How to use Spring Boot to implement passwordless HTTPS/SSL login

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains how to use Spring Boot to implement passwordless HTTPS/SSL login. The method introduced here is simple, fast and practical.

Create a server-side certificate

To enable HTTPS, we need a certificate.

In real development, you would apply online for a certificate issued by a certificate authority. For convenience here, I will generate one myself with the openssl command.

```
openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout rootCA.key -out rootCA.crt
```

All passwords are 123456. Then enter the relevant information as prompted; if you find that troublesome, you can just press Enter to skip it.

This gives us the certificate rootCA.crt and the private key rootCA.key.

To implement server-side X.509 authentication in Spring Boot, we also need to generate a certificate for our server.

```
openssl req -new -newkey rsa:4096 -keyout localhost.key -out localhost.csr
```

Similarly, the password is 123456, and you can change the file name localhost to whatever you like.

The next step is to use rootCA to sign our server certificate. Before that, let's write a configuration file with some basic configurations.

```
vi conf.config
```

```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
```

The value of DNS.1 is your domain name, such as www.segmentfault.com, localhost and so on. If you fill this in incorrectly, the browser will warn that the website is not secure when you visit it.

Then sign the server certificate; you will be prompted to enter the password of rootCA.

```
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in localhost.csr -out localhost.crt -days 365 -CAcreateserial -extfile conf.config
```

After it succeeds, let's take a look at the certificate information.

```
openssl x509 -in localhost.crt -text
```

Finally, the signed certificate and the private key are packaged into a PKCS#12 file.

```
openssl pkcs12 -export -out localhost.p12 -name "localhost" -inkey localhost.key -in localhost.crt
```

This command asks for the password of localhost.key first and then asks you to define the password for localhost.p12. Remember the localhost.p12 password, because it is used in the Spring configuration file.

Also note that the value of server.ssl.keyAlias in the Spring configuration file is the localhost given in the command (-name "localhost").

Spring Boot enables https

Copy localhost.p12 to the resources directory and compile the project.

Modify the application.properties file:

```
server.port=8888
server.ssl.key-store=classpath:localhost.p12
server.ssl.key-store-password=123456
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=localhost
```

In chrome://settings/security, import rootCA.crt under Trusted Root Certification Authorities.

When you start the project, you can access the website over https, and the browser shows the site as secure.

Create a trust certificate

The trust certificate will contain the certificate of a trusted external entity.

All we have to do here is add rootCA.crt.

```
keytool -import -trustcacerts -noprompt -alias ca -ext san=dns:localhost,ip:127.0.0.1 -file rootCA.crt -keystore localhost.jks
```

Then add localhost.jks to the project and modify the configuration file.

Add to application.properties:

```
server.ssl.trust-store=classpath:localhost.jks
server.ssl.trust-store-password=123456
server.ssl.client-auth=need
```

Note: because server.ssl.client-auth=need has been added and no personal certificate is installed yet, the project cannot be accessed when the page is refreshed. If you still want to be able to log in at the same time, you can change need to want; with want, however, the client is asked for a personal certificate only on the first visit to the page.

Create a client certificate

Now create a client-side certificate in much the same way as the server-side.

```
openssl req -new -newkey rsa:4096 -nodes -keyout shurlormes.key -out shurlormes.csr
```

When generating the client certificate, do not skip the subject information, because it is read in the following steps to perform the login. For example, the value I entered for Common Name is the user name I will use to log in later.

Next, sign the client certificate with rootCA.

```
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in shurlormes.csr -out shurlormes.crt -days 365 -CAcreateserial
```

Then package the signed certificate and the private key into a PKCS#12 file.

```
openssl pkcs12 -export -out shurlormes.p12 -name "shurlormes" -inkey shurlormes.key -in shurlormes.crt
```

Finally, in chrome://settings/security, import shurlormes.p12 as a personal certificate; you will be asked for its password during the import.

When the page is refreshed, the browser pops up a dialog box asking you to choose a personal certificate.

Spring Boot acquires personal certificate information

Congratulations, at this point the PKI login is 99% complete. The next step is to get the certificate information from the request, then process the string to get the user name and log in.

```java
@RequestMapping("/login")
public String login(HttpServletRequest request) {
    // Client certificate chain from the TLS handshake; null if the client sent none
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    if (certs != null) {
        X509Certificate gaX509Cert = certs[0];
        String dn = gaX509Cert.getSubjectDN().toString();
        System.out.println("Personal certificate information: " + dn);
        String username = "";
        String[] dnArray = dn.split(",");
        for (String dnItem : dnArray) {
            // Limit to 2 parts and skip items without '=' so dnInfo[1] always exists
            String[] dnInfo = dnItem.split("=", 2);
            if (dnInfo.length < 2) {
                continue;
            }
            String key = dnInfo[0];
            String value = dnInfo[1];
            if ("cn".equalsIgnoreCase(key.trim())) {
                username = value.trim();
                break;
            }
        }
        System.out.println("User name: " + username);
        if (!StringUtils.isEmpty(username)) {
            // Log the user in under the certificate's CN, with an empty password and no authorities
            SecurityContext securityContext = SecurityContextHolder.getContext();
            User userDetails = new User(username, "", Collections.EMPTY_LIST);
            securityContext.setAuthentication(new UsernamePasswordAuthenticationToken(userDetails, "", Collections.EMPTY_LIST));
            return "redirect:/";
        }
    }
    return "login";
}
```
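An added example, not part of the original article: splitting the DN string on "," and "=" misreads a CN whose value contains an escaped comma or that sits inside a multi-valued RDN, so this sketch parses the subject with the JDK's LdapName instead. The class name SubjectCommonName and the sample subjects are constructed for illustration; in the controller the argument would be certs[0].getSubjectX500Principal().

```java
import java.util.List;
import java.util.Optional;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class SubjectCommonName {

    // Returns the CN of the subject, or empty if it has none or cannot be parsed.
    static Optional<String> commonName(X500Principal subject) {
        try {
            // getName() yields the RFC 2253 string form, which LdapName parses
            List<Rdn> rdns = new LdapName(subject.getName()).getRdns();
            // getRdns() is ordered right to left, so walk backwards to reach
            // the leftmost (most specific) RDN first.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                // toAttributes() also covers multi-valued RDNs such as OU=a+CN=b
                Attribute cn = rdns.get(i).toAttributes().get("cn");
                if (cn != null && cn.get() instanceof String) {
                    String value = ((String) cn.get()).trim();
                    if (!value.isEmpty()) {
                        return Optional.of(value);
                    }
                }
            }
        } catch (NamingException e) {
            // Malformed DN: report "no user name" instead of guessing.
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample subjects, not taken from real certificates.
        String[] samples = {
            "CN=shurlormes, OU=Dev, O=Example",
            "CN=Doe\\, Jane, O=Example",         // comma escaped inside the CN value
            "OU=Dev+CN=shurlormes, O=Example",   // CN inside a multi-valued RDN
            "OU=Dev, O=Example"                  // no CN: login must be refused
        };
        for (String s : samples) {
            X500Principal subject = new X500Principal(s);
            System.out.println(subject.getName() + " -> " + commonName(subject).orElse("<none>"));
        }
    }
}
```

An empty result should be treated the same way as a missing certificate: return the login view and set no authentication.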

Spring Boot enables both http and https at the same time

You have probably noticed that the project can now only be accessed through https; if you use http, the browser gets Bad request back directly.

To enable both https and http, simply add a Tomcat configuration class:

```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatHttpConfig {

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        // Register a plain-http connector next to the https one from application.properties
        tomcat.addAdditionalTomcatConnectors(initiateHttpConnector());
        return tomcat;
    }

    private Connector initiateHttpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(9999);
        connector.setSecure(false);
        return connector;
    }
}
```

Start the project and watch the console output: it indicates that http has started on port 9999 and https on port 8888, and the page can be accessed successfully.

Spring Boot http automatically jumps to https

We can now access the site over both http and https, but what if we want http requests to be redirected to https automatically?

You only need to make a slight change to the configuration above.

```java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatHttpConfig {

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // Require a confidential (TLS) transport for every URL
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(initiateHttpConnector());
        return tomcat;
    }

    private Connector initiateHttpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(9999);
        connector.setSecure(false);
        // Requests arriving on 9999 are redirected to the https port
        connector.setRedirectPort(8888);
        return connector;
    }
}
```

By now you should have a deeper understanding of how to use Spring Boot to implement passwordless HTTPS/SSL login. You might as well try it out in practice!
