I. Basic concepts
X.509 authentication: X.509 is the international certificate format standard and one of the most widely used authentication methods; everyday services such as online banking and Alipay rely on it. SSL: a security protocol whose purpose is to provide confidentiality and data integrity for network communication; SSL encrypts network traffic at the transport layer.
II. Creating X.509 certificates
The certificates can be created with the keytool utility that ships with the JDK. The commands below are a reference; the parameter values can be changed.
Generate the server certificate:

keytool -genkey -keyalg RSA -dname "cn=localhost,OU=java, O=spring, L=landon, ST=YY, C=CN" -alias server1 -keypass stevex -keystore d:\server1.jks -storepass stevex -validity 3650

Note: cn=localhost. The value localhost cannot be chosen arbitrarily here: it must match the host name the client connects to, otherwise the client's certificate validation fails.
Generate the client certificate (only needed for two-way authentication):

keytool -genkey -keyalg RSA -dname "CN=stevex, OU=gookle, O=goo, L=landon, ST=RR, C=CN" -alias client1 -storetype PKCS12 -keypass stevex -keystore d:\client1.p12 -storepass stevex -validity 3650

Add the trusted certificate (only needed for two-way authentication):

## 1. Export the client certificate as a .cer file
keytool -export -alias client1 -file d:\client1.cer -keystore d:\client1.p12 -storepass stevex -storetype PKCS12 -rfc
## 2. Import the exported file into the server keystore
keytool -import -v -alias client1 -file d:\client1.cer -keystore d:\server1.jks -storepass stevex

Import the certificate on the client (only needed for two-way authentication):
Double-click client1.p12 and follow the prompts to import the certificate into IE; for Firefox, import it via Options --> Advanced --> Certificate --> View Certificate --> Import.
III. One-way SSL authentication
1. Spring configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https" />
        <security:intercept-url pattern="/list" access="hasRole('ROLE_USER')" requires-channel="https" />
        <security:intercept-url pattern="/**" requires-channel="https" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service id="userService">
                <security:user authorities="ROLE_USER" name="stevex" password="stevex" />
                <security:user authorities="ROLE_USER, ROLE_ADMIN" name="admin" password="admin" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

Note: requires-channel="https" must be set on every intercept-url element.
2. Tomcat configuration (server.xml):
Add a Connector to server.xml:

<!-- keystoreFile points at the server1.jks created in section II -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreType="JKS" keystoreFile="D:/server1.jks" keystorePass="stevex" />

Note: the original Connector on HTTP port 8080 must not be commented out, otherwise the server fails to start. This Connector is added alongside the HTTP one rather than replacing it, i.e. two Connectors are configured at the same time.
IV. Two-way SSL authentication
1. Spring configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https" />
        <security:intercept-url pattern="/list" access="hasRole('ROLE_USER')" requires-channel="https" />
        <security:intercept-url pattern="/**" requires-channel="https" />
        <security:x509 />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service id="userService">
                <security:user authorities="ROLE_USER" name="stevex" password="" />
                <security:user authorities="ROLE_USER, ROLE_ADMIN" name="admin" password="" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

Note: add <x509/>; passwords are no longer needed either. Spring's X.509 support is already quite thorough.
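As an added example that is not part of the original post, the Python below models two decisions the configuration above relies on: how <security:x509/> turns the client certificate's subject DN into a username (Spring's SubjectDnX509PrincipalExtractor uses the pattern CN=(.*?)(?:,|$), matched case-insensitively, and looks group 1 up in the user-service), and the host-name check from section II that is the reason the server certificate's CN had to be localhost. The user table is a constructed copy of the user-service above, the DNs are constructed from the keytool commands in section II, and the function names are assumptions.

```python
import re

# Default pattern of Spring Security's SubjectDnX509PrincipalExtractor, which
# is what <security:x509/> applies when no subject-principal-regex is given.
# Group 1 (the CN value) becomes the username looked up in the user-service.
SPRING_DEFAULT_SUBJECT_REGEX = r"CN=(.*?)(?:,|$)"

# Constructed copy of the user-service in the two-way Spring configuration.
USER_SERVICE = {
    "stevex": ["ROLE_USER"],
    "admin": ["ROLE_USER", "ROLE_ADMIN"],
}


def extract_principal(subject_dn, pattern=SPRING_DEFAULT_SUBJECT_REGEX):
    """Mirror the extractor: case-insensitive search, group 1 is the principal.
    Returns None where Spring would raise BadCredentialsException."""
    m = re.search(pattern, subject_dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def x509_authenticate(subject_dn, users=USER_SERVICE):
    """Simulate the decision behind <security:x509/> (assumed helper name):
    the CN of the presented client certificate must name a user known to the
    user-service. Returns the granted authorities, or None on failure."""
    principal = extract_principal(subject_dn)
    if principal is None:
        return None              # no CN in the DN -> BadCredentialsException
    return users.get(principal)  # unknown CN -> UsernameNotFoundException


def hostname_matches(subject_dn, san_dns_names, hostname):
    """Host-name check a TLS client applies to the server certificate, RFC 6125
    style: if the certificate carries dNSName SANs only those count; the CN is
    the legacy fallback used only when no SAN is present. A wildcard is
    honoured in the leftmost label only."""
    candidates = list(san_dns_names) if san_dns_names else []
    if not candidates:
        cn = extract_principal(subject_dn)
        if cn:
            candidates.append(cn)
    host = hostname.lower()
    for name in candidates:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


if __name__ == "__main__":
    client_dn = "CN=stevex,OU=gookle,O=goo,L=landon,ST=RR,C=CN"   # from client1
    server_dn = "CN=localhost,OU=java,O=spring,L=landon,ST=YY,C=CN"  # from server1
    print("client1 ->", x509_authenticate(client_dn))
    print("unknown CN ->", x509_authenticate("CN=mallory,O=goo,C=CN"))
    print("server1 valid for localhost:", hostname_matches(server_dn, [], "localhost"))
```

Two consequences for this setup follow from the model. The CN of client1 (stevex) must equal a name in the user-service: a certificate that passes Tomcat's truststore check but carries an unknown CN is rejected by Spring, so the truststore decides who may connect and the user-service decides what they may do. For the server certificate, modern clients consult subjectAltName first and ignore the CN when a SAN is present, so adding -ext SAN=dns:localhost to the keytool command is the durable way to satisfy the check rather than relying on the CN alone.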
2. Tomcat configuration:
Add a Connector to server.xml:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreType="JKS" keystoreFile="D:/server1.jks" keystorePass="stevex"
           truststoreFile="D:/server1.jks" truststorePass="stevex" />

Note: add the two attributes truststoreFile and truststorePass, and change the value of the clientAuth attribute to true.
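The two configuration rules stated in the notes (every intercept-url needs requires-channel="https"; clientAuth="true" needs a truststoreFile) are easy to miss when editing by hand. As an added example, not from the original post, the Python below lints constructed fragments modelled on the article's Spring and server.xml files: one intercept-url is deliberately left without requires-channel, and one SSL Connector asks for client certificates without naming a truststore, so that each check has something to report. The fragments and the function names are assumptions; the behaviour of falling back to the JVM default truststore when truststoreFile is absent is Tomcat's documented default.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"

# Constructed fragment modelled on the article's Spring configuration; the
# /list rule deliberately lacks requires-channel to show the finding.
SPRING_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
    <security:intercept-url pattern="/list" access="hasRole('ROLE_USER')"/>
    <security:intercept-url pattern="/**" requires-channel="https"/>
    <security:x509/>
  </security:http>
</beans>
"""

# Constructed server.xml fragment: port 8443 mirrors the article's one-way
# Connector; port 9443 requests client certificates but names no truststore.
TOMCAT_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreType="JKS" keystoreFile="D:/server1.jks" keystorePass="stevex"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreType="JKS" keystoreFile="D:/server1.jks" keystorePass="stevex"/>
  </Service>
</Server>
"""


def spring_urls_without_https(xml_text):
    """Patterns of intercept-url elements that do not force the HTTPS channel,
    i.e. violations of the note under the Spring configuration."""
    root = ET.fromstring(xml_text)
    bad = []
    for url in root.iter("{%s}intercept-url" % SEC_NS):
        if url.get("requires-channel") != "https":
            bad.append(url.get("pattern"))
    return bad


def spring_has_x509(xml_text):
    """True when <security:x509/> is present, i.e. two-way mode is switched on."""
    root = ET.fromstring(xml_text)
    return root.find(".//{%s}x509" % SEC_NS) is not None


def tomcat_connector_findings(xml_text):
    """Per SSL-enabled Connector (keyed by port), the problems that keep it from
    working as the article intends; non-SSL Connectors are skipped."""
    root = ET.fromstring(xml_text)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled") != "true":
            continue
        problems = []
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            problems.append("scheme/secure not set for https")
        if not conn.get("keystoreFile"):
            problems.append("no keystoreFile")
        # Without truststoreFile Tomcat verifies client certificates against the
        # JVM default truststore, which does not contain the self-signed client1.
        if conn.get("clientAuth") == "true" and not conn.get("truststoreFile"):
            problems.append("clientAuth=true but no truststoreFile (falls back to the JVM default truststore)")
        findings[conn.get("port")] = problems
    return findings


if __name__ == "__main__":
    print("intercept-url without https:", spring_urls_without_https(SPRING_XML))
    print("x509 enabled:", spring_has_x509(SPRING_XML))
    for port, problems in tomcat_connector_findings(TOMCAT_XML).items():
        print(port, "->", problems or "ok")
```

Run against the fragments, the lint names /list as the rule missing requires-channel and reports the 9443 Connector for requesting client certificates without a truststore; the 8443 Connector comes back clean and the plain 8080 Connector is ignored, matching the article's advice to keep it alongside the SSL one.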
3. Result:
Attachment: http://down.51cto.com/data/2364055
This article is reposted from sarchitect's 51CTO blog; original link: http://blog.51cto.com/stevex/1358215. Contact the original author for reprint permission.