TLS Setup in Spring – Spring的TLS设置

最后修改: 2021年 4月 5日

中文/混合/英文(键盘快捷键:t)

1. Overview

1.概述

Secure communication plays an important role in modern applications. Communication between client and server over plain HTTP is not secure. For a production-ready application, we should enable HTTPS via the TLS (Transport Layer Security) protocol in our application. In this tutorial, we’ll discuss how to enable TLS technology in a Spring Boot application.

安全通信在现代应用中发挥着重要作用。客户端和服务器之间通过普通HTTP的通信是不安全的。对于一个可以投入生产的应用程序,我们应该在应用程序中通过TLS(传输层安全)协议启用HTTPS。在本教程中,我们将讨论如何在Spring Boot应用程序中启用TLS技术。

2. TLS Protocol

2.TLS协议

TLS provides protection for data in transit between client and server and is a key component of the HTTPS protocol. The Secure Sockets Layer (SSL) and TLS are often used interchangeably, but they aren’t the same. In fact, TLS is the successor of SSL. TLS can be implemented either one-way or two-way.

TLS为客户端和服务器之间传输的数据提供保护,是HTTPS协议的一个关键组成部分。安全套接字层(SSL)和TLS经常被互换使用,但它们并不一样。事实上,TLS是SSL的继承者。TLS可以实现单向或双向的。

2.1. One-Way TLS

2.1.单向TLS

In one-way TLS, only the client verifies the server to ensure that it receives data from the trusted server. For implementing one-way TLS, the server shares its public certificate with the clients.

在单向TLS中,只有客户端对服务器进行验证,以确保它从受信任的服务器接收数据。为了实现单向TLS,服务器与客户共享其公共证书。

2.2. Two-Way TLS

2.2 双向TLS

In two-way TLS or Mutual TLS (mTLS), both the client and server authenticate each other to ensure that both parties involved in the communication are trusted. For implementing mTLS, both parties share their public certificates with each other.

在双向TLS或相互TLS(mTLS)中,客户和服务器都会相互认证,以确保参与通信的双方都是可信的。为了实现mTLS,双方都互相分享他们的公共证书。

3. Configuring TLS in Spring Boot

3.在Spring Boot中配置TLS

3.1. Generating a Key Pair

3.1.生成一个密钥对

To enable TLS, we need to create a public/private key pair. For this, we use keytool. The keytool command comes with the default Java distribution. Let’s use keytool to generate a key pair and store it in the keystore.p12 file:

为了启用TLS,我们需要创建一个公共/私人密钥对。为此,我们使用keytoolkeytool命令随同默认的Java发行版。让我们使用keytool来生成一个密钥对并将其存储在keystore.p12文件中。

keytool -genkeypair -alias baeldung -keyalg RSA -keysize 4096 \
  -validity 3650 -dname "CN=localhost" -keypass changeit -keystore keystore.p12 \
  -storeType PKCS12 -storepass changeit

The keystore file can be in different formats. The two most popular formats are Java KeyStore (JKS) and PKCS#12. JKS is specific to Java, while PKCS#12 is an industry-standard format belonging to the family of standards defined under Public Key Cryptography Standards (PKCS).

keystore文件可以采用不同的格式。最流行的两种格式是Java KeyStore(JKS)和PKCS#12。JKS是针对Java的,而PKCS#12是一种行业标准格式,属于公钥加密标准(PKCS)下定义的标准系列。

3.2. Configuring TLS in Spring

3.2.在Spring中配置TLS

Let’s start by configuring one-way TLS. We configure the TLS related properties in the application.properties file:

让我们从配置单向TLS开始。我们在application.properties文件中配置TLS相关属性。

# enable/disable https
server.ssl.enabled=true
# keystore format
server.ssl.key-store-type=PKCS12
# keystore location
server.ssl.key-store=classpath:keystore/keystore.p12
# keystore password
server.ssl.key-store-password=changeit

When configuring the SSL protocol, we’ll use TLS and tell the server to use TLS 1.2:

在配置SSL协议时,我们将使用TLS并告诉服务器使用TLS 1.2。

# SSL protocol to use
server.ssl.protocol=TLS
# Enabled SSL protocols
server.ssl.enabled-protocols=TLSv1.2

To validate that everything works fine, we just need to run the Spring Boot application:

为了验证一切工作正常,我们只需要运行Spring Boot应用程序。

3.3. Configuring mTLS in Spring

3.3.在Spring中配置mTLS

For enabling mTLS, we use the client-auth attribute with the need value:

对于启用mTLS,我们使用带有need值的client-auth属性。

server.ssl.client-auth=need

When we use the need value, client authentication is needed and mandatory. This means that both the client and server must share their public certificate. For storing the client’s certificate in the Spring Boot application, we use the truststore file and configure it in the application.properties file:

当我们使用need值时,客户端认证是需要的,而且是强制性的。这意味着客户端和服务器都必须共享他们的公共证书。为了在Spring Boot应用程序中存储客户端的证书,我们使用truststore文件并在application.properties文件中进行配置。

#trust store location
server.ssl.trust-store=classpath:keystore/truststore.p12
#trust store password
server.ssl.trust-store-password=changeit

The path for the location to the truststore is the file that contains the list of certificate authorities that are trusted by the machine for SSL server authentication. The truststore password is the password to gain access to the truststore file.

truststore位置的路径是包含机器信任的用于SSL服务器验证的证书颁发机构列表的文件。truststore密码是获得访问truststore文件的密码。

4. Configuring TLS in Tomcat

4.在Tomcat中配置TLS

By default, the HTTP protocol without any TLS capabilities is used when Tomcat is started. For enabling TLS in Tomcat, we config the server.xml file:

默认情况下,Tomcat启动时使用没有任何TLS功能的HTTP协议。为了在Tomcat中启用TLS,我们配置server.xml文件。

<Connector
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  port="8443" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="${user.home}/.keystore" keystorePass="changeit"
  clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>

For enabling mTLS, we’ll set clientAuth=”true”.

为了启用mTLS,我们将设置clientAuth=”true”/em>。

5. Invoking an HTTPS API

5.调用HTTPS API

For invoking the REST API, we’ll use the curl tool:

对于调用REST API,我们将使用curl工具。

curl -v http://localhost:8443/baeldung

Since we didn’t specify https, it will output an error:

由于我们没有指定https,它将输出一个错误。

Bad Request
This combination of host and port requires TLS.

This issue is solved by using the https protocol:

这个问题通过使用https协议得到了解决。

curl -v https://localhost:8443/baeldung

However, this gives us another error:

然而,这给我们带来了另一个错误。

SSL certificate problem: self signed certificate

This happens when we’re using a self-signed certificate. To fix this, we must use the server certificate in the client request. First, we’ll copy the server certificate baeldung.cer from the server keystore file. Then we’ll use the server certificate in the curl request along with the –cacert option:

当我们使用自签名的证书时就会发生这种情况。为了解决这个问题,我们必须在客户端请求中使用服务器证书。首先,我们要从服务器keystore文件中复制服务器证书baeldung.cer。然后我们将在curl请求中使用服务器证书以及-cacert选项。

curl --cacert baeldung.cer https://localhost:8443/baeldung

6. Conclusion

6.结语

For ensuring the security of the data being transferred between a client and server, TLS can be implemented either one-way or two-way. In this article, we describe how to configure TLS in a Spring Boot application in application.properties file and in the Tomcat configuration file. As usual, all code samples used in this tutorial are available over on GitHub.

为了确保客户端和服务器之间传输的数据的安全性,TLS可以实现单向或双向的。在这篇文章中,我们将描述如何在Spring Boot应用程序中的application.properties文件和Tomcat配置文件中配置TLS。像往常一样,本教程中使用的所有代码样本都可以在GitHub上找到