Servlet Security with SSL


Problem description

Hello All,


I am fairly new to Java and Tomcat etc. as I came from a non-Java\Tomcat previous role but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL Server database on a Windows server. I now require to secure the communication with the SQL Server database using SSL (two-way communication) and would really like some straightforward guidance on how to do this, i.e. what exactly do I do?


I ask this because there is a lot of information on the Tomcat website and other web sites but I find it becomes very ambiguous and confusing. They mostly talk about setting up a keystore for the root certificate on the server and then say nothing about the "client". In my servlet's situation the server hosting the SQL Server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and an entry to suit in the Tomcat server.xml file.


Any assistance would be greatly appreciated. I am really stuck with this.


Thank you in advance


AJFarroll

Recommended answer

Please clarify one point:

From the text of your question, you are actually asking about communicating with a MS SQL Server, and the SQL Server requires communication over SSL. Is this correct?

If it is, then the fact that the communication is coming from a servlet is mostly immaterial. Once you throw "Tomcat", "SSL", "Servlet" into a Google search, the results are going to be centered on securing the Tomcat server (thus the references to root certificates and the keystore).

It sounds like you are having a JDBC driver configuration issue. If you know the JDBC driver (name, source, and version), then you can either Google that plus "SSL" or post it here and I'll try to help.

David

Summarized after resolution:

For the TL;DR crowd: There were a couple of issues with the Microsoft sqljdbc.jar driver configuration. It seems that the original servlet was getting its configuration settings from a different context.xml than was obvious at first glance. The questioner was able to find the correct context.xml and make the required change to the pooled connection, and it worked. There seemed to be another issue with having multiple instances of the servlet running at the same time, but the OP was able to resolve that issue.


Got it.

There's a lot of information to work with, and not all of it will fit into a single post; however, I will try to get you started in the right direction. I may be a few versions of Tomcat behind, but it sounds like this project may be, also, so this information shouldn't be too out of date.

(I also apologize for not giving you any direct code or configuration--I don't have a setup to play with at the moment, so this will be mostly "hand waving" advice.)

You have three configuration requirements here, and it sounds like two of them are (fairly) complete. Server credentials and access, driver "correctness", and Tomcat config.

You said you successfully pinged the SQL Server using Eclipse, so driver, credentials, and network access are confirmed. That just leaves the Tomcat config.

Tomcat (and the servlets) are set up (mostly) by xml config files, which you already seem to be familiar with. There is the server.xml, which controls the high-level stuff, and then there are what are named "Context" configurations--basically, subdivisions of the server for different sites, applications, subdirectories, etc. These context files provide things like access controls, renaming, and, in your case, common resources like database connections. The connectivity info doesn't have to be in the context files, but it's best practice to do so because you can swap around database connections in one go instead of hitting umpteen different web apps or hundreds of servlets.

If you have access to the server, you can change these files, since they are just text files. If you take the time to learn the Tomcat admin interface (and it's installed and accessible) you can also make the changes there.

I keep saying "context.xml files" (plural) because there are context files for individual applications, and there is one big mama for the entire server. If you want this connection available to all applications, you put the configuration entry in the big Context.xml file for the server. Here's a good writeup on how, and where, context.xml files are located, and what scope they have on the system.

From the sound of it, you are either trying to add a new SQL server connection, or replace the Oracle connection. Either way, you will be changing the entry (or adding an entry) in one of the context.xml files.

Since you have Eclipse, I would recommend the following to get everything set up.


  • Read the configuration links I've provided. Those will take you to a few other concepts that you may need to understand, but keep everything focused on "configure sqljdbc in Tomcat"
  • Create a simple servlet app (say, a page that does a very specific record count from your database server.)
  • Keep testing the servlet until you can get it running in the IDE
  • Look at the context.xml and resource config that works. Then, when you've read through the Tomcat JNDI config instructions enough, either add or replace the resource config in the appropriate context.xml
  • Install your test app to see if it works.
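
The kind of pooled-connection entry the answer above points to, as an added example that is not part of the original thread: a Tomcat 7 JNDI `Resource` for the Microsoft JDBC driver with TLS enabled and the server certificate validated. The resource name, host, database and account are hypothetical placeholders, and the thread does not say which change the questioner actually made.

```xml
<!-- Added example: META-INF/context.xml of one web app, or conf/context.xml
     to share the pool with every app on the server.
     Resource name, host, database and account are hypothetical placeholders. -->
<Context>

  <!-- Weak form, shown for contrast only: the channel is encrypted, but the
       server certificate is never validated, so the client will also accept
       an impostor server presenting any certificate.
       url="jdbc:sqlserver://sqlhost.example.internal:1433;databaseName=AppDb;encrypt=true;trustServerCertificate=true" -->

  <!-- Hardened form: encrypt=true requests TLS, trustServerCertificate=false
       makes the driver validate the SQL Server certificate chain, and
       hostNameInCertificate pins the name expected in that certificate.
       The issuing CA must be in the truststore the JVM uses (the default one,
       or the one named by the javax.net.ssl.trustStore system property);
       the driver's trustStore / trustStorePassword connection properties are
       the per-connection alternative. -->
  <Resource name="jdbc/AppDb"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://sqlhost.example.internal:1433;databaseName=AppDb;encrypt=true;trustServerCertificate=false;hostNameInCertificate=sqlhost.example.internal"
            username="app_user"
            password="CHANGE_ME"
            maxActive="20"
            maxIdle="5"
            maxWait="10000"/>

</Context>
```

The servlet obtains this pool through a JNDI lookup of `java:comp/env/jdbc/AppDb`, so the TLS settings live in one place instead of in each servlet.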

