How can I specify my .keystore file with Spring Boot and Tomcat?


Problem description

I'm trying to set up Spring Security to work with Spring Boot's embedded Tomcat instance. There are quite a few basic samples that do this but I'm stuck where they leave off -- they do basic authentication over HTTP (not HTTPS).

I could probably make it work if I had access to the Tomcat configuration files (server.xml) but since Spring Boot uses an embedded Tomcat instance (which is otherwise a huge convenience), I don't have access to the Tomcat configuration files (at least, not to my knowledge).

There may be an application.properties setting for this but I haven't been able to track it down. I've seen references to a server.contextPath field in application.properties that I suspect may have something to do with replacement Tomcat config files. Even if it is related, I wouldn't know where to begin anyway -- all of the Tomcat SSL instructions I've seen start with editing an existing server.xml file, not building one from scratch.

Can this be done with Spring Boot (either by somehow specifying a snippet of server.xml or through other means)? If not, what would be the simplest way to do this? I understand that I may need to exclude the Tomcat component of Spring Boot but I'd prefer to avoid that if possible.

Recommended answer

It turns out that there is a way to do this, although I'm not sure I've found the 'proper' way since this required hours of reading source code from multiple projects. In other words, this might be a lot of dumb work (but it works).

First, there is no way to get at the server.xml in the embedded Tomcat, either to augment it or replace it. This must be done programmatically.

Second, the 'require_https' setting doesn't help since you can't set cert info that way. It does set up forwarding from http to https, but it doesn't give you a way to make https work so the forwarding isn't helpful. However, use it with the stuff below, which does make https work.

To begin, you need to provide an EmbeddedServletContainerFactory as explained in the Embedded Servlet Container Support docs. The docs are for Java but the Groovy would look pretty much the same. Note that I haven't been able to get it to recognize the @Value annotation used in their example but it's not needed. For Groovy, simply put this in a new .groovy file and include that file on the command line when you launch Spring Boot.

Now, the instructions say that you can customize the TomcatEmbeddedServletContainerFactory class that you created in that code so that you can alter web.xml behavior, and this is true, but for our purposes it's important to know that you can also use it to tailor server.xml behavior. Indeed, reading the source for the class and comparing it with the Embedded Tomcat docs, you see that this is the only place to do that. The interesting function is TomcatEmbeddedServletContainerFactory.addConnectorCustomizers(), which may not look like much from the Javadocs but actually gives you the Embedded Tomcat object to customize yourself. Simply pass your own implementation of TomcatConnectorCustomizer and set the things you want on the given Connector in the void customize(Connector con) function. Now, there are about a billion things you can do with the Connector and I couldn't find useful docs for it but the createConnector() function in this guy's personal Spring-embedded-Tomcat project is a very practical guide. My implementation ended up looking like this:

package com.deepdownstudios.server

import org.apache.catalina.connector.Connector
import org.apache.coyote.http11.Http11NioProtocol
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory
// @Configuration and @Bean live in context.annotation, not in stereotype
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration

@Configuration
class MyConfiguration {

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        final int port = 8443
        final String keystoreFile = "/path/to/keystore"
        final String keystorePass = "keystore-password"
        final String keystoreType = "pkcs12"
        final String keystoreProvider = "SunJSSE"
        final String keystoreAlias = "tomcat"

        // port is a local above, not a field, so it is referenced directly (this.port would fail at runtime)
        TomcatEmbeddedServletContainerFactory factory =
                new TomcatEmbeddedServletContainerFactory(port)
        factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
            void customize(Connector con) {
                // The protocol handler carries the TLS attributes that server.xml
                // would normally put on the <Connector> element
                Http11NioProtocol proto = (Http11NioProtocol) con.getProtocolHandler()
                proto.setSSLEnabled(true)
                con.setScheme("https")
                con.setSecure(true)
                proto.setKeystoreFile(keystoreFile)
                proto.setKeystorePass(keystorePass)
                proto.setKeystoreType(keystoreType)
                proto.setProperty("keystoreProvider", keystoreProvider)
                proto.setKeyAlias(keystoreAlias)
            }
        })
        return factory
    }
}

The Autowiring will pick up this implementation and run with it. Once I fixed my busted keystore file (make sure you call keytool with -storetype pkcs12, not -storepass pkcs12 as reported elsewhere), this worked. Also, it would be far better to provide the parameters (port, password, etc) as configuration settings for testing and such... I'm sure it's possible if you can get the @Value annotation to work with Groovy.
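The answer's closing wish, keystore settings supplied as configuration rather than hard-coded, as an added Java example (not the answer's own code and not Spring Boot's): the same connector customisation with the values injected through @Value (the tls.* property names are assumed), plus a startup check that loads the keystore exactly as Tomcat will and confirms the alias holds a private key, so a keystore built with the wrong -storetype, password or alias is reported before the HTTPS port opens.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TlsConfiguration {
    // Property names are assumed; set them in application.properties or as --tls.keystore.file=... on the command line
    @Value("${tls.port:8443}") private int port;
    @Value("${tls.keystore.file}") private String keystoreFile;
    @Value("${tls.keystore.password}") private String keystorePass;
    @Value("${tls.keystore.type:pkcs12}") private String keystoreType;
    @Value("${tls.keystore.alias:tomcat}") private String keyAlias;

    @Bean
    public EmbeddedServletContainerFactory servletContainer() throws Exception {
        verifyKeystore(); // fail at startup with a clear message, not at the first TLS handshake
        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory(port);
        factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
            @Override
            public void customize(Connector con) {
                Http11NioProtocol proto = (Http11NioProtocol) con.getProtocolHandler();
                proto.setSSLEnabled(true);
                con.setScheme("https");
                con.setSecure(true);
                proto.setKeystoreFile(keystoreFile);
                proto.setKeystorePass(keystorePass);
                proto.setKeystoreType(keystoreType);
                proto.setKeyAlias(keyAlias);
            }
        });
        return factory;
    }

    // Opens the keystore with the configured type and password and checks that the alias is a
    // private-key entry; a JKS file passed as pkcs12, a wrong password or a missing alias all fail here
    private void verifyKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance(keystoreType);
        try (InputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, keystorePass.toCharArray());
        }
        if (!ks.isKeyEntry(keyAlias)) {
            throw new IllegalStateException("no private key under alias '" + keyAlias + "' in " + keystoreFile);
        }
    }
}
```

Keeping the password out of source also means the keystore credential can differ per environment without rebuilding the application.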
