Tomcat Notes: Web Security, HTTPS In Tomcat

这篇具有很好参考价值的文章主要介绍了Tomcat Notes: Web Security, HTTPS In Tomcat。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

This is a personal study notes of Apache Tomcat. Below are main reference material.

- YouTube Apache Tomcat Full Tutorial,owed by Alpha Brains Courses. https://www.youtube.com/watch?v=rElJIPRw5iM&t=801s


1、Overview

This article is about problems in web security, how HTTPS secure sending messages and some basic cryptology algorithm.

I’m not very confident with this article since I never make any practice on those concetions or theorys.

Any advice or correction is welcomed.

2、Two Levels Of Web Security

Web server and web app security covers two distinct but related levels.

  • Wire-level(transport-level): In this level it encrypts data transmission through all nodes.
  • Users/roles security: User authentication and role authorization. Good news is Tomcat supports ‘Container-managed security’ in which Catalina, rather than a particular web app does this heavy lifting.

HTTPS is a way to secure in this two levels. HTTPS is a way to secure in this level. S of course stands for secure, There a lot of layers atop HTTPS but HTTPS is the most popular and dominant one.

Tomcat uses HTTP by default. We need to turn HTTPS on in TOMCAT_HOME/conf/server.xml. And other operations are also required.

Three problems HTTPS need to solve.

1. The one who sends you messages is who you think it is rather than other one who pretends to be it.
2. The messages are encrypted, even though other people capture the messages but we have the confidence they can't decrypt it.
3. The request(response) recieved by the server(the browser) is exactly same with initially sent by the brower(the server). 

Here is the wire-level security and services in Alice-to-Bob messages sending scenario.

  1. Peer Authentication (aka mutual chanllenge)

     messages            #Is it real Bob?
     Alice <------------->Bob
     #Is it real Alice?     
    
  2. Confidentiality (message decryption/encryption)

            message                          encrypted message                   message
     Alice --------->encryption engine------------------>decryption engine--------> Bob
    
  3. Integrity:

           message		 message
     Alice--------->route------->Bob # does sent messge == recieved message?
    

2.1、Trace Of A Full Security Example

We are going to explore the details of web security with curl. The curlis used to issue a request over a HTTPSto a deployed web app.

Below is the output of curlissuing a HTTPSrequest.

* About to connect() to localhost port 8443 (#0)  # 8443 is the conventional port fo HTTPS in Tomcat
*   Trying ::1... connected						  # while 8080 is for HTTP
* Connected to localhost (::1) port 8443 (#0)
* successfully set certificate verify locations:
*   CAfile: none		
  CApath: /etc/ssl/certs		#Exchange for certificates
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):	#In handshake, the server and the client need to discuss
* SSL connection using EDH-RSA-DES-CBC3-SHA # which encryption to use and digital certificates.
* Server certificate:	
    ...
*   SSL certificate verify result: self signed certificate (18), continuing anyway.  
* Server auth using Basic with user 'moe'
# one the SSl and TLS secure the connection, server begins to handle request
> GET /predictions HTTP/1.1
> Authorization: Basic bW9lOk1vZU1vZU1vZQ==
> User-Agent: curl libcurl OpenSSL zlib libidn
> Host: localhost:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Transfer-Encoding: chunked
...
<
<html>

3、Some Security Conceptions

3.1、Man-In-The-Middle

Man-in-the-middle scenario.

Alice(sender)---------------------->Bob(intended recepient)
						|
						|	
				Eve(eavesdropper)

Alice sends messages to Bob and Alice thinks the person she sent messages to is Bob but it is Eve in fact.

Bob thinks he receives messages from Alice but it is Eve in fact.

This is where peer authentication phase come in. It is meant to build trust on the Alice and Bob sides. In other words Alice
sends certificates to Bob to assure Bob that it is really Alice on the other side and Bob do the same thing to Alice to get trust.

3.2、 Key Store And Trust Store

Now let me intrduce more jargon which are key storeand trust store.

Java uses this terminology all over the place and it is also what we are going to use.

They bear directly on the topic of digital certificates.

The key storeis where we keep our digital certificates. So it’s database of our digital certificates. They are just some files.

The trust storeis database of digital certificates that I trust. The trust stroecould be the same with key storeby the way.

3.3、Message Digests

We see this thing before. When we download the Tomcat from Apache official site, we can see sha-1or md5used to verify the integrity, making sure the package we download has exactly same with that in Apache server.

By the way output of the Message Digestcould be encrypted forming a digital signature.

Tomcat Notes: Web Security, HTTPS In Tomcat,Tomcat,tomcat,java

Below is the processes of sending a message, and Message Digestis part of the encryption engine.

Tomcat Notes: Web Security, HTTPS In Tomcat,Tomcat,tomcat,java

3.4、Symmetric Encryption And Decryption

Now we are going to get further about the encryption keyand the decryption key.

In the modal called Symmetric encryption and decryption, encryption keyand decryption keyis the same one.

It brings a new problem, if Alice has the single key, how can she manage to send the single key to Bob safely or vice versa?

That’s sometimes called the key distribution problem.

The upside of this modal is that it’s fast. Roughly speaking it 1000 times faster than Asymmetric encryption and decryption.
Tomcat Notes: Web Security, HTTPS In Tomcat,Tomcat,tomcat,java


3.5、Asymmetric Encryption And Decryption

In this modal, it uses a pair of key, containing a public keyand a private key, to encryption and decryption.

This pair of key is generated by the recipient. The public keyis used to encryption and the encrypted message can be decrypted only with the private key.

The pulic key can be held by anyone just like its name so it basically can be percieved as an indentity, while the private name can only be held by the recipient.

Supposing Alice wants to send a message to Bob.

  1. Alice firstly get Bob’s public key.
  2. Alice encrypts message with the public key.
  3. Bob recieves the encrypted message then decrypts it with it’s private key.

In this way it assure Alice that her messages can be understood only by Bob.

While it’s not perfect, Alice knows who she sent messages to but Bob does’t know where the messages come from.

Tomcat Notes: Web Security, HTTPS In Tomcat,Tomcat,tomcat,java



4、Process Of HTTPS

With the basis of above conceptions we are going to get into how ‘S’ in HTTPSworks.

Three terms play a role in wire-level security ‘peer authentication’ in particular.

  • Key Pair: A pulic key and a private key. Unlike the asymmetric cryptology, the public key in here is used to decryption while the private key is used to encryption.

  • Digital Certificate: Including the key pairand a digital signature as a voucher for message sent by someone.

    Digital signature is a message digest encrypted by the private key.

  • Certificate Authority: Company that voucher for a digital certificate.

    Company voucher for a DCby adding it’s digital signature to the DC.

HTTPS addresses the man-in-the-middle by having the two sides(Alice and Bob) exchanges their DCto confirm their indenties.

Here’s is the five steps that Alice would go through in order to send messages to Bob.文章来源地址https://www.toymoban.com/news/detail-823595.html

  1. Alice sends a signed certificate reqeust containing her name her public key and perhaps some additional information to a CA.
  2. The CAcreates a message M from Alice’s request. signing the message M with its private key, thereby creating a seperate signature message SIG,
  3. The CAreturns Alice the message M with its signature message M. Together M and SIG form Alice’s certificate.
  4. Alice sends her newly minted certificate to Bob to give him access to her public key .
  5. Bob verfies the signature SIG using the CA'spublic key. If the signature proves valid, which means the message does come from Alice, he accepts the public key in the certificates as Alice’s public key which is her identity.

到了这里,关于Tomcat Notes: Web Security, HTTPS In Tomcat的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Java Web Tomcat 23.7.5

    1.1 简介 1.1.1 什么是Web服务器 Web服务器是一个应用程序( 软件 ),对HTTP协议的操作进行封装,使得程序员不必直接对协议进行操作,让Web开发更加便捷。主要功能是\\\"提供网上信息浏览服务\\\"。 Web服务器是安装在服务器端的一款软件,将来我们把自己写的Web项目部署到Web To

    2024年02月13日
    浏览(33)
  • Java Web(七)__Tomcat(二)

    Tomcat作为Servlet容器,有以下三种工作模式。 1) 独立的Servlet容器 ,由Java虚拟机进程来运行 Tomcat作为独立的Web服务器来单独运行,Servlet容器组件作为Web服务器中的一部分而存在。 这是Tomcat的默认工作模式。 在这种模式下,Tomcat是一个独立运行的Java程序。和运行其他Java程序

    2024年02月21日
    浏览(36)
  • 从tomcat说起全面理解Java web开发原理

            简介:Java开发分为Java ME,Java SE,Java EE。回顾过去这些的开发工作基本上都是围绕着Java EE的,在开发经历中分别经历了Java EE开发框架从jsp servlet一路经历了ssh, ssm, springboot mybatis ,spring cloud演化,但是Java web开发过程中web容器却是一路相随tomcat,本篇文章将

    2024年02月09日
    浏览(44)
  • Java web项目打包成war包,本地tomcat运行

    一、javaWeb项目(非maven项目,IntelliJ IDEA环境下)打包的方式如下: (1)首先在IntelliJ IDEA中选中自己要打包的项目,点击file,选择Project Structure。 (2)在Project Structure中选中Artifacts。 (3)点击左上角绿色的+号,选择Web Application Archive,选中你要打包的项目,图中即为for ‘

    2024年02月13日
    浏览(61)
  • 34、springboot切换内嵌Web服务器(Tomcat服务器)与 生成SSL证书来把项目访路径从 HTTP 配置成 HTTPS

    知识点1:springboot切换内嵌Web服务器(Tomcat服务器) 知识点2:生成SSL证书来把项目访路径从 HTTP 配置成 HTTPS spring-boot-starter-web 默认依赖 Tomcat 内置服务器 改为 Jetty 服务器 改为 Undertow 服务器 目的:把请求路径 http://xxxxx 改成 https://xxxxx 如图:原本普通的项目,启动后是http的

    2024年02月11日
    浏览(49)
  • Visual Studio Code配置Tomcat运行Java Web项目

    ctrl+shift+p 打开搜索Maven原型, 并选择从maven原型创建新项目 或者按如下方式:选择从Maven原型创建Web项目 从 maven-archetype-webapp 原型创建项目 接着选择原型版本、输入包名、项目名、选择项目存放位置 注意:到此需要按一下回车来继续 输入Y或者回车确认 通过Maven原型创建的

    2024年02月05日
    浏览(52)
  • Java | 详解 创建Web项目、配置Tomcat服务器、实现登录效果

    目录 一、相关工具及技术         1、相关工具         2、相关技术         3、相关 jar 包 二、IDEA 创建 web 项目         1、创建空项目         2、classes目录和lib目录配置         3、tomcat 服务器配置 三、MySQL 配置         1、登录 mysql         2、创建 user 表      

    2024年02月03日
    浏览(54)
  • IDEA中在Java项目中添加Web模块 与配置tomcat服务器

    现有项目添加直接走第二步 勾选 Web Application 选项, 点击OK 得到项目目录结构 , 出现web目录结构, 且web目录文件夹出现小蓝点 说明web配置没有出现或是手动构建的目录结构 , 在IDE关闭或者迁移项目时会出现 这时web模块是无法运行的 解决 打开 Project Stucture 选中web模块, 配置De

    2024年01月16日
    浏览(115)
  • IDEA2023.1.3创建Java Web项目并配置Tomcat(傻瓜式教程)

    本篇教程只针对IDEA2023.1.3版的Java Web项目创建以及配置Tomcat,不包含Tomcat下载教程 1.选择New Project,设置好项目名和JDK,点击Create  2.打开Project Structure 3.在Modules里点击加号选择Web,这样IDEA会帮我们创建好webapp文件夹和web.xml配置文件 4. 为项目创建一个web应用artifacts,IDEA在这里

    2024年02月11日
    浏览(62)
  • 保姆级!如何在Window Server服务器上用tomcat部署java web项目

    首先,打开idae软件(我项目用的idea,也可以其他)导入你的项目,然后运行项目,确保项目能在localhost:8080,即在本地上运行。 确保能在本地上运行,且项目所有的已实现的功能没有bug,多测试几次。 然后打包项目,在打包前,看看数据库的.sql文件放在哪个位置(如果有的

    2024年02月06日
    浏览(51)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包