
How to develop https site with Spring 3.x?

I am a newbie in Spring based web development.

Our site is Spring based and is currently http based (so quite insecure). Since the site is not live yet, we are sending login/password also through a normal JSON request to server and have focussed mostly on JSP, UI design, SQL queries etc.

Now, we want to shift to focus on security and shift to https as a first step.

I have read a no. of web-pages and some Spring books but none seems to provide a clear answer on how Spring can be used to provide https security. Can someone please help me in achieving the above?

Please let me know if my question is not clear. I will try to add more details ASAP.

Our web.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
  http://java.sun.com/xml/ns/javaee 
  http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd
  http://www.springframework.org/schema/mvc
  http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd    
"
id="WebApp_ID" version="2.5">

<display-name>Spring3MVC</display-name>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>

<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>*.html</url-pattern>
</servlet-mapping>

<!-- Mapping for serving static web-content -->
<!-- The resources folder must be in parallel to WEB-INF -->
<!-- The mvc:resources gives "not bound" exception unless bound to a namespace as above for xmlns:mvc -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:resources mapping="/scripts/**" location="/scripts/" />

</web-app>

There is only one controller right now, for which spring-servlet.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">

<context:component-scan
    base-package="console.controllerpkg" />

<bean id="viewResolver"
    class="org.springframework.web.servlet.view.UrlBasedViewResolver">
    <property name="viewClass"
        value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/jsp/" />
    <property name="suffix" value=".jsp" />
</bean>

</beans>

Thanks a lot in advance!

P.S. If you can recommend me a good example based site/book on spring, it would be much appreciated. Most of the sites/books I have seen lay much emphasis on theory but very little examples. That has left me a little confused.

newbie_in_web asked Oct 18 '11 17:10


3 Answers

Spring is not 100% responsible for configuring SSL. For that you need to configure the container (jetty, tomcat, etc) to handle SSL.

Dave G answered Sep 29 '22 13:09


As Dave says, you need to configure your container to serve SSL, and then deploy your spring app into that container. Learn about configuring Tomcat for SSL.

Alternately, and more flexibly, you can front your container using Apache, and enable SSL there.

nont answered Sep 29 '22 13:09


Thanks for all the help guys. I will re-iterate what I did just for my own record purposes.

First of all, the link provided by nont about 'Tomcat for SSL' was really helpful. I read all about SSL and Tomcat there and this is what I did:

On the command prompt, enter:

keytool -genkey -alias tomcat -keyalg RSA

The above command asked me some simple questions needed for a Certificate. I used the password 'changeit' wherever asked (as that is the default password).

On finishing with the above command, it generated a keystore file in C:/Documents and Settings//.keystore

I copied this .keystore file to tomcat/conf/myKeyStore.jks

Then I added the following to conf/server.xml :

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" minSpareThreads="5" 
   maxSpareThreads="75"
   enableLookups="true" 
   disableUploadTimeout="true"
   acceptCount="100" 
   maxThreads="200" debug="5"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/myKeyStore.jks"
   keystoreType="JKS" keystorePass="changeit"
   truststoreFile="${catalina.home}/conf/cacerts"
   truststoreType="JKS" truststorePass="changeit"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" 
   sslProtocol="TLS" />

And that's it!! Next time I ran Tomcat, my old http link did not work. Then I tried adding sweet 's' to http with a port number of 8443 and lo! everything was up and running again.

Thanks nont for the wonderful link!!

newbie_in_web answered Sep 29 '22 11:09
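
A hardened variant of the connector from the last answer, together with a web.xml constraint that makes the container redirect plain-HTTP requests to HTTPS. This is an added example, not part of the original posts. The HTTP port 8080 (Tomcat's default) and the password placeholder are assumptions; the keystore path is the one used in the answer.

```xml
<!-- ADDED EXAMPLE: not from the original answer. -->

<!-- conf/server.xml: keep a plain HTTP connector whose only job is to hand
     requests over to the HTTPS port. Port 8080 is assumed (Tomcat default). -->
<Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" />

<!-- conf/server.xml: JSSE HTTPS connector.
     REPLACE_WITH_STRONG_PASSWORD is a placeholder, not a real value; it must
     match the password given to keytool, and should not be 'changeit'.
     clientAuth="false": browsers are not asked for a client certificate,
     which is what a site with username/password login needs. -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" maxThreads="200" acceptCount="100"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${catalina.home}/conf/myKeyStore.jks"
    keystoreType="JKS" keystorePass="REPLACE_WITH_STRONG_PASSWORD"
    clientAuth="false"
    sslProtocol="TLS" />

<!-- WEB-INF/web.xml, inside <web-app>: require an encrypted transport for
     every URL. A request arriving over HTTP is redirected by the container
     to the redirectPort configured above, so login data never travels
     in clear text even if a user types the http:// address. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

The `SSLVerifyClient`, `SSLEngine` and `SSLVerifyDepth` attributes in the answer's connector are APR/native settings; on the JSSE `Http11Protocol` connector the client-certificate setting is `clientAuth`, and a truststore is only needed when client certificates are actually verified.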