{"id":5232,"date":"2012-12-10T22:00:33","date_gmt":"2012-12-10T20:00:33","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=5232"},"modified":"2018-10-15T19:45:20","modified_gmt":"2018-10-15T16:45:20","slug":"securing-your-tomcat-app-with-ssl-and-spring-security","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html","title":{"rendered":"Securing your Tomcat app with SSL and Spring Security"},"content":{"rendered":"<p>If you&#8217;ve seen my last blog, you&#8217;ll know that I listed <a href=\"http:\/\/www.javacodegeeks.com\/2012\/11\/ten-things-you-can-do-with-spring-security.html\" target=\"new\">ten things that you can do with Spring Security<\/a>. However, before you start using Spring Security in earnest one of the first things you really must do is to ensure that your web app uses the right transport protocol, which in this case is HTTPS &#8211; after all there&#8217;s no point in having a secure web site if you&#8217;re going to broadcast your user&#8217;s passwords all over the internet in plain text. To setup SSL there are three basic steps&#8230;<\/p>\n<h2>Creating a Key Store<\/h2>\n<p>The first thing you need is a private keystore containing a valid certificate and the simplest way to generate one of these is to use Java&#8217;s <code>keytool<\/code> utility located in the <code>$JAVA_HOME\/bin<\/code> directory.<\/p>\n<pre class=\" brush:java\">keytool -genkey -alias MyKeyAlias -keyalg RSA -keystore \/Users\/Roger\/tmp\/roger.keystore<\/pre>\n<p>In the above example,<\/p>\n<ul>\n<li><code><strong>-alias<\/strong><\/code> is the unique identifier for your key.<\/li>\n<li><code><strong>-keyalg<\/strong><\/code> is the algorithm used to generate the key. Most examples you find on the web usually cite &#8216;RSA&#8217;, but you could also use &#8216;DSA&#8217; or &#8216;DES&#8217;<\/li>\n<li><code><strong>-keystore<\/strong><\/code> is an optional argument specifying the location of your key store file. If this argument is missing then the default location is your $HOME directory.<\/li>\n<\/ul>\n<p><strong>RSA<\/strong> stands for Ron Rivest (also the creator of the <a href=\"http:\/\/www.captaindebug.com\/2011\/08\/rc4-encryption.html#.UMNXcaUx_8s\" target=\"new\">RC4 algorithm<\/a>), Adi Shamir and Leonard Adleman<\/p>\n<p><strong>DSA<\/strong> stands for Digital Signature Algorithm<\/p>\n<p><strong>DES<\/strong> stands for Data Encryption Standard<\/p>\n<p>For more information on <code>keytool<\/code> and its arguments take a look at this <a href=\"http:\/\/www.informit.com\/articles\/article.aspx?p=407886&amp;seqNum=2\" target=\"new\">Informit article by Jon Svede<\/a><\/p>\n<p>When you run this program you&#8217;ll be asked a few questions:<\/p>\n<pre class=\" brush:bash\">Roger$ keytool -genkey -alias MyKeyAlias -keyalg RSA -keystore \/Users\/Roger\/tmp\/roger.keystore\r\nEnter keystore password: \r\nRe-enter new password:\r\nWhat is your first and last name?\r\n  [Unknown]:  localhost\r\nWhat is the name of your organizational unit?\r\n  [Unknown]:  MyDepartmentName\r\nWhat is the name of your organization?\r\n  [Unknown]:  MyCompanyName\r\nWhat is the name of your City or Locality?\r\n  [Unknown]:  Stafford\r\nWhat is the name of your State or Province?\r\n  [Unknown]:  NA\r\nWhat is the two-letter country code for this unit?\r\n  [Unknown]:  UK\r\nIs CN=localhost, OU=MyDepartmentName, O=MyCompanyName, L=Stafford, ST=UK, C=UK correct?\r\n  [no]:  Y\r\n\r\nEnter key password for \r\n\r\n     (RETURN if same as keystore password):<\/pre>\n<p>Most of the fields are self explanatory; however for the first and second name values, I generally use the machine name &#8211; in this case<br \/>\n<code>localhost<\/code>.<div style=\"display:inline-block; margin: 15px 0;\"> <div id=\"adngin-JavaCodeGeeks_incontent_video-0\" style=\"display:inline-block;\"><\/div> <\/div><\/p>\n<h2>Updating the Tomcat Configuration<\/h2>\n<p>The second step in securing your app is to ensure that your tomcat has an SSL connector. To do this you need to find tomcat&#8217;s <code>server.xml<\/code> configuration file, which is usually located in the <code>'conf'<\/code> directory. Once you&#8217;ve got hold of this and if you&#8217;re using tomcat, then it&#8217;s a matter of uncommenting:<\/p>\n<pre class=\" brush:xml\">&lt;Connector port='8443' protocol='HTTP\/1.1' SSLEnabled='true'\r\n               maxThreads='150' scheme='https' secure='true'\r\n               clientAuth='false' sslProtocol='TLS' \/&gt;<\/pre>\n<p>\u2026and making it look something like this:<\/p>\n<pre class=\" brush:xml\">&lt;Connector SSLEnabled='true' keystoreFile='\/Users\/Roger\/tmp\/roger.keystore' keystorePass='password' port='8443' scheme='https' secure='true' sslProtocol='TLS'\/&gt;<\/pre>\n<p>Note that the password &#8216;password&#8217; is in plain text, which isn&#8217;t very secure. There are ways around this, but that&#8217;s beyond the scope of this blog.<\/p>\n<p>If you&#8217;re using Spring&#8217;s tcServer, then you&#8217;ll find that it already has a SSL connector that&#8217;s configured something like this:<\/p>\n<pre class=\" brush:xml\">&lt;Connector SSLEnabled='true' acceptCount='100' connectionTimeout='20000' executor='tomcatThreadPool' keyAlias='tcserver' keystoreFile='${catalina.base}\/conf\/tcserver.keystore' keystorePass='changeme' maxKeepAliveRequests='15' port='${bio-ssl.https.port}' protocol='org.apache.coyote.http11.Http11Protocol' redirectPort='${bio-ssl.https.port}' scheme='https' secure='true'\/&gt;<\/pre>\n<p>\u2026in which case it&#8217;s just a matter of editing the various fields including keyAlias, keystoreFile and keystorePass.<\/p>\n<h2>Configuring your App<\/h2>\n<p>If you now start tomcat and run your web application, you&#8217;ll now find that it&#8217;s accessible using HTTPS. For example typing <code>https:\/\/localhost:8443\/my-app<\/code> will work, but so will <code>http:\/\/localhost:8080\/my-app<\/code> This means that you also need to do some jiggery-pokery on your app to ensure that it only responds to HTTPS and there are two approaches you can take.<\/p>\n<p>If you&#8217;re not using Spring Security, then you can simply add the following to your<code>web.xml<\/code> before the last <code>web-app<\/code> tag:<\/p>\n<pre class=\" brush:xml\">&lt;security-constraint&gt;\r\n    &lt;web-resource-collection&gt;\r\n        &lt;web-resource-name&gt;my-secure-app&lt;\/web-resource-name&gt;\r\n        &lt;url-pattern&gt;\/*&lt;\/url-pattern&gt;\r\n    &lt;\/web-resource-collection&gt;\r\n    &lt;user-data-constraint&gt;\r\n        &lt;transport-guarantee&gt;CONFIDENTIAL&lt;\/transport-guarantee&gt;\r\n    &lt;\/user-data-constraint&gt;\r\n&lt;\/security-constraint&gt;<\/pre>\n<p>If you are using Spring Security, then there are a few more steps to getting things going. Part of the general Spring Security setup is to add the following to your <code>web.xml<\/code> file. Firstly you need to add a Spring Security application context file to the <code>contextConfigLocation<\/code> <code>context-param<\/code>:<\/p>\n<pre class=\" brush:xml\">&lt;context-param&gt;\r\n          &lt;param-name&gt;contextConfigLocation&lt;\/param-name&gt;\r\n          &lt;param-value&gt;\/WEB-INF\/spring\/root-context.xml\r\n           \/WEB-INF\/spring\/appServlet\/application-security.xml           \r\n          &lt;\/param-value&gt;\r\n     &lt;\/context-param&gt;<\/pre>\n<p>Secondly, you need to add the Spring Security <code>filter<\/code> and <code>filter-mapping<\/code>:<\/p>\n<pre class=\" brush:xml\">&lt;filter&gt;\r\n    &lt;filter-name&gt;springSecurityFilterChain&lt;\/filter-name&gt;\r\n    &lt;filter-class&gt;org.springframework.web.filter.DelegatingFilterProxy&lt;\/filter-class&gt;\r\n  &lt;\/filter&gt;\r\n  &lt;filter-mapping&gt;\r\n    &lt;filter-name&gt;springSecurityFilterChain&lt;\/filter-name&gt;\r\n    &lt;url-pattern&gt;\/*&lt;\/url-pattern&gt;\r\n  &lt;\/filter-mapping&gt;<\/pre>\n<p>Lastly, you need to create, or edit, your <code>application-security.xml<\/code> as shown in the very minimalistic example below:<\/p>\n<pre class=\" brush:xml\">&lt;?xml version='1.0' encoding='UTF-8'?&gt;\r\n&lt;beans:beans xmlns='http:\/\/www.springframework.org\/schema\/security'\r\n  xmlns:beans='http:\/\/www.springframework.org\/schema\/beans'\r\n  xmlns:xsi='http:\/\/www.w3.org\/2001\/XMLSchema-instance'\r\n  xsi:schemaLocation='http:\/\/www.springframework.org\/schema\/beans\r\n           http:\/\/www.springframework.org\/schema\/beans\/spring-beans-3.0.xsd\r\n           http:\/\/www.springframework.org\/schema\/security\r\n           http:\/\/www.springframework.org\/schema\/security\/spring-security-3.1.xsd'&gt;\r\n\r\n       &lt;http auto-config='true' &gt;\r\n          &lt;intercept-url pattern='\/**' requires-channel='https' \/&gt;    \r\n       &lt;\/http&gt;\r\n\r\n       &lt;authentication-manager&gt;\r\n       &lt;\/authentication-manager&gt;\r\n\r\n&lt;\/beans:beans&gt;<\/pre>\n<p>In the example above <code>intercept-url<\/code> element has been set up intercept all URLs and force them to use the https channel.<\/p>\n<p>The configuration details above may give the impression that it&#8217;s quicker to use the simple <code>web.xml<\/code> config change, but if you&#8217;re already using Spring Security, then it&#8217;s only a matter of adding a <code>requires-channel<\/code> attribute to your existing configuration.<\/p>\n<p>A sample app called tomcat-ssl demonstrating the above is available on git hub at: https:\/\/github.com\/roghughe\/captaindebug<br \/>\n<strong><em>Reference: <\/em><\/strong><a href=\"http:\/\/www.captaindebug.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and.html#.UMXvPHdy2So\">Securing your Tomcat app with SSL and Spring Security<\/a> from our <a href=\"http:\/\/www.javacodegeeks.com\/p\/jcg.html\">JCG partner<\/a> Roger Hughes at the <a href=\"http:\/\/www.captaindebug.com\/\">Captain Debug&#8217;s Blog <\/a> blog.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;ve seen my last blog, you&#8217;ll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in earnest one of the first things you really must do is to ensure that your web app uses the right transport protocol, which in this case is &hellip;<\/p>\n","protected":false},"author":65,"featured_media":84,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[32,297,30,125],"class_list":["post-5232","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-apache-tomcat","tag-security","tag-spring","tag-spring-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Securing your Tomcat app with SSL and Spring Security<\/title>\n<meta name=\"description\" content=\"If you&#039;ve seen my last blog, you&#039;ll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing your Tomcat app with SSL and Spring Security\" \/>\n<meta property=\"og:description\" content=\"If you&#039;ve seen my last blog, you&#039;ll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html\" \/>\n<meta property=\"og:site_name\" content=\"Java Code Geeks\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/javacodegeeks\" \/>\n<meta property=\"article:published_time\" content=\"2012-12-10T20:00:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-10-15T16:45:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/apache-tomcat-logo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"150\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Roger Hughes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:site\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Roger Hughes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html\"},\"author\":{\"name\":\"Roger Hughes\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/c9feacaf8e783104a69621cd65bf1f07\"},\"headline\":\"Securing your Tomcat app with SSL and Spring Security\",\"datePublished\":\"2012-12-10T20:00:33+00:00\",\"dateModified\":\"2018-10-15T16:45:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html\"},\"wordCount\":674,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/apache-tomcat-logo.jpg\",\"keywords\":[\"Apache Tomcat\",\"Security\",\"Spring\",\"Spring Security\"],\"articleSection\":[\"Enterprise Java\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html\",\"name\":\"Securing your Tomcat app with SSL and Spring Security\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/apache-tomcat-logo.jpg\",\"datePublished\":\"2012-12-10T20:00:33+00:00\",\"dateModified\":\"2018-10-15T16:45:20+00:00\",\"description\":\"If you've seen my last blog, you'll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/apache-tomcat-logo.jpg\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/apache-tomcat-logo.jpg\",\"width\":150,\"height\":150},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2012\\\/12\\\/securing-your-tomcat-app-with-ssl-and-spring-security.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Enterprise Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\\\/enterprise-java\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Securing your Tomcat app with SSL and Spring Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"name\":\"Java Code Geeks\",\"description\":\"Java Developers Resource Center\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"alternateName\":\"JCG\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.javacodegeeks.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\",\"name\":\"Exelixis Media P.C.\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"width\":864,\"height\":246,\"caption\":\"Exelixis Media P.C.\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/javacodegeeks\",\"https:\\\/\\\/x.com\\\/javacodegeeks\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/c9feacaf8e783104a69621cd65bf1f07\",\"name\":\"Roger Hughes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/db9d1e5362dbc3f8007b383b852473b59fb8c5282a6066a13ab1cef761a9d5d6?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/db9d1e5362dbc3f8007b383b852473b59fb8c5282a6066a13ab1cef761a9d5d6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/db9d1e5362dbc3f8007b383b852473b59fb8c5282a6066a13ab1cef761a9d5d6?s=96&d=mm&r=g\",\"caption\":\"Roger Hughes\"},\"sameAs\":[\"http:\\\/\\\/www.captaindebug.com\\\/\"],\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/author\\\/Roger-Hughes\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Securing your Tomcat app with SSL and Spring Security","description":"If you've seen my last blog, you'll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html","og_locale":"en_US","og_type":"article","og_title":"Securing your Tomcat app with SSL and Spring Security","og_description":"If you've seen my last blog, you'll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in","og_url":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html","og_site_name":"Java Code Geeks","article_publisher":"https:\/\/www.facebook.com\/javacodegeeks","article_published_time":"2012-12-10T20:00:33+00:00","article_modified_time":"2018-10-15T16:45:20+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/apache-tomcat-logo.jpg","type":"image\/jpeg"}],"author":"Roger Hughes","twitter_card":"summary_large_image","twitter_creator":"@javacodegeeks","twitter_site":"@javacodegeeks","twitter_misc":{"Written by":"Roger Hughes","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#article","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html"},"author":{"name":"Roger Hughes","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/c9feacaf8e783104a69621cd65bf1f07"},"headline":"Securing your Tomcat app with SSL and Spring Security","datePublished":"2012-12-10T20:00:33+00:00","dateModified":"2018-10-15T16:45:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html"},"wordCount":674,"commentCount":3,"publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/apache-tomcat-logo.jpg","keywords":["Apache Tomcat","Security","Spring","Spring Security"],"articleSection":["Enterprise Java"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html","url":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html","name":"Securing your Tomcat app with SSL and Spring Security","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/apache-tomcat-logo.jpg","datePublished":"2012-12-10T20:00:33+00:00","dateModified":"2018-10-15T16:45:20+00:00","description":"If you've seen my last blog, you'll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in","breadcrumb":{"@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#primaryimage","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/apache-tomcat-logo.jpg","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/apache-tomcat-logo.jpg","width":150,"height":150},{"@type":"BreadcrumbList","@id":"https:\/\/www.javacodegeeks.com\/2012\/12\/securing-your-tomcat-app-with-ssl-and-spring-security.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.javacodegeeks.com\/"},{"@type":"ListItem","position":2,"name":"Java","item":"https:\/\/www.javacodegeeks.com\/category\/java"},{"@type":"ListItem","position":3,"name":"Enterprise Java","item":"https:\/\/www.javacodegeeks.com\/category\/java\/enterprise-java"},{"@type":"ListItem","position":4,"name":"Securing your Tomcat app with SSL and Spring Security"}]},{"@type":"WebSite","@id":"https:\/\/www.javacodegeeks.com\/#website","url":"https:\/\/www.javacodegeeks.com\/","name":"Java Code Geeks","description":"Java Developers Resource Center","publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"alternateName":"JCG","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.javacodegeeks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.javacodegeeks.com\/#organization","name":"Exelixis Media P.C.","url":"https:\/\/www.javacodegeeks.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","width":864,"height":246,"caption":"Exelixis Media P.C."},"image":{"@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/javacodegeeks","https:\/\/x.com\/javacodegeeks"]},{"@type":"Person","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/c9feacaf8e783104a69621cd65bf1f07","name":"Roger Hughes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/db9d1e5362dbc3f8007b383b852473b59fb8c5282a6066a13ab1cef761a9d5d6?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/db9d1e5362dbc3f8007b383b852473b59fb8c5282a6066a13ab1cef761a9d5d6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/db9d1e5362dbc3f8007b383b852473b59fb8c5282a6066a13ab1cef761a9d5d6?s=96&d=mm&r=g","caption":"Roger Hughes"},"sameAs":["http:\/\/www.captaindebug.com\/"],"url":"https:\/\/www.javacodegeeks.com\/author\/Roger-Hughes"}]}},"_links":{"self":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/5232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/comments?post=5232"}],"version-history":[{"count":0,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/5232\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media\/84"}],"wp:attachment":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media?parent=5232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/categories?post=5232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/tags?post=5232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}