For testing purposes, and to verify that SSL support has been correctly installed, load the default introduction page with a URL that connects to the port defined in the server deployment descriptor:</p>
<div class="pPreformattedRelative"><pre class="pPreformattedRelative">https://localhost:1043/<a name="wp148661"> </a></pre></div>
<a name="wp148662"> </a><p class="pBody">The <code class="cCode">https</code> in this URL indicates that the browser should use the SSL protocol. The <code class="cCode">localhost</code> in this example assumes you are running the example on your local machine as part of the development process. The <code class="cCode">1043</code> in this example is the secure port that was specified when the SSL Connector was created in <a href="Security6.html#wp142440">Configuring the SSL Connector</a>. If you are using a different server or port, modify this value accordingly.</p>
<a name="wp148663"> </a><p class="pBody">The first time a user loads this application, the New Site Certificate or Security Alert dialog is displayed. Select Next to move through the series of dialogs, and select Finish when you reach the last dialog. The certificate dialogs are displayed only the first time: once you accept the certificate, subsequent requests to this site assume that you still trust the content.</p>
<a name="wp159613"> </a><h4 class="pHeading3">General Tips on Running SSL</h4>
<a name="wp159614"> </a><p class="pBody">The SSL protocol is designed to be as efficient as it can be while remaining secure. However, encryption and decryption are computationally expensive operations, so SSL has a performance cost. It is not strictly necessary to run an entire Web application over SSL, and it is customary for a developer to decide which pages require a secure connection and which do not. Pages that might require a secure connection include login pages, personal information pages, shopping cart checkouts, or any pages where credit card information could possibly be transmitted.
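Deciding which pages need SSL is only half of the job; the application also has to refuse or redirect requests for those pages that arrive over plain HTTP. The following servlet filter is an added example written for this section, not code from the J2EE tutorial or its sample applications; the class name RequireSslFilter, its securePort init-param, and the default of 1043 (the secure port configured for the SSL Connector earlier in this chapter) are assumptions. It relies on HttpServletRequest.isSecure(), which reports whether the container itself received the request over SSL, rather than trusting the scheme written in the URL:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects plain-HTTP requests for protected pages to the SSL port.
 * Hypothetical filter written for this tutorial section; it is not part
 * of the J2EE tutorial examples.  Map it in web.xml to the URL patterns
 * that need SSL (login, account, checkout), not to the whole application.
 */
public class RequireSslFilter implements Filter {

    // Secure port from the SSL Connector configuration.  1043 is the port
    // used in this chapter (assumed default); override it with the
    // hypothetical init-param "securePort" when the connector differs.
    private int securePort = 1043;

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("securePort");
        if (port != null) {
            securePort = Integer.parseInt(port.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only when the container's own connector received
        // the request over SSL; it is the authoritative check, independent of
        // whatever scheme appears in the request URL.
        if (!request.isSecure()) {
            // Rebuild the same resource (path and query string) on the SSL port.
            StringBuffer target = new StringBuffer("https://");
            target.append(request.getServerName());
            if (securePort != 443) {
                target.append(':').append(securePort);
            }
            target.append(request.getRequestURI());
            String query = request.getQueryString();
            if (query != null) {
                target.append('?').append(query);
            }
            response.sendRedirect(target.toString());
            return;
        }

        // Request arrived over SSL: let it through to the protected page.
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Two caveats matter when using a check like this. A redirect protects only the retried request: a form that was already submitted over plain HTTP has already exposed its fields, so links and form actions for protected pages should use <code class="cCode">https:</code> from the start. And because isSecure() reflects the container's own connector, it returns false behind an SSL-terminating proxy unless the container has been configured to trust that proxy. The declarative alternative in J2EE is a user-data-constraint with a transport-guarantee of CONFIDENTIAL in the security constraint for those pages, which has the container perform the same redirect without application code.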
Any page within an application can be requested over a secure socket simply by prefixing the address with <code class="cCode">https:</code> instead of <code class="cCode">http:</code>. Any page that absolutely requires a secure connection should check the protocol type associated with the page request and take the appropriate action if <code class="cCode">https:</code> is not specified.</p>
<a name="wp159615"> </a><p class="pBody">Using name-based virtual hosts on a secured connection can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, in which the client browser accepts the server certificate, must occur before the HTTP request is read. As a result, the request information containing the virtual host name is not available before authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts on a single IP address can authenticate against the same certificate, adding multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers compare the server's domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers display a warning to the user. In general, only address-based virtual hosts are commonly used with SSL in a production environment.</p>
<a name="wp148545"> </a><h4 class="pHeading3">Enabling Mutual Authentication Over SSL</h4>
<a name="wp148546"> </a><p class="pBody">This section discusses setting up client-side authentication. When both server-side and client-side authentication are enabled, this is called mutual, or two-way, authentication. In client authentication, clients are required to submit certificates issued by a certificate authority that you choose to accept. There are at least two ways to enable client authentication.
No matter which way you choose, you must enter the keystore location and password in the Web server configuration file to enable SSL, as discussed in <a href="Security6.html#wp142440">Configuring the SSL Connector</a>. The two ways to enable mutual authentication over SSL are:</p>
<div class="pSmartList1"><ul class="pSmartList1"><a name="wp386898"> </a>
<div class="pSmartList1"><li>Set the <code class="cCode">clientAuth</code> property in the certificate realm to <code class="cCode">true</code>. To do this,</li></div>
<div class="pSmartList2"><ol type="a" class="pSmartList2"><a name="wp386899"> </a>
<div class="pSmartList2"><li>Start the Application Server if you haven't already done so. Information on starting the Application Server can be found at <a href="WebApp3.html#wp213803">Starting and Stopping the J2EE Application Server</a>.</li></div>
<a name="wp386903"> </a><div class="pSmartList2"><li>Start the Admin Console. Information on starting the Admin Console can be found at <a href="WebApp3.html#wp213824">Starting the Admin Console</a>.</li></div>
<a name="wp386907"> </a><div class="pSmartList2"><li>In the Admin Console tree, expand Security, then expand Realms, and select <code class="cCode">certificate</code>. The <code class="cCode">certificate</code> realm is used for all transfers over HTTP with SSL.</li></div>
<a name="wp386909"> </a><div class="pSmartList2"><li>Select Add to add the <code class="cCode">clientAuth</code> property to the server.
Enter <code class="cCode">clientAuth</code> in the Name field and <code class="cCode">true</code> in the Value field.</li></div>
<a name="wp386910"> </a><div class="pSmartList2"><li>Click Save to save the new property.</li></div>
<a name="wp386911"> </a><div class="pSmartList2"><li>Log out of the Admin Console.</li></div>
<a name="wp160446"> </a><p class="pBodyRelative">When you enable client authentication by setting the <code class="cCode">clientAuth</code> property to <code class="cCode">true</code>, client authentication is required for all requests going through the specified SSL port.</p></ol></div>
<a name="wp148549"> </a><div class="pSmartList1"><li>Set the method of authentication to <code class="cCode">Client-Certificate</code> using <code class="cCode">deploytool</code>. When client authentication is enabled in this way, it applies only to the specific resource controlled by the security constraint. Setting client authentication in this way is discussed in <a href="Security7.html#wp129121">Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC</a>.</li></div></ul></div>
<a name="wp148551"> </a><p class="pBody">When client authentication is enabled in both of the ways mentioned above, client authentication is performed twice.</p>
<a name="wp148553"> </a><h5 class="pHeading4">Verifying Mutual Authentication is Running</h5>
<a name="wp148554"> </a><p class="pBody">You can verify that mutual authentication is working by obtaining debug messages. This should be done at the client end. This example shows how to pass a system property in <code class="cCode">targets.xml</code> so that <code class="cCode">targets.xml</code> forks a client with <code class="cCode">javax.net.debug</code> in its system properties; the property can be added in a file such as <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/security/common/targets.xml</code>.
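The debug messages show the handshake from the client's side. As an added example that is not part of the tutorial or its sample applications, the following servlet (the class name ClientCertCheckServlet is hypothetical) confirms from the server side that a client certificate actually arrived. It reads the <code class="cCode">javax.servlet.request.X509Certificate</code> request attribute, which the Servlet 2.4 specification requires the container to set, as an array of <code class="cCode">java.security.cert.X509Certificate</code>, when the request came in over an SSL connection that authenticated the client:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical diagnostic servlet (not one of the tutorial's examples)
 * that reports whether the client authenticated with a certificate.
 * The Servlet 2.4 specification defines the request attribute
 * javax.servlet.request.X509Certificate, which the container sets after a
 * successful mutual SSL handshake to the client's certificate chain.
 */
public class ClientCertCheckServlet extends HttpServlet {

    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the client's chain, or null when no client certificate was presented. */
    static X509Certificate[] clientChain(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            return chain.length > 0 ? chain : null;
        }
        return null;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        if (!request.isSecure()) {
            // Without SSL there cannot be a client certificate at all.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("Request did not arrive over SSL.");
            return;
        }

        X509Certificate[] chain = clientChain(request);
        if (chain == null) {
            // SSL was used, but the server did not request or receive a client
            // certificate: check clientAuth on the certificate realm or the
            // Client-Certificate authentication method on the resource.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("SSL connection, but no client certificate was presented.");
            return;
        }

        // chain[0] is the client's own certificate; any further entries are
        // the issuer chain the client sent along with it.
        X509Certificate leaf = chain[0];
        out.println("Client certificate subject: " + leaf.getSubjectX500Principal().getName());
        out.println("Issued by: " + leaf.getIssuerX500Principal().getName());
        out.println("Valid until: " + leaf.getNotAfter());
        out.println("Chain length: " + chain.length);
    }
}
```

Deploy the servlet under a path covered by the SSL port and request it with the mutual-authentication client; a response that names the expected subject confirms the client's certificate reached the application. Because it echoes certificate details, keep it as a deployment-time diagnostic rather than a permanent page.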
</p>
<a name="wp148555"> </a><p class="pBody">To enable debug messages for SSL mutual authentication, pass the system property <code class="cCode">javax.net.debug=ssl,handshake</code>, which provides information on whether mutual authentication is working. The following example modifies the <code class="cCode">run-mutualauth-client</code> target from the <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/security/common/targets.xml</code> file by adding the <code class="cCode">sysproperty</code> elements shown in <span style="font-weight: bold">bold</span>:</p>
<div class="pPreformattedRelative"><pre class="pPreformattedRelative">&lt;target name="run-mutualauth-client"
        description="Runs a client with mutual authentication over SSL"&gt;
  &lt;java classname="${client.class}" fork="yes"&gt;
    &lt;arg line="${key.store} ${key.store.password} ${trust.store} ${trust.store.password} ${endpoint.address}" /&gt;
<code class="cCodeBold">    &lt;!-- Print the SSL handshake, including the server's CertificateRequest
         and the client's Certificate message, to the client's console --&gt;
    &lt;sysproperty key="javax.net.debug" value="ssl,handshake" /&gt;
    &lt;!-- Keystore holding the client certificate and private key --&gt;
    &lt;sysproperty key="javax.net.ssl.keyStore" value="${key.store}" /&gt;
    &lt;sysproperty key="javax.net.ssl.keyStorePassword" value="${key.store.password}" /&gt;</code>
    &lt;classpath refid="run.classpath" /&gt;
  &lt;/java&gt;
&lt;/target&gt;<a name="wp294513"> </a></pre></div>
</blockquote>
<p><font size="-1">All of the material in <em>The J2EE(TM) 1.4 Tutorial</em> is <a href="J2EETutorialFront2.html">copyright</a>-protected and may not be published in other works without express written permission from Sun Microsystems.</font></p>
</body></html>