Monday, January 30, 2012

HTTPS

By default, we have used HTTP to access our application from the browser.

HTTP transfers data as plain text, so anyone on the network path can read it. To protect the traffic, we can use HTTPS.

To do this, we need to:
1. Obtain an SSL certificate
2. Configure Tomcat to use HTTPS

In the real world, you get an SSL certificate from a certificate authority such as VeriSign.

In our example, we will generate our own certificate.

HTTPS itself does not care who generated the certificate; it is up to the user of the application to decide whether to accept it. Most browsers are, by default, configured to trust only certificates issued by recognized certificate authorities such as VeriSign. If they see a certificate from an authority they do not recognize, they either refuse to connect or, more likely, warn the user and ask what to do.

To generate your own certificate that Tomcat can use:
- Open a command prompt
- cd to your home directory
- Run the following command:

 C:\Documents and Settings\LavanniM>keytool -genkey -alias tomcat -keyalg RSA  


It will ask you several questions about the certificate owner, and then for a keystore password.
Specify a password value of "changeit". (keytool writes the key pair to a .keystore file in your home directory; that location and the password "changeit" are the defaults Tomcat's SSL connector looks for, which is why the connector below needs no keystoreFile or keystorePass attributes.)

Now that we have our certificate created, let us configure Tomcat to use HTTPS.

Open the /config/server.xml file in your Tomcat 7 installation.

Comment out:

   <Connector port="8080" protocol="HTTP/1.1"
              connectionTimeout="20000"
              redirectPort="8443" />


Uncomment:

   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" />


Note that the HTTPS server runs on port 8443.
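As an added check (example code written for this post, not part of Tomcat or the original post), the script below parses a server.xml fragment and reports which connectors are actually live and whether any of them still accepts plaintext HTTP. The XML it parses is a constructed copy of the two connectors above plus Tomcat's default AJP connector, not a real installation's file.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the post's edits: the HTTP
# connector is commented out and the SSL connector on 8443 is active.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return (active, findings).

    active   - list of (port, protocol, tls_enabled) for every live Connector
    findings - plain-text problems a reviewer would want to know about
    ElementTree drops XML comments while parsing, so a commented-out
    Connector never shows up here, just as Tomcat would ignore it.
    """
    root = ET.fromstring(server_xml)
    active, findings = [], []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        active.append((port, proto, tls))
        if proto.startswith("AJP"):
            continue  # AJP is for a fronting web server, not for browsers
        if not tls:
            findings.append("port %s accepts plaintext HTTP" % port)
            continue
        # An SSL connector should also tell the container it is secure, so
        # request.isSecure() and https-based redirects behave correctly.
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append("port %s: SSLEnabled without scheme=https/secure=true" % port)
        if conn.get("clientAuth", "false").lower() == "true":
            findings.append("port %s requires client certificates" % port)
    return active, findings
```

Running it against the real file (conf/server.xml) after you revert to port 8080 at the end of this post will list 8080 as a plaintext connector again.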

Now if you restart Tomcat and try to access http://localhost:8080, you will get an "Unable to connect" error.

If instead you point to https://localhost:8443, you will be able to access Tomcat.

Note: For some reason, the Tomcat Monitor utility runs into trouble starting Tomcat on HTTPS, so start Tomcat from the command line by going to the /bin directory and running Tomcat7.exe.

You can now run HelloWorld by going to:
https://localhost:8443/HelloWorld/jsp/HelloWorld.jsp

All traffic between the browser and the server is now encrypted, and hence more secure.

If you try to run the JSON example from the previous post, note that you will need to update HelloWorld.jsp so that its AJAX call uses https and port 8443.

Like this:

  <html>
  <head>
    <script src="../js/jquery-1.7.1.min.js"></script>
    <script type="text/javascript">
      function getMusicSchool()
      {
        // Create AJAX object
        var xmlhttp;

        if (window.XMLHttpRequest)
          xmlhttp = new XMLHttpRequest(); // IE7+, Firefox, Chrome, Opera, Safari
        else
          xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // IE6, IE5

        // Associate a method for AJAX response
        xmlhttp.onreadystatechange = function()
        {
          if (xmlhttp.readyState == 4 && xmlhttp.status == 200) // Successful response
            getJSONObject(xmlhttp.responseText);
        };

        // Send AJAX request over HTTPS, to the port the SSL connector listens on
        xmlhttp.open("GET", "https://localhost:8443/HelloWorld/music-school", true);
        xmlhttp.send();
      }

      function getJSONObject(jsonStr)
      {
        if (null != jsonStr && 0 != jsonStr.length)
        {
          alert(jsonStr);
          try
          {
            var jsonObj = $.parseJSON(jsonStr);
            var displayStr = jsonObj.name + ", located at " + jsonObj.address + " teaches " + jsonObj.instruments.length + " instruments, including " + jsonObj.instruments[1] + ".";
            alert(displayStr);
          }
          catch (e)
          {
            alert(e.toString());
          }
        }
      }
    </script>
  </head>
  <body>
    <form>
      <button type="button" onclick="getMusicSchool()">Show Music School</button>
    </form>
  </body>
  </html>


REMEMBER TO REVERT to HTTP port 8080 when you are done!!!
