Create an HTTPS Spring Boot Application, Why SSL Is Required and How It Works

shubhranshu shekhara Rauta
Jul 17, 2018

Creating a secure service is essential for production services. In this story we will understand why HTTPS is required and how it works.

Why HTTPS and SSL

For handling web requests there are two popular protocols available: HTTP (running on port 80) and HTTPS (running on port 443). Of these two, HTTP transmits data as plain text (unencrypted) from source to destination, client to server and vice versa. So if anybody in the middle wants to read your message, they can read it easily. To make that message encrypted and secure, we can use HTTPS.

HTTPS is used for two reasons:

  1. Authentication (whatever response my end user receives was sent by me)
  2. Encryption (only my end user can understand the message I have passed to them)

How it works

For HTTPS we need an SSL certificate, which has to be placed on the server side. Let's see how this works:

  1. Once you have decided to use HTTPS for your website, you have to buy or get a free SSL certificate from a certificate authority (personal suggestion: do not use a free certificate in production).
  2. Place that certificate on your hosting server (the location/path depends on your web application server).
  3. Then change your server code's redirection so that requests are received on the HTTPS port.
  4. When your end user calls your application from a browser, your server sends its public key to the user's web browser along with the certificate.
  5. The web browser then calls the certificate authority and passes it the certificate, and the certificate authority returns an authorized response.
  6. (Authentication) Once the browser has the authorized response from the CA (certificate authority), it creates a symmetric key, encrypts the symmetric key with the public key and sends it to the server.
  7. (Encryption) The server receives the symmetric key, which is encrypted with the server's public key, and uses its private key to decrypt it. From then on the symmetric key is used for encryption on both the client and the server side.
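The key exchange in steps 6 and 7, as an added Java example that is not part of the original article. It mirrors the steps as described (an AES key wrapped with the server's RSA public key) and is not a TLS implementation; the class name KeyExchangeDemo, the OAEP and AES-GCM choices and the sample request are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustration only (hypothetical class): the browser/server roles from steps 6 and 7.
public class KeyExchangeDemo {
    public static void main(String[] args) throws Exception {
        // Server: RSA key pair; the public half is what the certificate carries.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();

        // Step 6 (browser): create a symmetric key and encrypt it with the public key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey browserKey = kg.generateKey();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, server.getPublic());
        byte[] wrappedKey = rsa.doFinal(browserKey.getEncoded());

        // Step 7 (server): recover the symmetric key with the private key.
        rsa.init(Cipher.DECRYPT_MODE, server.getPrivate());
        SecretKey serverKey = new SecretKeySpec(rsa.doFinal(wrappedKey), "AES");

        // Both sides now hold the same key. The browser encrypts a request
        // (constructed sample text) and the server decrypts it.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, browserKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal("GET /home".getBytes(StandardCharsets.UTF_8));

        aes.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(128, iv));
        String request = new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8);

        System.out.println("Encrypted symmetric key: " + wrappedKey.length + " bytes");
        System.out.println("Server decrypted: " + request);
    }
}
```

Anyone who captures only the wrapped key and the ciphertext cannot recover the request without the server's private key.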

Once HTTPS is implemented, we can stop man-in-the-middle attacks to some extent.

Now we will see how to use SSL in our Spring Boot application, in the steps below.

Step-1

SSL certificate: there are two ways to get the SSL certificate: 1. buy it from a CA, or 2. generate it on the server (for development purposes we are generating one on my local system).

To generate the SSL certificate we use keytool (which comes by default with any JVM package). To check whether keytool is installed on your laptop, run the command below:

keytool -help

It should return the response below:

keytool -help
Key and Certificate Management Tool
Commands:
-certreq Generates a certificate request
-changealias Changes an entry's alias
-delete Deletes an entry
-exportcert Exports certificate
-genkeypair Generates a key pair
-genseckey Generates a secret key
-gencert Generates certificate from a certificate request
-importcert Imports a certificate or a certificate chain
-importpass Imports a password
-importkeystore Imports one or all entries from another keystore
-keypasswd Changes the key password of an entry
-list Lists entries in a keystore
-printcert Prints the content of a certificate
-printcertreq Prints the content of a certificate request
-printcrl Prints the content of a CRL file
-storepasswd Changes the store password of a keystore
Use "keytool -command_name -help" for usage of command_name

If you got the above response, congratulations, you are good to go to the next steps.

Run the command below to generate the SSL file:

keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650

It will prompt for a few pieces of information, like below:

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Once you have given all the information, it will generate a keystore.p12 file in your current directory.

Step-2

Spring Boot application: place keystore.p12 in your src/main/resources folder.

Put the configuration below in your application.properties file:

# HTTPS listener port
server.port=8443
# Keystore generated with keytool in Step-1
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=tomcat
# Must match the keystore password entered in Step-1
server.ssl.key-store-password=changeit

Find the project structure below:

// ShubhApplication.java
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

// Entry point: starts the application with the settings from application.properties
@SpringBootApplication
public class ShubhApplication {

    public static void main(String[] args) {
        SpringApplication.run(ShubhApplication.class, args);
    }
}

// MyControler.java
package com.example.demo.controler;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class MyControler {

    // GET /home returns the plain-text body "Hello World"
    @RequestMapping(value = "/home", method = RequestMethod.GET)
    @ResponseBody
    public String getHomePage() {
        return "Hello World";
    }

}

Step-3

Run the Application and go to the browser to check the result
