tomcat如何加密
1.tomcat安全配置之证书密码加密存储
http://www.2cto.com/Article/201308/239948.html
<!-- Before: the keystore password is stored in clear text in server.xml.
     Anyone who can read this file (backups, version control, other local
     accounts) can open ./conf/keystore and use the server's private key, so
     restrictive file permissions on conf/ matter as much as anything below. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="./conf/keystore" keystorePass="jackie.123"
clientAuth="false" sslProtocol="TLS" />
<!-- After: keystorePass holds the encoded form and demo.MyHttp11Protocol
     (below) decodes it before the endpoint starts. The class has to be on
     Tomcat's class path (e.g. $CATALINA_HOME/lib) or the connector will not
     load. The value looks like Base64, but its real strength is only whatever
     decipher() does and where its key lives; both are on this same host, so
     treat this as obfuscation plus file permissions, not as encryption an
     attacker with file access cannot reverse.
     NOTE(review): sslProtocol="TLS" does not by itself pin the TLS versions or
     ciphers that are enabled; check sslEnabledProtocols/ciphers for the Tomcat
     and JDK versions in use. -->
<Connector port="8443" protocol="demo.MyHttp11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="./conf/keystore" keystorePass="ADFADLJYNGHYVM=="
clientAuth="false" sslProtocol="TLS" />
package demo;
import org.apache.coyote.http11.Http11Protocol;
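/**
 * Http11Protocol subclass that decodes an obfuscated keystore password from
 * server.xml before the SSL endpoint is initialised.
 *
 * Wire it up with protocol="demo.MyHttp11Protocol" on the Connector; the class
 * must be on Tomcat's class path (e.g. $CATALINA_HOME/lib).
 *
 * Security note: whatever decipher() needs (a key, a fixed algorithm) has to be
 * available to this JVM, so this only hides the password from casual readers
 * of server.xml. It is not a substitute for restrictive file permissions on
 * server.xml and the keystore itself.
 */
public class MyHttp11Protocol extends Http11Protocol {

    /**
     * Replaces the encoded keystore password with its clear-text form, then
     * runs the normal initialisation.
     *
     * The Connector in this article sets keystorePass, so that is the value
     * rewritten here; the original version read getKeypass() (the separate
     * keyPass attribute), which is not set in that configuration and would
     * have handed null to decipher(). If you also set keyPass in server.xml,
     * apply the same treatment to it via getKeyPass()/setKeyPass().
     *
     * @throws Exception propagated from super.init()
     */
    @Override
    public void init() throws Exception {
        final String stored = getKeystorePass();
        // Leave an absent password alone so Tomcat's own default still applies
        // instead of deciphering null.
        if (stored != null && !stored.isEmpty()) {
            setKeystorePass(decipher(stored));
        }
        super.init();
    }

    /**
     * Turns the value stored in server.xml back into the real keystore
     * password. The decoding must mirror however the stored value was produced;
     * the article leaves that choice to the reader.
     *
     * @param password the encoded value of the keystorePass attribute
     * @return the clear-text keystore password
     * @throws IllegalStateException until a real implementation is supplied, so
     *         the connector fails loudly at startup rather than silently using
     *         the encoded string as the password
     */
    private String decipher(final String password) {
        // TODO: implement the decoding that matches how keystorePass was encoded.
        throw new IllegalStateException(
                "MyHttp11Protocol.decipher() is not implemented");
    }
}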
我打开 Tomcat 7.0.42 的源代码，发现 Http11Protocol 本身并没有定义 init()，难道 init 已经被废弃了？
不要着急，沿着继承树往上看父类 AbstractProtocol，就能找到它。可以看到 init() 的最后一步才调用 endpoint.init()，keystore 口令应该是在那之后才真正被读取，所以在 super.init() 之前把口令改写回明文即可生效（请对照你所用版本的 JSSESocketFactory 确认）：
/*
* NOTE: There is no maintenance of state or checking for valid transitions
* within this class. It is expected that the connector will maintain state
* and prevent invalid state transitions.
*/
// AbstractProtocol.init() as found in Tomcat 7.0.42, quoted here because
// Http11Protocol does not override it. The endpoint is initialised last, after
// the JMX registrations; presumably that is where keystoreFile/keystorePass are
// first read, which is why a subclass that rewrites the password before calling
// super.init() gets in ahead of the keystore being opened -- TODO confirm
// against JSSESocketFactory for your version.
@Override
public void init() throws Exception {
if (getLog().isInfoEnabled())
getLog().info(sm.getString("abstractProtocolHandler.init",
getName()));
// Register this protocol handler as an MBean unless the connector already did.
if (oname == null) {
// Component not pre-registered so register it
oname = createObjectName();
if (oname != null) {
Registry.getRegistry(null, null).registerComponent(this, oname,
null);
}
}
// Register the thread-pool and global-request-processor MBeans under the
// configured JMX domain. A thread-pool registration failure is only logged;
// a malformed GlobalRequestProcessor name propagates out of the method.
if (this.domain != null) {
try {
tpOname = new ObjectName(domain + ":" +
"type=ThreadPool,name=" + getName());
Registry.getRegistry(null, null).registerComponent(endpoint,
tpOname, null);
} catch (Exception e) {
getLog().error(sm.getString(
"abstractProtocolHandler.mbeanRegistrationFailed",
tpOname, getName()), e);
}
rgOname=new ObjectName(domain +
":type=GlobalRequestProcessor,name=" + getName());
Registry.getRegistry(null, null).registerComponent(
getHandler().getGlobal(), rgOname, null );
}
// The endpoint gets the handler name minus its first and last character
// (presumably surrounding quotes -- not visible from here).
String endpointName = getName();
endpoint.setName(endpointName.substring(1, endpointName.length()-1));
// Initialise the endpoint (sockets, SSL setup); log and rethrow on failure so
// a bad keystore/password still fails the connector start.
try {
endpoint.init();
} catch (Exception ex) {
getLog().error(sm.getString("abstractProtocolHandler.initError",
getName()), ex);
throw ex;
}
}
================
2.如何实现admin用户密码非明文保存
可以把 host-manager 这个应用 undeploy 掉，或者干脆从 webapps 目录删除（不用的管理入口就是多余的攻击面）；
我们专注在 manager 这个应用的安全设置上面就可以了。
web.xml的设置
<!-- Define the Login Configuration for this Application -->
<!-- DIGEST keeps the password itself off the wire, but it also changes what the
     realm must store: with digest="MD5" on the realm the stored value has to be
     MD5(username:realm-name:password), so the realm-name below is part of the
     hashed input (see the Realm How-To for your Tomcat version). A plain
     MD5(password) entry, as produced by "digest -a MD5 password", will not
     authenticate under DIGEST. -->
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
server.xml的设置
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<!-- NOTE(review): no failureCount/lockOutTime are given, so the Tomcat defaults
     apply (5 failures / 300 s in the Tomcat 7 docs -- confirm for your version).
     Lock-out is keyed on the user name, so it also lets an attacker lock real
     users out; keep the manager app off untrusted networks. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<!-- digest="MD5" stores an unsalted, single-round MD5 in tomcat-users.xml.
     That stops casual reading of the file, not offline cracking of a weak
     password; restrict permissions on conf/ as well. Because web.xml uses
     DIGEST auth, the stored value must be MD5(username:realm-name:password). -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" digest="MD5" />
</Realm>
cd %CATALINA_HOME%
bin\digest.bat -a MD5 <user-password>
user-password:9afdaff99sdfasdgfd3467a54b1   （示例值，并非真实输出；真实输出只包含 0-9a-f）
注意：上面这条命令算出的是 MD5(password)，只适用于 BASIC/FORM 认证。前面 web.xml 里配置的是 DIGEST 认证，此时参与摘要的明文必须是 "用户名:realm-name:密码"，即：
bin\digest.bat -a MD5 "<username>:Tomcat Manager Application:<user-password>"
否则 manager 登录会一直失败。
把得到的这一长串 16 进制字符串替换 tomcat-users.xml（注意文件名是 tomcat-users.xml）中对应用户原先的明文 password 属性，明文就变成密文了。
另外，无盐、单轮的 MD5 只能防止直接看到明文，挡不住离线穷举：还应限制 conf/ 目录的文件权限，并且不要把 manager 应用暴露到公网。
http://www.2cto.com/Article/201308/239948.html
<!-- Before: the keystore password is stored in clear text in server.xml.
     Anyone who can read this file (backups, version control, other local
     accounts) can open ./conf/keystore and use the server's private key, so
     restrictive file permissions on conf/ matter as much as anything below. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="./conf/keystore" keystorePass="jackie.123"
clientAuth="false" sslProtocol="TLS" />
<!-- After: keystorePass holds the encoded form and demo.MyHttp11Protocol
     (below) decodes it before the endpoint starts. The class has to be on
     Tomcat's class path (e.g. $CATALINA_HOME/lib) or the connector will not
     load. The value looks like Base64, but its real strength is only whatever
     decipher() does and where its key lives; both are on this same host, so
     treat this as obfuscation plus file permissions, not as encryption an
     attacker with file access cannot reverse.
     NOTE(review): sslProtocol="TLS" does not by itself pin the TLS versions or
     ciphers that are enabled; check sslEnabledProtocols/ciphers for the Tomcat
     and JDK versions in use. -->
<Connector port="8443" protocol="demo.MyHttp11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="./conf/keystore" keystorePass="ADFADLJYNGHYVM=="
clientAuth="false" sslProtocol="TLS" />
package demo;
import org.apache.coyote.http11.Http11Protocol;
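/**
 * Http11Protocol subclass that decodes an obfuscated keystore password from
 * server.xml before the SSL endpoint is initialised.
 *
 * Wire it up with protocol="demo.MyHttp11Protocol" on the Connector; the class
 * must be on Tomcat's class path (e.g. $CATALINA_HOME/lib).
 *
 * Security note: whatever decipher() needs (a key, a fixed algorithm) has to be
 * available to this JVM, so this only hides the password from casual readers
 * of server.xml. It is not a substitute for restrictive file permissions on
 * server.xml and the keystore itself.
 */
public class MyHttp11Protocol extends Http11Protocol {

    /**
     * Replaces the encoded keystore password with its clear-text form, then
     * runs the normal initialisation.
     *
     * The Connector in this article sets keystorePass, so that is the value
     * rewritten here; the original version read getKeypass() (the separate
     * keyPass attribute), which is not set in that configuration and would
     * have handed null to decipher(). If you also set keyPass in server.xml,
     * apply the same treatment to it via getKeyPass()/setKeyPass().
     *
     * @throws Exception propagated from super.init()
     */
    @Override
    public void init() throws Exception {
        final String stored = getKeystorePass();
        // Leave an absent password alone so Tomcat's own default still applies
        // instead of deciphering null.
        if (stored != null && !stored.isEmpty()) {
            setKeystorePass(decipher(stored));
        }
        super.init();
    }

    /**
     * Turns the value stored in server.xml back into the real keystore
     * password. The decoding must mirror however the stored value was produced;
     * the article leaves that choice to the reader.
     *
     * @param password the encoded value of the keystorePass attribute
     * @return the clear-text keystore password
     * @throws IllegalStateException until a real implementation is supplied, so
     *         the connector fails loudly at startup rather than silently using
     *         the encoded string as the password
     */
    private String decipher(final String password) {
        // TODO: implement the decoding that matches how keystorePass was encoded.
        throw new IllegalStateException(
                "MyHttp11Protocol.decipher() is not implemented");
    }
}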
我打开 Tomcat 7.0.42 的源代码，发现 Http11Protocol 本身并没有定义 init()，难道 init 已经被废弃了？
不要着急，沿着继承树往上看父类 AbstractProtocol，就能找到它。可以看到 init() 的最后一步才调用 endpoint.init()，keystore 口令应该是在那之后才真正被读取，所以在 super.init() 之前把口令改写回明文即可生效（请对照你所用版本的 JSSESocketFactory 确认）：
/*
* NOTE: There is no maintenance of state or checking for valid transitions
* within this class. It is expected that the connector will maintain state
* and prevent invalid state transitions.
*/
// AbstractProtocol.init() as found in Tomcat 7.0.42, quoted here because
// Http11Protocol does not override it. The endpoint is initialised last, after
// the JMX registrations; presumably that is where keystoreFile/keystorePass are
// first read, which is why a subclass that rewrites the password before calling
// super.init() gets in ahead of the keystore being opened -- TODO confirm
// against JSSESocketFactory for your version.
@Override
public void init() throws Exception {
if (getLog().isInfoEnabled())
getLog().info(sm.getString("abstractProtocolHandler.init",
getName()));
// Register this protocol handler as an MBean unless the connector already did.
if (oname == null) {
// Component not pre-registered so register it
oname = createObjectName();
if (oname != null) {
Registry.getRegistry(null, null).registerComponent(this, oname,
null);
}
}
// Register the thread-pool and global-request-processor MBeans under the
// configured JMX domain. A thread-pool registration failure is only logged;
// a malformed GlobalRequestProcessor name propagates out of the method.
if (this.domain != null) {
try {
tpOname = new ObjectName(domain + ":" +
"type=ThreadPool,name=" + getName());
Registry.getRegistry(null, null).registerComponent(endpoint,
tpOname, null);
} catch (Exception e) {
getLog().error(sm.getString(
"abstractProtocolHandler.mbeanRegistrationFailed",
tpOname, getName()), e);
}
rgOname=new ObjectName(domain +
":type=GlobalRequestProcessor,name=" + getName());
Registry.getRegistry(null, null).registerComponent(
getHandler().getGlobal(), rgOname, null );
}
// The endpoint gets the handler name minus its first and last character
// (presumably surrounding quotes -- not visible from here).
String endpointName = getName();
endpoint.setName(endpointName.substring(1, endpointName.length()-1));
// Initialise the endpoint (sockets, SSL setup); log and rethrow on failure so
// a bad keystore/password still fails the connector start.
try {
endpoint.init();
} catch (Exception ex) {
getLog().error(sm.getString("abstractProtocolHandler.initError",
getName()), ex);
throw ex;
}
}
================
2.如何实现admin用户密码非明文保存
可以把 host-manager 这个应用 undeploy 掉，或者干脆从 webapps 目录删除（不用的管理入口就是多余的攻击面）；
我们专注在 manager 这个应用的安全设置上面就可以了。
web.xml的设置
<!-- Define the Login Configuration for this Application -->
<!-- DIGEST keeps the password itself off the wire, but it also changes what the
     realm must store: with digest="MD5" on the realm the stored value has to be
     MD5(username:realm-name:password), so the realm-name below is part of the
     hashed input (see the Realm How-To for your Tomcat version). A plain
     MD5(password) entry, as produced by "digest -a MD5 password", will not
     authenticate under DIGEST. -->
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
server.xml的设置
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<!-- NOTE(review): no failureCount/lockOutTime are given, so the Tomcat defaults
     apply (5 failures / 300 s in the Tomcat 7 docs -- confirm for your version).
     Lock-out is keyed on the user name, so it also lets an attacker lock real
     users out; keep the manager app off untrusted networks. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<!-- digest="MD5" stores an unsalted, single-round MD5 in tomcat-users.xml.
     That stops casual reading of the file, not offline cracking of a weak
     password; restrict permissions on conf/ as well. Because web.xml uses
     DIGEST auth, the stored value must be MD5(username:realm-name:password). -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" digest="MD5" />
</Realm>
cd %CATALINA_HOME%
bin\digest.bat -a MD5 <user-password>
user-password:9afdaff99sdfasdgfd3467a54b1   （示例值，并非真实输出；真实输出只包含 0-9a-f）
注意：上面这条命令算出的是 MD5(password)，只适用于 BASIC/FORM 认证。前面 web.xml 里配置的是 DIGEST 认证，此时参与摘要的明文必须是 "用户名:realm-name:密码"，即：
bin\digest.bat -a MD5 "<username>:Tomcat Manager Application:<user-password>"
否则 manager 登录会一直失败。
把得到的这一长串 16 进制字符串替换 tomcat-users.xml（注意文件名是 tomcat-users.xml）中对应用户原先的明文 password 属性，明文就变成密文了。
另外，无盐、单轮的 MD5 只能防止直接看到明文，挡不住离线穷举：还应限制 conf/ 目录的文件权限，并且不要把 manager 应用暴露到公网。