description
This week, in the project we need to finish the HTTPS story: visiting our website over HTTPS. Right now we develop our code on localhost using HTTP, so the question is: how do we force URLs to use HTTPS in Spring?
Questions?
Q1: What are the differences between HTTPS and HTTP?
- HTTP is unsecured, while HTTPS is secured.
- HTTP sends data over port 80, while HTTPS uses port 443.
- HTTP operates at the application layer, while HTTPS operates at the transport layer.
- No SSL certificate is required for HTTP; with HTTPS you must have an SSL certificate, and it must be signed by a CA.
- HTTP doesn't require domain validation, whereas HTTPS requires at least domain validation, and certain certificates even require legal document validation.
- No encryption in HTTP; with HTTPS the data is encrypted before sending.
Q2: How does HTTPS work?
1. The client initiates an HTTPS request: the user enters an https URL in the browser, and the browser connects to port 443 on the server.
2. Server configuration. A server that uses HTTPS must have a set of digital certificates, which it can make itself or apply for from an organization. The difference is that a self-issued certificate must be accepted by the client before access can continue (the browser shows a warning page), while a certificate applied for from a trusted company does not pop up a prompt page (StartSSL is a good choice, 1 year free service). The certificate is actually a pair of public and private keys. If you don't understand public and private keys, imagine a lock and a key: the lock is sent out to others, but only you have the key, so only you can see what the lock has locked.
3. Send the certificate. The certificate is actually the public key, but it also contains a lot of information, such as the issuing agency of the certificate, the expiration time, and so on.
4. The client parses the certificate. This part of the work is done by the client's TLS implementation. It first verifies whether the public key is valid, checking the issuing agency, the expiration time, etc.; if anything abnormal is found, it pops up a warning box saying that there is a problem with the certificate. If the certificate has no problem, the client generates a random value and encrypts that random value with the certificate (the public key).
5. Send the encrypted information. What is transmitted here is the random value encrypted with the certificate. The purpose is to let the server obtain this random value; afterwards the communication between client and server can be encrypted and decrypted with this random value.
6. The server decrypts the information. The server decrypts with its private key and obtains the random value sent by the client (from here on this value is the shared symmetric key; the original notes call it the "private key"), and then encrypts the content with this value. So-called symmetric encryption mixes the information and the key together through some algorithm, so the content cannot be obtained without knowing the key. Only the client and the server know this key, so as long as the encryption algorithm is strong and the key is complex, the data is safe enough.
7. Transmit the encrypted information. This is the server's information encrypted with the symmetric key; the client can restore it.
8. The client decrypts the information. The client uses the previously generated key to decrypt the information sent by the server and obtains the decrypted content. Even if a third party monitors the data during the whole process, it can do nothing with it.
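The eight steps above, as an added illustration in plain Java (this is not code from the project or from the original notes; it uses only the JDK's java.security and javax.crypto classes). The server's RSA key pair stands in for its certificate, the client's random AES key is the "random value", and AES-GCM plays the role of the symmetric cipher. The class name HandshakeDemo and the message text are made up. Note that real TLS 1.3 no longer encrypts the session key with the server's RSA key as in steps 4-6; it uses an ephemeral Diffie-Hellman exchange so that a later leak of the server's private key cannot decrypt recorded traffic. The flow below is the older RSA key-transport picture that the notes describe.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class HandshakeDemo {

    // Step 2: the server's key pair stands in for its certificate. A real certificate also
    // carries the issuer, validity period and hostname that the client checks in step 4.
    static KeyPair serverKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Step 4: the client generates the random value that becomes the symmetric session key.
    static SecretKey clientRandomSessionKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    // Step 5: the client encrypts the random value with the server's public key (RSA-OAEP).
    static byte[] wrapSessionKey(SecretKey sessionKey, PublicKey serverPub) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, serverPub);
        return rsa.doFinal(sessionKey.getEncoded());
    }

    // Step 6: the server decrypts with its private key and recovers the same session key.
    static SecretKey unwrapSessionKey(byte[] wrapped, PrivateKey serverPriv) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, serverPriv);
        return new SecretKeySpec(rsa.doFinal(wrapped), "AES");
    }

    // Steps 7-8: application data under the shared key. AES-GCM also authenticates the
    // ciphertext, so a message altered on the wire fails to decrypt instead of producing garbage.
    // Output layout: 12-byte random IV followed by ciphertext + 16-byte tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] message) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(128, message, 0, 12);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, key, spec);
        return aes.doFinal(message, 12, message.length - 12);
    }

    public static void main(String[] args) throws Exception {
        KeyPair server = serverKeyPair();
        SecretKey clientKey = clientRandomSessionKey();
        byte[] wrapped = wrapSessionKey(clientKey, server.getPublic());
        SecretKey serverKey = unwrapSessionKey(wrapped, server.getPrivate());

        // Server -> client, encrypted under the key the server just recovered (constructed message).
        byte[] fromServer = encrypt(serverKey, "hello over HTTPS".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(clientKey, fromServer), StandardCharsets.UTF_8));

        // An on-path third party who flips one ciphertext bit is detected by the GCM tag check.
        fromServer[fromServer.length - 1] ^= 0x01;
        try {
            decrypt(clientKey, fromServer);
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HandshakeDemo.java && java HandshakeDemo`. The part the notes gloss over is step 4: if the client skips verifying the certificate (issuer, validity, hostname), an attacker who can intercept the connection simply presents their own public key and the rest of the exchange protects nothing. That is exactly why the browser warning in Q4 matters.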
Q3: How do we use HTTPS in our project?
- In Spring: Spring Security has a simple configuration that allows us to redirect all HTTP-based URLs to HTTPS. All we have to do is set requires-channel="https" on the <security:intercept-url/> tag.
<security:http auto-config="true">
<security:form-login .../>
<security:logout .../>
<security:intercept-url pattern="/reports" access="ROLE_ADMIN" requires-channel="https"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<security:intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
</security:http>
- In the server: in our project, we use Jetty as our server.
- Gretty provides a very simple way to auto-configure the HTTPS protocol. All you have to do is set httpsEnabled=true and launch the Gretty start task. Upon successful start, HTTPS is immediately available without any additional configuration.
gretty {
httpsEnabled = true
// optionally you can specify port. 8443 is the default.
// httpsPort = 443
}
- HTTPS manual configuration
Gretty provides a way to specify a key store and trust store, so that a pre-existing key and certificate are used.
gretty {
sslKeyStorePath = '/some/path/keystore'
sslKeyStorePassword = 'someKeystorePassword'
sslKeyManagerPassword = 'someKeyManagerPassword'
sslTrustStorePath = '/another/path/trust_keystore'
sslTrustStorePassword = 'someTrustStorePassword'
}
- Disabling HTTP
You might want to run your web app with HTTPS only, without HTTP. It's easy to do:
gretty {
httpEnabled = false
httpsEnabled = true
}
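The same Spring Security rules as the XML above, written with Spring Security's Java configuration instead. This is an added example, not the project's own configuration; it assumes Spring Security 4.x/5.x-era Java config (WebSecurityConfigurerAdapter, removed in 6.x), and that the app listens on HTTP 8080 and on Gretty's default HTTPS port 8443. The class name HttpsSecurityConfig and the port numbers are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class HttpsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Without a port mapping, a request to http://host:8080/ is redirected to
            // https://host:8080/, which is not listening for TLS. Map dev ports explicitly
            // (assumed ports: HTTP 8080 -> HTTPS 8443, Gretty's default httpsPort).
            .portMapper().http(8080).mapsTo(8443).and()

            // Java-config equivalent of requires-channel="https" on every intercept-url:
            // any request that arrives over plain HTTP gets a redirect to the HTTPS URL.
            .requiresChannel().anyRequest().requiresSecure().and()

            // Same access rules as the XML: /reports needs ROLE_ADMIN, /login is open
            // (IS_AUTHENTICATED_ANONYMOUSLY), everything else needs ROLE_USER.
            .authorizeRequests()
                .antMatchers("/reports").hasRole("ADMIN")
                .antMatchers("/login").permitAll()
                .anyRequest().hasRole("USER")
                .and()
            .formLogin().and()
            .logout().and()

            // HSTS tells browsers to use HTTPS for this host from then on, so the very first
            // plain-HTTP request is the only one an attacker could ever intercept. Spring Security
            // sends this header by default on HTTPS responses; the call makes the intent explicit.
            .headers().httpStrictTransportSecurity();
    }
}
```

Two caveats worth checking in the running app: the redirect only protects URLs that Spring Security filters, so static resources served outside the filter chain still answer over HTTP unless Gretty's httpEnabled=false is set; and if the app sits behind a TLS-terminating proxy, requiresSecure() must learn the original scheme from an X-Forwarded-Proto header or it will redirect forever.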
Q4: What problems have we met? How did we solve them?
We have finished the code, but now there is a problem: the browser shows that our website is not safe. It's a new question. From the HTTPS process, we guess the reason is that we don't have a valid certificate. So finally we sent an email to tech-ops asking him to give us a certificate, and we solved the problem.
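A small diagnostic for the "not safe" warning, added here as an example (not part of the original notes or the project). It opens the key store that Gretty's sslKeyStorePath / sslKeyStorePassword point at and prints, for each certificate, the same things a browser checks in step 4 of Q2: who issued it, whether it is self-signed (issuer equals subject), whether it is inside its validity period, and which hostnames it is valid for. The class name KeyStoreCheck is an assumption; the key store type defaults to JKS, which is what the Gretty settings above imply.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class KeyStoreCheck {

    // Describe one certificate the way a browser judges it.
    static String describe(X509Certificate cert) throws CertificateParsingException {
        StringBuilder sb = new StringBuilder();
        sb.append("subject: ").append(cert.getSubjectX500Principal()).append('\n');
        sb.append("issuer:  ").append(cert.getIssuerX500Principal()).append('\n');
        sb.append("valid:   ").append(cert.getNotBefore()).append(" .. ").append(cert.getNotAfter()).append('\n');

        // Issuer == subject means nobody vouches for this key; browsers warn unless the
        // issuer itself has been imported into their trust store.
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        sb.append("self-signed: ").append(selfSigned).append('\n');

        // Expired or not-yet-valid certificates trigger the same warning as self-signed ones.
        try {
            cert.checkValidity();
            sb.append("validity: ok\n");
        } catch (CertificateExpiredException e) {
            sb.append("validity: EXPIRED\n");
        } catch (CertificateNotYetValidException e) {
            sb.append("validity: NOT YET VALID\n");
        }

        // The browser also requires the URL's hostname to appear in the Subject Alternative
        // Names; a certificate for "localhost" will warn on any other hostname.
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null || sans.isEmpty()) {
            sb.append("SAN: none (modern browsers ignore the CN and will warn)\n");
        } else {
            for (List<?> san : sans) {
                sb.append("SAN: ").append(san.get(1)).append('\n');
            }
        }
        return sb.toString();
    }

    // Usage: java KeyStoreCheck /some/path/keystore someKeystorePassword [JKS|PKCS12]
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreCheck <keystore-path> <keystore-password> [type]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("== alias: " + alias + " (has private key: " + ks.isKeyEntry(alias) + ")");
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.print(describe((X509Certificate) c));
            } else {
                System.out.println("not an X.509 certificate");
            }
        }
    }
}
```

Run it against the key store Jetty is actually loading. If the output shows a self-signed entry, a past notAfter date, or a SAN list that does not contain the hostname in the browser's address bar, that entry is the reason for the warning, and the fix is what the team did here: obtain a certificate from a CA (the company's tech-ops in this case) and point sslKeyStorePath at the key store that contains it together with its private key.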
reflection
The first time I did this story card, I felt it was very hard, because I didn't know where to begin. We spent much time searching for how to make HTTP become HTTPS in Spring. But it didn't work; we forgot to set up the server...
actions:
When we are blocked, we should first analyze the whole process, try to think about which part has the problem, and then try to solve it; aimless searching will only waste time.