HTTPS in a Production-Grade Web Server
HttpsPublisher is simple enough in structure to illustrate the basics of wire-level security. Among the
several reasons for going with a production-grade web server such as Tomcat or Jetty is that these
servers provide such good support for HTTPS, at the application and at the administrative level.
Although these web servers provide first-rate HTTPS support,
they do require setup comparable to that illustrated with the
HttpsPublisher. This section focuses on Tomcat.
Tomcat does not ship with a keystore of digital certificates and, accordingly, does not enable HTTPS by default. The
service must be turned on by editing the configuration file TOMCAT_HOME/conf/server.xml, with details
provided shortly. The same keystore file used in the
HttpsPublisher example, test.keystore, could be
re-used for Tomcat. A modern browser connecting over HTTPS to Tomcat should complain that the
digital certificate in test.keystore is self-signed and, therefore, worthless as a security credential.
In production, a keystore with commercial-grade keystore digital certificates would be needed. Yet the point of immediate interest is
that Tomcat does require the programmer to jump through a few hoops in order to switch from an HTTP-accessible
to an HTTPS-accessible service. There are only three such hoops:
- HTTPS connections must be enabled in Tomcat by editing the server.xml file. Details follow shortly.
- A keystore must be made available so that Tomcat can perform ...