HTTPS in a Production-Grade Web Server

The HttpsPublisher is simple enough in structure to illustrate the basics of wire-level security. Among the several reasons for going with a production-grade web server such as Tomcat or Jetty is that these servers provide such good support for HTTPS, at the application and at the administrative level. Although these web servers provide first-rate HTTPS support, they do require setup comparable to that illustrated with the HttpsPublisher. This section focuses on Tomcat.

Tomcat does not ship with a keystore of digital certificates and, accordingly, does not enable HTTPS by default. The service must be turned on by editing the configuration file TOMCAT_HOME/conf/server.xml, with details provided shortly. The same keystore file used in the HttpsPublisher example, test.keystore, could be re-used for Tomcat. A modern browser connecting over HTTPS to Tomcat should complain that the digital certificate in test.keystore is self-signed and, therefore, worthless as a security credential. In production, a keystore with commercial-grade keystore digital certificates would be needed. Yet the point of immediate interest is that Tomcat does require the programmer to jump through a few hoops in order to switch from an HTTP-accessible to an HTTPS-accessible service. There are only three such hoops:

  • HTTPS connections must be enabled in Tomcat by editing the server.xml file. Details follow shortly.
  • A keystore must be made available so that Tomcat can perform ...

Get Java Web Services: Up and Running, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.