Spring Boot HTTPS Configuration and Back-End Calls
Published: 2019-06-21


Enabling HTTPS

    server.port=8443
    server.ssl.key-store=classpath:keystore.jks
    server.ssl.key-store-password=secret
    server.ssl.key-password=another-secret

The management server can use a different port, without HTTPS:

    server.port=8443
    server.ssl.enabled=true
    server.ssl.key-store=classpath:store.jks
    server.ssl.key-password=secret
    management.server.port=8080
    management.server.ssl.enabled=false

The management server can also use a different key store:

    server.port=8443
    server.ssl.enabled=true
    server.ssl.key-store=classpath:main.jks
    server.ssl.key-password=secret
    management.server.port=8080
    management.server.ssl.enabled=true
    management.server.ssl.key-store=classpath:management.jks
    management.server.ssl.key-password=secret

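Enabling HTTP and HTTPS at the same time is not supported through application.properties. To enable both, the recommended approach is to configure HTTPS in the configuration file and add HTTP support in code: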

    import org.apache.catalina.connector.Connector;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
    import org.springframework.context.annotation.Bean;

    /**
     * Sample Application to show Tomcat running two connectors.
     *
     * @author Brock Mills
     * @author Andy Wilkinson
     */
    @SpringBootApplication
    public class SampleTomcatTwoConnectorsApplication {

        @Bean
        public ServletWebServerFactory servletContainer() {
            TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
            // The HTTPS connector comes from application.properties; this adds a plain HTTP one.
            tomcat.addAdditionalTomcatConnectors(createStandardConnector());
            return tomcat;
        }

        private Connector createStandardConnector() {
            Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
            // Port 0 lets the operating system pick a free port; set a fixed port if clients need one.
            connector.setPort(0);
            return connector;
        }

        public static void main(String[] args) {
            SpringApplication.run(SampleTomcatTwoConnectorsApplication.class, args);
        }
    }

Generate the certificate with keytool:

    keytool -genkeypair -alias itrunner -keyalg RSA -dname "cn=www.itrunner.org, ou=itrunner, o=itrunner, c=CN" -validity 365 -keystore keystore.jks -storepass secret -storetype pkcs12

Calling an HTTPS REST Service

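Calling an HTTPS REST service requires a trusted certificate to be configured. The certificate can be imported with keytool, which produces a trust-store file: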

    keytool -import -alias "my server cert" -file server.crt -keystore my.truststore

Java's default trusted certificates are stored in ${JAVA_HOME}/jre/lib/security/cacerts, with the initial password "changeit". They can be listed with keytool:

    keytool -list -keystore cacerts -v

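A custom trust strategy (TrustStrategy) can also be defined, bypassing the standard trust verification process. The examples below call an HTTPS REST service with Spring RestTemplate and with JAX-RS, ignoring both certificate validation and hostname verification.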

RestTemplate

    import org.apache.http.client.HttpClient;
    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.client.HttpClientBuilder;
    import org.apache.http.ssl.SSLContextBuilder;
    import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
    import org.springframework.web.client.RestTemplate;

    import javax.net.ssl.SSLContext;
    import java.security.cert.X509Certificate;

    public class HttpsRest {
        public static void main(String[] args) throws Exception {
            // Placeholders: substitute the real endpoint, request body and response type.
            String url = "https://localhost:8443/";
            Object request = null;
            Class<String> responseType = String.class;

            // The trust strategy returns true for every chain, so any server certificate is accepted.
            SSLContext sslContext = SSLContextBuilder.create()
                    .loadTrustMaterial(null, (X509Certificate[] x509Certificates, String s) -> true)
                    .build();
            // Protocol list as in the original post; SSLv3 and TLSv1 are obsolete and disabled by default in current JDKs.
            // NoopHostnameVerifier skips the check that the certificate matches the host name.
            SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                    sslContext, new String[]{"SSLv3", "TLSv1", "TLSv1.2"}, null, NoopHostnameVerifier.INSTANCE);
            HttpClient httpClient = HttpClientBuilder.create().setSSLSocketFactory(sslSocketFactory).build();

            HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
            requestFactory.setHttpClient(httpClient);

            RestTemplate restTemplate = new RestTemplate(requestFactory);
            restTemplate.postForObject(url, request, responseType);
        }
    }

JAX-RS

When running on a JBoss server, configure the following dependency:

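    <dependency>
        <groupId>org.jboss.spec.javax.ws.rs</groupId>
        <artifactId>jboss-jaxrs-api_2.1_spec</artifactId>
        <version>1.0.2.Final</version>
        <scope>provided</scope>
    </dependency>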

Sample code:

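    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.ssl.SSLContextBuilder;

    import javax.net.ssl.SSLContext;
    import javax.ws.rs.client.Client;
    import javax.ws.rs.client.ClientBuilder;
    import javax.ws.rs.client.Entity;
    import javax.ws.rs.core.MediaType;
    import java.security.cert.X509Certificate;

    public class HttpsRest {
        public static void main(String[] args) throws Exception {
            // Placeholders: substitute the real endpoint and response type.
            // User is the application's own request class (not shown in the original post).
            String url = "https://localhost:8443/";
            Class<String> responseType = String.class;

            // The trust strategy returns true for every chain, so any server certificate is accepted.
            SSLContext sslContext = SSLContextBuilder.create()
                    .loadTrustMaterial(null, (X509Certificate[] x509Certificates, String s) -> true)
                    .build();
            // NoopHostnameVerifier skips the check that the certificate matches the host name.
            Client client = ClientBuilder.newBuilder()
                    .hostnameVerifier(NoopHostnameVerifier.INSTANCE)
                    .sslContext(sslContext)
                    .build();

            Entity<User> requestEntity = Entity.entity(new User(), MediaType.APPLICATION_JSON_TYPE);
            client.target(url).request().post(requestEntity, responseType);
            client.close();
        }
    }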
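
The counterpart to the two trust-all clients above, as an added example that is not part of the original post: the SSLContext is built from the trust store produced by the keytool -import command (my.truststore), hostname verification stays on, and only TLSv1.2 is enabled. The class name TrustStoreRest, the TRUSTSTORE_PASSWORD environment variable and the command-line arguments are assumptions of this example.

```java
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

import javax.net.ssl.SSLContext;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import java.io.File;

public class TrustStoreRest {

    // Trust only the certificates imported into the trust store; no chain is accepted blindly.
    static SSLContext trustStoreContext(File trustStore, char[] password) throws Exception {
        return SSLContextBuilder.create()
                .loadTrustMaterial(trustStore, password)
                .build();
    }

    // RestTemplate over Apache HttpClient with certificate and hostname checks both active.
    static RestTemplate restTemplate(SSLContext sslContext) {
        SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                sslContext,
                new String[]{"TLSv1.2"},         // no SSLv3 or TLSv1
                null,                            // keep the JDK's default cipher suites
                new DefaultHostnameVerifier());  // certificate must match the host name
        HttpClient httpClient = HttpClientBuilder.create().setSSLSocketFactory(sslSocketFactory).build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
    }

    // JAX-RS client: no hostnameVerifier(...) override, so the implementation's default check stays in place.
    static Client jaxRsClient(SSLContext sslContext) {
        return ClientBuilder.newBuilder().sslContext(sslContext).build();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = path to my.truststore, args[1] = URL to call,
        // trust store password in the TRUSTSTORE_PASSWORD environment variable.
        char[] password = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();
        SSLContext sslContext = trustStoreContext(new File(args[0]), password);
        String body = restTemplate(sslContext).getForObject(args[1], String.class);
        System.out.println(body);
    }
}
```

With this setup a server presenting a certificate that is not in the trust store, or one issued for a different host name, fails the TLS handshake with an SSLHandshakeException or SSLPeerUnverifiedException instead of being silently accepted.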


Reposted from: https://blog.51cto.com/7308310/2333550
