What is the difference between javax.net.ssl.keyStore and server.ssl.key-store properties when specifying keystore for a SpringBoot app

Question

  1. Can I specify the keystore using either of these properties - the Java-specific javax.net.ssl.keyStore or the Spring Boot-specific server.ssl.key-store? Are there any differences? I would like to use the keystore for serving my app using https as well as for mutual client authentication with some REST services.

  2. Can the Spring Boot application be served using https if the keystore is not specified as a property or JVM argument, but is instead read at startup using custom code? Or does the keystore specification have to come before that if the app has to be served using https?

Answer 1

Score: 3


Those two properties have complementary roles:

  • javax.net.ssl.keyStore is a system property used by the Java security providers to configure the default SSLContext. Most SSL clients use the default SSLContext.

    You don't need to pass this property as a -D argument to the JVM; you can set it programmatically at a very early stage of your application startup, but I would advise against it: since your application may not be the only application in the JVM (e.g. you run it as a WAR archive), you will influence the behavior of other applications. Use a non-default SSLContext instead.

  • server.ssl.keyStore is a Spring property to configure the server socket of the embedded servlet container. It can come from many different sources.

    While in theory a servlet container can use the default SSLContext and retrieve its certificate from the default KeyManager (which loads its keys from the keystore specified through javax.net.ssl.keyStore), I don't know any servlet container that would actually do it.

    Usually the certificate used as SSL client is not the same as the one used as SSL server.
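One way to follow the answer's advice, as an added example rather than the answerer's code: the client side of mutual TLS to a REST service is built on its own non-default SSLContext from a separate PKCS12 keystore and truststore, so the JVM-wide javax.net.ssl.keyStore property stays untouched, while the embedded server's certificate is configured independently through server.ssl.key-store in application.properties. The file names, environment variable names and the service URL are assumptions.

```java
// Added example, not the original answer's code: build a non-default SSLContext for
// mutual TLS to a REST service, so the client keystore never touches the JVM-wide
// javax.net.ssl.keyStore property. The embedded server keeps its own certificate via
// server.ssl.key-store in application.properties. File names, env vars and the URL
// are placeholders.
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {
    static KeyStore loadPkcs12(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext clientContext(Path keyStore, char[] keyPass,
                                    Path trustStore, char[] trustPass) throws Exception {
        // Client certificate + private key: proves this app's identity to the service.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadPkcs12(keyStore, keyPass), keyPass);
        // CA certificates the client trusts for the service: kept apart from the identity store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadPkcs12(trustStore, trustPass));
        // A fresh context: SSLContext.getDefault() and other apps in the JVM stay untouched.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = clientContext(
                Path.of("client.p12"), System.getenv("CLIENT_KEYSTORE_PASSWORD").toCharArray(),
                Path.of("truststore.p12"), System.getenv("TRUSTSTORE_PASSWORD").toCharArray());
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://api.example.internal/health")).build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode());
    }
}
```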

huangapple
  • Posted on 7 April 2020, 12:04:53
  • Source: https://go.coder-hub.com/61072648.html