swirl
Home Software Blog Wallpapers Webtools
Spring boot with mutual TLS authentication
Thursday 25, May 2023   |   Post link

Overview

Most applications, even internal applications are being developed with increased focus on security. One of the basic steps is to host all web applications over secure channel. This post discusses how to enable SSL and client authentication in a Spring boot application.

The basic application structure

Before anything, the sample code is available here on Github. The application is a Spring Boot application exposing one endpoint /health. We would like to run this over SSL. We also want only registered clients to be able to connect to the server.

The security infrastructure

We need to generate a server SSL certificate to host the server on secure channel. We also need to generate a certificate for the client who wants to connect to the server. Once the client's certificate is generated, it must be added to the server's trust store so that the server accepts connections from any client who presents this certificate at connection time. The security settings to enable SSL are controlled entirely by settings present in the application.properties file: 

server.ssl.enabled=true
server.ssl.client-auth=need
server.ssl.key-store=sec/server.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=changeit
server.ssl.key-alias=server
server.ssl.trust-store=sec/server.p12
server.ssl.trust-store-password=changeit
server.ssl.trust-store-type=PKCS12
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2

Building the code

You need to have JDK 8 or above. You need to have Maven 3. Both should be present on the machine's PATH. After downloading the source code, run the following command to build the code: 

mvnw package

Running the server

Before the server can run successfully, we need to generate the servers certificate and a client certificate. The easiest way to do this is by running the gencerts.bat file. Create a folder named "sec" under the "target" folder which contains the built jar file. Copy the gencerts.bat file in the "sec" folder. Open a command prompt and navigate into the "sec" folder and execute the gencerts.bat file. It should generate the following files: 

client.crt
client.p12
server.crt
server.p12
server.pem

Next, navigate back to the "target" folder containing the jar and run it: 

java -jar server-0.0.1-SNAPSHOT.jar

Connecting to the server

We will use curl utility to connect to the server and invoke its endpoint. Since the server is protected using mutual authentication, we need to specify the client certificate else the server will reject the connection. The client (curl in this case) also need to trust the server's certificate explicitly since it's a self signed certificate. Navigate into the "sec" folder and run the following command to invoke the server endpoint: 

 
curl https://localhost:8080/health/ --cert client.p12:changeit --cacert server.pem
We should see the server's response like this: 
Uptime: : 1 minutes

References




Comments

Posts By Year

2024 (4)
2023 (5)
2022 (10)
2021 (5)
2020 (12)
2019 (6)
2018 (8)
2017 (11)
2016 (6)
2015 (17)
2014 (2)
2013 (4)
2012 (2)

Posts By Category

.NET (4)
.NET Core (2)
ASP.NET MVC (4)
AWS (5)
AWS API Gateway (1)
Android (1)
Apache Camel (1)
Architecture (1)
Audio (1)
Azure (2)
Book review (3)
Business (1)
C# (3)
C++ (2)
CloudHSM (1)
Containers (4)
Corporate culture (1)
Database (3)
Database migration (1)
Desktop (1)
Docker (1)
DotNet (3)
DotNet Core (2)
ElasticSearch (1)
Entity Framework (3)
Git (3)
IIS (1)
JDBC (1)
Java (10)
Kibana (1)
Kubernetes (1)
Lambda (1)
Learning (1)
Life (7)
Linux (2)
Lucene (1)
Multi-threading (1)
Music (1)
OData (1)
Office (1)
PHP (1)
Photography (1)
PowerShell (2)
Programming (28)
Python (1)
Rants (5)
SQL (2)
SQL Server (1)
Security (3)
Software (1)
Software Engineering (1)
Software development (2)
Solr (1)
Sql Server (2)
Storage (1)
T-SQL (1)
TDD (1)
TSQL (5)
Tablet (1)
Technology (1)
Test Driven (1)
Testing (1)
Tomcat (1)
Unit Testing (1)
Unit Tests (1)
Utilities (3)
VC++ (1)
VMWare (1)
VSCode (1)
Visual Studio (2)
Wallpapers (1)
Web API (2)
Win32 (1)
Windows (9)
XML (2)

Posts By Tags

.NET(6) API Gateway(1) ASP.NET(4) AWS(3) Adults(1) Advertising(1) Android(1) Anti-forgery(1) Asynch(1) Authentication(2) Azure(2) Backup(1) Beliefs(1) BlockingQueue(1) Book review(2) Books(1) Busy(1) C#(4) C++(3) CLR(1) CORS(1) CSRF(1) CTE(1) Callbacks(1) Camel(1) Certificates(1) Checkbox(1) Client authentication(1) CloudHSM(1) Cmdlet(1) Company culture(1) Complexity(1) Consumer(1) Consumerism(1) Containers(3) Core(2) Custom(2) DPI(1) Data-time(1) Database(4) Debugging(1) Delegates(1) Developer(2) Dockers(2) DotNetCore(3) EF 1.0(1) Earphones(1) Elastic Search(2) ElasticSearch(1) Encrypted(1) Entity framework(1) Events(1) File copy(1) File history(1) Font(1) Git(2) HierarchyID(1) Hyper-V(1) IIS(1) Installing(1) Intelli J(1) JDBC(1) JSON(1) JUnit(1) JWT(1) Java(3) JavaScript(1) Kubernetes(1) Life(1) LinkedIn(1) Linux(2) Localization(1) Log4J(1) Log4J2(1) Logging(1) Lucene(1) MVC(4) Management(2) Migration history(1) Mirror(1) Mobile Apps(1) Modern Life(1) Money(1) Music(1) NGINX(1) NTFS(1) NUnit(2) OData(1) OPENXML(1) Objects(1) Office(1) OpenCover(1) Organization(1) PHP(1) Paths(1) PowerShell(2) Processes(1) Producer(1) Programming(2) Python(2) QAAC(1) Quality(1) REDIS(2) REST(1) Runtimes(1) S3-Select(1) SD card(1) SLF4J(1) SQL(2) SQL Code-first Migration(1) SSH(2) SSL(1) Sattelite assemblies(1) School(1) Secrets Manager(1) Self reliance(1) Service(1) Shell(1) Solr(1) Sony VAIO(1) Spirituality(1) Spring(1) Sql Express(1) System Image(1) TDD(1) TSQL(3) Table variables(1) Tables(1) Tablet(1) Ubuntu(1) Url rewrite(1) VMWare(1) VSCode(1) Validation(2) VeraCode(1) Wallpaper(1) Wallpapers(1) Web Development(4) Windows(2) Windows 10(2) Windows 2016(2) Windows 8.1(1) Work culture(1) XML(1) Yii(1) iTunes(1) open file handles(1) renew(1) security(1) static ip address(1) ulimit(1)