Spring Boot application secured by self-signed HTTPS

In this article we secure our Spring Boot application with HTTPS. First of all we become familiar with TLS/SSL  briefly. Then we see how we can generate a self-signed certificate and secure a simple Spring Boot application. We call this project Spring Boot HTTPS Seed and you can grab the code from my Github.

Remark!

Self-signed certificates are just for development and testing purposes. For your application, you need to have valid, legitimate certificate. You can read my other post about Let’s Encrypt to see how you can easily have one for free.

HTTPS Overview

In nutshell, HTTPS aims at securing and encrypting the data connection over HTTP protocol using Transport Layer Security (TLS) or Secure Socket Layer (SSL). This protocol ensure data integrity and data confidentiality.

Data integrity prevents third parties from tampering the data packets over the secured channel. In other words, no one can manipulate the data on the way to each of the endpoints. By confidentiality, it ensures the identity of the both endpoints: source and destination.

Screen Shot 2016-01-24 at 18.51.17

Secure channel is typically a bi-directional encrypted communication with symmetric encryption algorithm (e.g. AES). HTTPS basically has 2 main processes: Handshake and secure communication.

In the process of handshake (happens just before creation of a session), both parties negotiate on encryption algorithm and the most importantly a session key (also called Master Key). The session key is a secret key used in encryption of the secure channel in the course of this session.

Web server owns a pair of keys: Public and Private keys. Public key is used to encrypt a data and Private key is used to decrypt it. In addition, Private key is used to sign a piece of data and Public key is used to verify the signature.

Screen Shot 2016-01-24 at 19.33.14

Web servers ask trusted certificated authorities (CA) for issuing a certificate based on their public keys. Then CA’s (or a chain of CA’s) issue a certificate signed by their keys. Web servers use this certificate during the handshake process before initiation of the main secure session. Since we use trusted CA’s which are known to users (e.g. within browsers), they can verify the identity and correctness of the web servers by checking the certificate and signature of the issuer.

HTTPS Setup

Self-signed Certificate

For development purposes developers tend to use self-signed certificates as it’s produceable in local computer without any CA’s involved (usually CA’s do not function for free). These types of certificates are inappropriate for production setup and can be simply replaced by a valid certificate issued by a trusted CA. In other words, when you deploy your HTTPS using these certificates, browsers won’t be happy and show you an scary page like this:

not-trusted-cert

We can use several tools like OpenSSL, Keytool, etc. to generate a self-signed certificate. This is how we generate a key store (key bag) with keytool:

As you can see, we store the keys using PKCS #12 which is like a collection of keys such as private keys and public key certifications. We can look inside our generated keystore (keystore.p12) with OpenSSL.

 

Spring Boot application

We can use the hello world example of Spring documentation for this purpose or any other Spring Boot application. You can find our example here.

How to setup HTTPS in Spring Boot Application

You should copy your generated keysoter.p12 to the root of the application or to your desired folder in your operating system. Then you open the “application.properties” file in your Spring boot (located in ‘resources’ folder).

Surprisingly if you restart your Spring Boot application, you can access “https://127.0.0.1:8443/hello”. As simple as that!

To sum up what we have done so far, we’ve become briefly familiar with TLS and HTTPS protocols. Then we generated a self-signed certificate for development purposes. Afterwards, we modified the hello world example of Spring Boot and created a HTTPS secured application which can be a seed project for your projects.

Our story is not yet over. Configuring a tomcat server to support HTTPS and having an encrypted channel does not necessarily bring security and safety to your application. There are set of tools (a summary of them) to assess your TLS configuration. In upcomming articles we will take a look at fine tuning our configuration in Spring Boot and tomcat to get A+ HTTPS degree by assessment tools in general, SSLabs in specific.

In addition we may take a look at the new public CA called Let’s Encrypt which aims at serving its services for free, automated and open for everyone in order to bring HTTPS to the whole web.

Update: If you want to know about certificate generation by Let’s Encrypt and how to integrate it with Spring Boot, read my new article: Spring Boot Application Secured by Let’s Encrypt Certificate.

References and further materials

  1. Enable HTTPS in Spring Boot
  2. SSLabs assessment tool
Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

5 thoughts on “Spring Boot application secured by self-signed HTTPS

    • Nice catch! I didn’t see it before. I don’t have deep knowledge about internals of OpenSSL. Generally that works correctly with Spring as well as OpenSSL. I even have a valid certificate(Let’s Encrypt) and it works nicely (https://Seeld.eu).
      I am also curious to know why; so I may create a StackOverflow question.

Leave a Reply

Your email address will not be published. Required fields are marked *