Added example for spring with tomcat

README.MD

@@ -24,6 +24,7 @@ A repository containing different java tutorials
 
 ## Security 🔐
 - [Instant Server SSL Reloading with Spring Boot and Jetty](instant-server-ssl-reloading)
+- [Instant Server SSL Reloading with Spring Boot and Tomcat](instant-ssl-reloading-with-spring-tomcat)
 - [Instant Server SSL Reloading with Vert.x](instant-server-ssl-reloading-with-vertx/vertx-server)
 - [Instant Server SSL Reloading with Netty](instant-server-ssl-reloading-with-netty/netty-server)
 - [Instant Server SSL Reloading with gRPC](grpc-client-server-with-ssl/instant-server-ssl-reloading-with-grpc)

instant-ssl-reloading-with-spring-tomcat/README.md

@@ -0,0 +1,44 @@
+# Instant SSL Reloading 🔐
+A server configured with ssl has a key material and trust material. These materials are generated from a keypair and certificate which always have an expiration date.
+In a traditional server configuration a reboot of the server is required to apply the latest key material and trust material changes when the keystore and truststore are changed.
+A downtime is therefore unavoidable. This project demonstrates with a basic setup how update the server certificate from an external source without the need of restarting your server. In this way you can achieve zero downtime.
+
+The repository contains:
+- Server, based on Spring Boot with Tomcat as a server engine
+
+### SSL Updating entrypoint for the server:
+The server has two ways to update the existing ssl material:
+- File based aka file change listener, see here for the implementation: [FilesBasedSslUpdateService](src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java)
+- Databased based, aka database change listener. This option is hosted in a separate module within this repository, see here: [Instant SSL Reloading With Database](https://github.com/Hakky54/java-tutorials/tree/main/instant-ssl-reloading-with-spring-jetty-database)
+#### Requirements
+- Java 11
+- Terminal
+
+#### Start the server
+```
+mvn spring-boot:run
+```
+Visit the server with the following url on your browser: https://localhost:8443/api/hello
+Open the certificate details in your browser by clicking on the lock logo (on Chrome). You will see a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading/images/before-reloading.png?raw=true)
+
+Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
+
+#### Refresh the server certificates with the file listener
+The file based ssl update service will listen to changes on a specific file on the file system. Adjust the path to your identity and truststore within [FilesBasedSslUpdateService](server/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java).
+```java
+private static final Path identityPath = Path.of("/path/to/your/identity.jks");
+private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
+```
+Also change the passwords if it is different.
+```java
+private static final char[] identityPassword = "secret".toCharArray();
+private static final char[] trustStorePassword = "secret".toCharArray();
+```
+Adjust the content of the identity and truststore and after 10 seonds the cron job will be triggered to validate if the content has been changed, and it will update the ssl configuration if there are any changes on it.
+
+Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down.
+You should have a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading/images/after-reloading.png?raw=true)

instant-ssl-reloading-with-spring-tomcat/pom.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.github.hakky54</groupId>
+        <artifactId>java-tutorials</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>instant-ssl-reloading-with-spring-tomcat</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>sslcontext-kickstart</artifactId>
+            <version>${version.sslcontext-kickstart}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+            <version>${version.spring}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <version>${version.spring}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>${version.junit}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>${version.junit}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${version-tomcat}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <version>${version.spring}</version>
+                <configuration>
+                    <mainClass>nl.altindag.server.App</mainClass>
+                    <finalName>server</finalName>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>repackage</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/App.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.scheduling.annotation.EnableScheduling;
+
+@EnableScheduling
+@SpringBootApplication
+public class App {
+
+    public static void main(String[] args) {
+        SpringApplication.run(App.class, args);
+    }
+
+}

instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConfig.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import nl.altindag.ssl.SSLFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class SSLConfig {
+
+    @Bean
+    public SSLFactory sslFactory(@Value("${ssl.keystore-path}") String keyStorePath,
+                                 @Value("${ssl.keystore-password}") char[] keyStorePassword,
+                                 @Value("${ssl.truststore-path}") String trustStorePath,
+                                 @Value("${ssl.truststore-password}") char[] trustStorePassword,
+                                 @Value("${ssl.client-auth}") boolean isClientAuthenticationRequired) {
+
+        return SSLFactory.builder()
+                .withSwappableIdentityMaterial()
+                .withSwappableTrustMaterial()
+                .withIdentityMaterial(keyStorePath, keyStorePassword)
+                .withTrustMaterial(trustStorePath, trustStorePassword)
+                .withNeedClientAuthentication(isClientAuthenticationRequired)
+                .build();
+    }
+
+}

instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConnectorCustomizer.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import nl.altindag.ssl.SSLFactory;
+import org.apache.catalina.connector.Connector;
+import org.apache.coyote.http11.AbstractHttp11Protocol;
+import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class SSLConnectorCustomizer implements TomcatConnectorCustomizer {
+
+    private final SSLFactory sslFactory;
+    private final int port;
+
+    public SSLConnectorCustomizer(SSLFactory sslFactory, @Value("${server.port}") int port) {
+        this.sslFactory = sslFactory;
+        this.port = port;
+    }
+
+    @Override
+    public void customize(Connector connector) {
+        connector.setScheme("https");
+        connector.setSecure(true);
+        connector.setPort(port);
+
+        AbstractHttp11Protocol<?> protocol = (AbstractHttp11Protocol<?>) connector.getProtocolHandler();
+        protocol.setSSLEnabled(true);
+
+        SSLHostConfig sslHostConfig = new SSLHostConfig();
+        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
+        certificate.setSslContext(new TomcatSSLContext(sslFactory));
+        sslHostConfig.addCertificate(certificate);
+        protocol.addSslHostConfig(sslHostConfig);
+    }
+
+}

instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/ServerConfig.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class ServerConfig {
+
+    @Bean
+    public ServletWebServerFactory servletContainer(SSLConnectorCustomizer sslConnectorCustomizer) {
+        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
+        tomcat.addConnectorCustomizers(sslConnectorCustomizer);
+        return tomcat;
+    }
+
+}

instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/TomcatSSLContext.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import nl.altindag.ssl.SSLFactory;
+import org.apache.tomcat.util.net.SSLContext;
+
+import javax.net.ssl.*;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+
+public final class TomcatSSLContext implements SSLContext {
+
+    private final SSLFactory sslFactory;
+
+    public TomcatSSLContext(SSLFactory sslFactory) {
+        this.sslFactory = sslFactory;
+    }
+
+    @Override
+    public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) {
+        // not needed to initialize as it is already initialized
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+    @Override
+    public SSLSessionContext getServerSessionContext() {
+        return sslFactory.getSslContext().getServerSessionContext();
+    }
+
+    @Override
+    public SSLEngine createSSLEngine() {
+        return sslFactory.getSSLEngine();
+    }
+
+    @Override
+    public SSLServerSocketFactory getServerSocketFactory() {
+        return sslFactory.getSslServerSocketFactory();
+    }
+
+    @Override
+    public SSLParameters getSupportedSSLParameters() {
+        return sslFactory.getSslParameters();
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        return sslFactory.getKeyManager()
+                .map(keyManager -> keyManager.getCertificateChain(alias))
+                .orElseThrow();
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return sslFactory.getTrustedCertificates().toArray(new X509Certificate[0]);
+    }
+
+}