diff --git a/README.MD b/README.MD
index 1026e15..ebe62e1 100644
--- a/README.MD
+++ b/README.MD
@@ -24,6 +24,7 @@ A repository containing different java tutorials
## Security 🔐
- [Instant Server SSL Reloading with Spring Boot and Jetty](instant-server-ssl-reloading)
+- [Instant Server SSL Reloading with Spring Boot and Tomcat](instant-ssl-reloading-with-spring-tomcat)
- [Instant Server SSL Reloading with Vert.x](instant-server-ssl-reloading-with-vertx/vertx-server)
- [Instant Server SSL Reloading with Netty](instant-server-ssl-reloading-with-netty/netty-server)
- [Instant Server SSL Reloading with gRPC](grpc-client-server-with-ssl/instant-server-ssl-reloading-with-grpc)
diff --git a/instant-ssl-reloading-with-spring-tomcat/README.md b/instant-ssl-reloading-with-spring-tomcat/README.md
new file mode 100644
index 0000000..2340375
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/README.md
@@ -0,0 +1,44 @@
+# Instant SSL Reloading 🔐
+A server configured with ssl has a key material and trust material. These materials are generated from a keypair and certificate which always have an expiration date.
+In a traditional server configuration a reboot of the server is required to apply the latest key material and trust material changes when the keystore and truststore are changed.
+A downtime is therefore unavoidable. This project demonstrates with a basic setup how update the server certificate from an external source without the need of restarting your server. In this way you can achieve zero downtime.
+
+The repository contains:
+- Server, based on Spring Boot with Tomcat as a server engine
+
+### SSL Updating entrypoint for the server:
+The server has two ways to update the existing ssl material:
+- File based aka file change listener, see here for the implementation: [FilesBasedSslUpdateService](src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java)
+- Databased based, aka database change listener. This option is hosted in a separate module within this repository, see here: [Instant SSL Reloading With Database](https://github.com/Hakky54/java-tutorials/tree/main/instant-ssl-reloading-with-spring-jetty-database)
+#### Requirements
+- Java 11
+- Terminal
+
+#### Start the server
+```
+mvn spring-boot:run
+```
+Visit the server with the following url on your browser: https://localhost:8443/api/hello
+Open the certificate details in your browser by clicking on the lock logo (on Chrome). You will see a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading/images/before-reloading.png?raw=true)
+
+Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
+
+#### Refresh the server certificates with the file listener
+The file based ssl update service will listen to changes on a specific file on the file system. Adjust the path to your identity and truststore within [FilesBasedSslUpdateService](server/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java).
+```java
+private static final Path identityPath = Path.of("/path/to/your/identity.jks");
+private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
+```
+Also change the passwords if it is different.
+```java
+private static final char[] identityPassword = "secret".toCharArray();
+private static final char[] trustStorePassword = "secret".toCharArray();
+```
+Adjust the content of the identity and truststore and after 10 seonds the cron job will be triggered to validate if the content has been changed, and it will update the ssl configuration if there are any changes on it.
+
+Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down.
+You should have a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading/images/after-reloading.png?raw=true)
diff --git a/instant-ssl-reloading-with-spring-tomcat/pom.xml b/instant-ssl-reloading-with-spring-tomcat/pom.xml
new file mode 100644
index 0000000..f2d678a
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/pom.xml
@@ -0,0 +1,80 @@
+
+
+ 4.0.0
+
+ io.github.hakky54
+ java-tutorials
+ 1.0.0-SNAPSHOT
+
+
+ instant-ssl-reloading-with-spring-tomcat
+ 1.0.0-SNAPSHOT
+ jar
+
+
+
+ io.github.hakky54
+ sslcontext-kickstart
+ ${version.sslcontext-kickstart}
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+ ${version.spring}
+
+
+
+ org.springframework.boot
+ spring-boot-starter-test
+ ${version.spring}
+ test
+
+
+ org.junit.jupiter
+ junit-jupiter-api
+ ${version.junit}
+ test
+
+
+ org.junit.jupiter
+ junit-jupiter-engine
+ ${version.junit}
+ test
+
+
+
+
+
+
+ org.apache.tomcat.embed
+ tomcat-embed-core
+ ${version-tomcat}
+
+
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+ ${version.spring}
+
+ nl.altindag.server.App
+ server
+
+
+
+
+ repackage
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/App.java b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/App.java
new file mode 100644
index 0000000..8abd17d
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/App.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.scheduling.annotation.EnableScheduling;
+
+@EnableScheduling
+@SpringBootApplication
+public class App {
+
+ public static void main(String[] args) {
+ SpringApplication.run(App.class, args);
+ }
+
+}
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConfig.java b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConfig.java
new file mode 100644
index 0000000..66e67fd
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConfig.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import nl.altindag.ssl.SSLFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class SSLConfig {
+
+ @Bean
+ public SSLFactory sslFactory(@Value("${ssl.keystore-path}") String keyStorePath,
+ @Value("${ssl.keystore-password}") char[] keyStorePassword,
+ @Value("${ssl.truststore-path}") String trustStorePath,
+ @Value("${ssl.truststore-password}") char[] trustStorePassword,
+ @Value("${ssl.client-auth}") boolean isClientAuthenticationRequired) {
+
+ return SSLFactory.builder()
+ .withSwappableIdentityMaterial()
+ .withSwappableTrustMaterial()
+ .withIdentityMaterial(keyStorePath, keyStorePassword)
+ .withTrustMaterial(trustStorePath, trustStorePassword)
+ .withNeedClientAuthentication(isClientAuthenticationRequired)
+ .build();
+ }
+
+}
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConnectorCustomizer.java b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConnectorCustomizer.java
new file mode 100644
index 0000000..b5afde7
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/SSLConnectorCustomizer.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import nl.altindag.ssl.SSLFactory;
+import org.apache.catalina.connector.Connector;
+import org.apache.coyote.http11.AbstractHttp11Protocol;
+import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class SSLConnectorCustomizer implements TomcatConnectorCustomizer {
+
+ private final SSLFactory sslFactory;
+ private final int port;
+
+ public SSLConnectorCustomizer(SSLFactory sslFactory, @Value("${server.port}") int port) {
+ this.sslFactory = sslFactory;
+ this.port = port;
+ }
+
+ @Override
+ public void customize(Connector connector) {
+ connector.setScheme("https");
+ connector.setSecure(true);
+ connector.setPort(port);
+
+ AbstractHttp11Protocol> protocol = (AbstractHttp11Protocol>) connector.getProtocolHandler();
+ protocol.setSSLEnabled(true);
+
+ SSLHostConfig sslHostConfig = new SSLHostConfig();
+ SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
+ certificate.setSslContext(new TomcatSSLContext(sslFactory));
+ sslHostConfig.addCertificate(certificate);
+ protocol.addSslHostConfig(sslHostConfig);
+ }
+
+}
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/ServerConfig.java b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/ServerConfig.java
new file mode 100644
index 0000000..d4a6f83
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/ServerConfig.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class ServerConfig {
+
+ @Bean
+ public ServletWebServerFactory servletContainer(SSLConnectorCustomizer sslConnectorCustomizer) {
+ TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
+ tomcat.addConnectorCustomizers(sslConnectorCustomizer);
+ return tomcat;
+ }
+
+}
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/TomcatSSLContext.java b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/TomcatSSLContext.java
new file mode 100644
index 0000000..16eac4c
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/config/TomcatSSLContext.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import nl.altindag.ssl.SSLFactory;
+import org.apache.tomcat.util.net.SSLContext;
+
+import javax.net.ssl.*;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+
+public final class TomcatSSLContext implements SSLContext {
+
+ private final SSLFactory sslFactory;
+
+ public TomcatSSLContext(SSLFactory sslFactory) {
+ this.sslFactory = sslFactory;
+ }
+
+ @Override
+ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) {
+ // not needed to initialize as it is already initialized
+ }
+
+ @Override
+ public void destroy() {
+
+ }
+
+ @Override
+ public SSLSessionContext getServerSessionContext() {
+ return sslFactory.getSslContext().getServerSessionContext();
+ }
+
+ @Override
+ public SSLEngine createSSLEngine() {
+ return sslFactory.getSSLEngine();
+ }
+
+ @Override
+ public SSLServerSocketFactory getServerSocketFactory() {
+ return sslFactory.getSslServerSocketFactory();
+ }
+
+ @Override
+ public SSLParameters getSupportedSSLParameters() {
+ return sslFactory.getSslParameters();
+ }
+
+ @Override
+ public X509Certificate[] getCertificateChain(String alias) {
+ return sslFactory.getKeyManager()
+ .map(keyManager -> keyManager.getCertificateChain(alias))
+ .orElseThrow();
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return sslFactory.getTrustedCertificates().toArray(new X509Certificate[0]);
+ }
+
+}
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/controller/HelloWorldController.java b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/controller/HelloWorldController.java
new file mode 100644
index 0000000..204ce62
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/controller/HelloWorldController.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.controller;
+
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class HelloWorldController {
+
+ @GetMapping(value = "/api/hello", produces = MediaType.TEXT_PLAIN_VALUE)
+ public ResponseEntity hello() {
+ return ResponseEntity.ok("Hello");
+ }
+
+}
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java
new file mode 100644
index 0000000..70491fc
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.service;
+
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.util.SSLFactoryUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.scheduling.annotation.Scheduled;
+import org.springframework.stereotype.Service;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+
+@Service
+public class FileBasedSslUpdateService {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(FileBasedSslUpdateService.class);
+
+ private static final Path identityPath = Path.of("/path/to/your/identity.jks");
+ private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
+ private static final char[] identityPassword = "secret".toCharArray();
+ private static final char[] trustStorePassword = "secret".toCharArray();
+
+ private ZonedDateTime lastModifiedTimeIdentityStore = ZonedDateTime.ofInstant(Instant.EPOCH, ZoneOffset.UTC);
+ private ZonedDateTime lastModifiedTimeTrustStore = ZonedDateTime.ofInstant(Instant.EPOCH, ZoneOffset.UTC);
+
+ private final SSLFactory baseSslFactory;
+
+ public FileBasedSslUpdateService(SSLFactory baseSslFactory) {
+ this.baseSslFactory = baseSslFactory;
+ }
+
+ /**
+ * Checks every 10 seconds if the keystore files have been updated.
+ * If the files have been updated the service will read the content and update the ssl material
+ * within the existing ssl configuration.
+ */
+ @Scheduled(cron = "*/10 * * * * *")
+ private void updateSslMaterial() throws IOException {
+ if (Files.exists(identityPath) && Files.exists(trustStorePath)) {
+ BasicFileAttributes identityAttributes = Files.readAttributes(identityPath, BasicFileAttributes.class);
+ BasicFileAttributes trustStoreAttributes = Files.readAttributes(trustStorePath, BasicFileAttributes.class);
+
+ boolean identityUpdated = lastModifiedTimeIdentityStore.isBefore(ZonedDateTime.ofInstant(identityAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC));
+ boolean trustStoreUpdated = lastModifiedTimeTrustStore.isBefore(ZonedDateTime.ofInstant(trustStoreAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC));
+
+ if (identityUpdated && trustStoreUpdated) {
+ LOGGER.info("Keystore files have been changed. Trying to read the file content and preparing to update the ssl material");
+
+ SSLFactory updatedSslFactory = SSLFactory.builder()
+ .withIdentityMaterial(identityPath, identityPassword)
+ .withTrustMaterial(trustStorePath, trustStorePassword)
+ .build();
+
+ SSLFactoryUtils.reload(baseSslFactory, updatedSslFactory);
+
+ lastModifiedTimeIdentityStore = ZonedDateTime.ofInstant(identityAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC);
+ lastModifiedTimeTrustStore = ZonedDateTime.ofInstant(trustStoreAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC);
+
+ LOGGER.info("Updating ssl material finished");
+ }
+ }
+ }
+
+}
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/resources/application.yml b/instant-ssl-reloading-with-spring-tomcat/src/main/resources/application.yml
new file mode 100644
index 0000000..c795d4b
--- /dev/null
+++ b/instant-ssl-reloading-with-spring-tomcat/src/main/resources/application.yml
@@ -0,0 +1,9 @@
+server:
+ port: 8443
+
+ssl:
+ client-auth: true
+ keystore-path: identity.jks
+ keystore-password: secret
+ truststore-path: truststore.jks
+ truststore-password: secret
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/resources/identity.jks b/instant-ssl-reloading-with-spring-tomcat/src/main/resources/identity.jks
new file mode 100644
index 0000000..0b23ff6
Binary files /dev/null and b/instant-ssl-reloading-with-spring-tomcat/src/main/resources/identity.jks differ
diff --git a/instant-ssl-reloading-with-spring-tomcat/src/main/resources/truststore.jks b/instant-ssl-reloading-with-spring-tomcat/src/main/resources/truststore.jks
new file mode 100644
index 0000000..8f898ee
Binary files /dev/null and b/instant-ssl-reloading-with-spring-tomcat/src/main/resources/truststore.jks differ
diff --git a/pom.xml b/pom.xml
index eb9dfb6..403b8e7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,6 +22,7 @@
console-captor-examples
instant-ssl-reloading-with-spring-jetty-database
instant-server-ssl-reloading-with-quarkus
+ instant-ssl-reloading-with-spring-tomcat
@@ -57,9 +58,10 @@
UTF-8
2022
- 8.1.6
+ 8.3.1
2.9.0
2.7.5
+ 10.1.19
1.9.9.1
2.14.1
2.0.6