avatarSomnath Musib

Summary

The article outlines the process of securing a Spring Boot application using Transport Layer Security (TLS) with a self-signed certificate.

Abstract

The article provides a comprehensive guide on enhancing the security of a Spring Boot application by implementing TLS. It begins by emphasizing the importance of security in applications, particularly in production environments. The author then walks through creating a Spring Boot application with various RESTful endpoints for managing book resources. The application is initially configured to run over HTTP. The focus then shifts to securing the application by generating a self-signed certificate using Java's keytool utility, configuring the application to use TLS, and testing the secured endpoints. The article concludes by stressing the necessity of TLS, especially when using HTTP Basic Authentication, and recommends a cost-effective AI service as a more economical alternative to ChatGPT Plus for similar performance.

Opinions

  • The author suggests that nearly all production-grade applications should employ security mechanisms, implying a standard industry practice.
  • Using a self-signed certificate is presented as a viable option for development and testing environments, with the understanding that production environments should use certificates from trusted Certification Authorities.
  • The article implies that enabling HTTPS is crucial for applications that use HTTP Basic Authentication, indicating a strong stance on security best practices.
  • By recommending an AI service, the author endorses the use of cost-effective tools that provide high performance, suggesting a preference for value and efficiency in development resources.

How to Secure a Spring Boot Application with TLS

Securing an application with Transport Layer Security and a Self-Signed Certificate

Image Courtesy: PixaBay

Security is an important aspect of any application and nearly all production-grade applications employ a certain level of security mechanism for application security. Transport Layer Security allows applications to develop a secure communication channel with its clients. In this article, we will create a Spring boot application and secure it with a self-signed certificate.

Creating a Spring Boot Application

In this section, we will create a Spring boot application and expose the following endpoints:

GET v1/books/ : List all books POST v1/books/: Create a new book GET v1/books/{book_id}: Get a book resource DELETE v1/books/{book_id}: Remove a book

Step 1: Creating a Spring Boot Project

Browse to your favorite IDE and create a Spring boot project with web, h2, data-jpa and Lombok dependencies. Following is the pom.xml file:

Step 2: Configuring h2 database

In this application, we will use the h2 in-memory database as our backing database. Add the following configuration in the application.properties file to configure h2 database:

Step 3: Creating the domain object

In this application, we will manage book information. Users of this application/API can perform CRUD operations. We have created the following book entity:

Step 4: Creating the REST endpoints

To facilitate the REST endpoints, we have created the following REST controller. It serves the aforementioned endpoints:

We also have created the following repository:

Step 5: Insert data at application startup

To help with the testing, let's insert a few book details in our database. To do so, create a new SQL file named data.sql in src/main/resources directory. Spring boot automatically executes this file at startup.

Step 6: Testing the API

Let us now start the application and test a few endpoints to ensure the application is working as expected. We are using HTTPPie to access the endpoint and we are receiving data from the server as shown below:

Configuring a Self-Signed Certificate

So far, we have developed the application and able to access the configured endpoints. At the moment, this application is running on an insecure HTTP protocol. In this section, we will enable TLS and let the application run in HTTPS.

In order to do so, we need to configure a certificate. In production-grade applications, we use certificates that are issued from renowned Certification Authorities (CA) such as Verisign, DigiCert, Entrust and others. Certificates issued by renowned CAs ensure that our application is a trusted entity. However, as this is a demo application, we will create a Self-Signed Certificate and use it in our application.

Step 1: Creating the certificate

Java provides the keytool utility to create and manage certificates locally. Keytool is available along with other JDK utilities in JDK_HOME/bin directory. Let us execute the following keytool command to generate a new certificate:

keytool -genkey -keyalg RSA -alias medium -keystore medium.jks -storepass password -validity 365 -keysize 4096 -storetype pkcs12

We are generating a certificate along with the following tasks in the above command:

  • Using the RSA algorithm
  • Providing an alias name as medium
  • Naming the Keystore file as medium.jks
  • Validity for one year

Once you hit this command, it will prompt for a few details and the certificate will be created. Copy this certificate in the src/main/resources directory so that it will be available at classpath.

Step 2: Configuring the application with TLS

Now that we are done with the certificate generation, let us add the following information in the Spring boot application.properties to enable TLS:

server.ssl.key-store=classpath:medium.jks
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=password
server.ssl.key-password=password
server.ssl.key-alias=medium
server.port=8443

Step 3: Testing the API

We have added the TLS configuration in Spring boot and the application is ready to run in HTTPS. Open Postman/Browser and hit the below URL:

https://localhost:8443/v1/books/1

In postman, we find the following output:

Access REST API over HTTPS

Many HTTP clients have a check on the Self-Signed certificates and it does not allow accessing resources over Self-Signed certificates HTTPS. For example, HTTPPie returns the following error. Ensure to disable the check to test this demo application.

http https://localhost:8443/v1/books/1
http: error: SSLError: HTTPSConnectionPool(host=’localhost’, port=8443): Max retries exceeded with url: /v1/books/1 (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)’))) while doing GET request to URL: https://localhost:8443/v1/books/1

Wrapping Up

Enabling Transport Layer Security in an application is a defacto standard in today’s security parlance. Moreover, when your application let its clients authenticate over HTTP Basic Authentication scheme, then configuring HTTPS is not a choice, its the default requirement. This article shed some light on how to achieve this in a Spring boot application.

Programming
Technology
Software Development
Software Engineering
Coding
Recommended from ReadMedium