I inherited Spring Boot application (version 1.5.8). I think it reads external foo.properties
file then creates Map
object having key/value pair then SpringApplication.setDefaultProperties
consumes it.
When I inspected the properties file, it has many ssl related key/value properties
server.ssl.key-alias=<some_value>
server.ssl.key-password=<some_value>
server.ssl.key-store=<some_value>
server.ssl.key-store-type=<some_value>
From its pom.xml file I don't see spring-boot-starter-security
as a dependency though. My assumption is it is ok. Although as newbie, when I went through simple tutorial of Spring Boot in regard to ssl, it has aforementioned lib as a dependency.
I plan to add more ssl key/value pairs like:
server.ssl.enabled=<some_value>
server.ssl.ciphers=<some_value>
server.ssl.protocol=<some_value>
My question is do I need spring-boot-starter-security
lib as a dependency or not. I am sure I'd find out once I update/execute the application but I decided to ask first if anyone knows in advance. My initial research didn't come up with an answer I was looking for.
Update:
From its pom.xml, I see following added as dependency. Another attempt of research makes me believe spring-boot-starter
comes with spring-boot-starter-security
but I am not positive about this.
spring-boot-starter
spring-boot-starter-log4j2
spring-boot-starter-web
CodePudding user response:
No, you definitely don't need spring-boot-starter-security
to enable SSL/TLS in your Spring Boot application.
As described in the Spring Boot documentation, you can enable SSL declaratively by setting the various server.ssl.*
properties, typically in application.properties
or application.yml
.
Refer to the Ssl
class for details of all of the supported properties. You may also consider checking the Spring Boot common application properties (in special the server properties).
CodePudding user response:
No.
Spring Boot does not need security for SSL, it's a Tomcat issue. I recommend you to read this tutorial