I'm writing a Java Servlet (javax.servlet.http.HttpServlet) using Tomcat 8 to provide an restful API. I want to configure a Tomcat server to use https and I want all data to be transferred as encrypted.
Despite much searching, I can't find:
Despite much searching, I can't find:
How to create an http servlet that can be accessed via https://
It's the same as writing any other servlet. There is no HTTPS-specific aspect to it.
Configuring SSL in Tomcat such that there is a secure key exchange; no hassle with certificates, etc.
There is no such thing as SSL without certificates, unless you want it completely insecure, in which case there's no point in using SSL at all. The Tomcat documentation has extensive information about generating certificates, keystores, etc.
An answer to what the best security method is. e.g. Is SSL still the way to go?
Yes.
There is no such a thing called https servlet. SSL is handled by the servlet container. To enable SSL in tomcat, follow the instructions here to generate a key and have tomcat accepts https - http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
2- You can either force https by validating isSecure and redirect to https or use security constraint inside web.xml of your app. Check example here http://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html
