Getting started
This page shows how to enable TLS on the embedded web server of a Spring Boot service by adding the
jeap-spring-boot-tls-starter. For the underlying mechanism see How it works; for
the available properties see the Configuration reference.
1. Add the dependency
<dependency>
    <groupId>ch.admin.bit.jeap</groupId>
    <artifactId>jeap-spring-boot-tls-starter</artifactId>
</dependency>
The version is managed by the jEAP Spring Boot parent. The starter requires an embedded web server,
so the service must already depend on a web stack such as spring-boot-starter-webmvc.
2. That is it
No code or configuration is required. Once the starter is on the classpath, TLS is enabled by default. At start-up the service:
- generates a self-signed RSA certificate for its hostname,
- registers it as the Spring SSL bundle web-server and points server.ssl.bundle at it,
- enables HTTP/2 (server.http2.enabled=true).
The service is then reachable over https:// only; plain http:// requests are rejected.
3. When to use it
The generated certificate is self-signed: it provides encryption but not trust, because it is not issued by a trusted certificate authority. Restrict the starter to use cases where traffic is already authenticated by other means and only needs to be additionally encrypted — for example traffic between an AWS Application Load Balancer (ALB) and its targets.
Externally provided certificates are not supported. If you need a CA-issued certificate, configure
Spring Boot's server.ssl.* / SSL bundle support directly instead of using this starter (the starter
backs off when server.ssl.bundle is already set).
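The alternative described above, as an added example that is not taken from the jEAP documentation: a Spring Boot SSL bundle built from a CA-issued PEM certificate and selected through server.ssl.bundle. The bundle name ca-issued and both file paths are placeholders.

```yaml
# Added example, not part of the jEAP starter.
# Bundle name "ca-issued" and the file paths are placeholders.
spring:
  ssl:
    bundle:
      pem:
        ca-issued:
          keystore:
            # Certificate chain issued by your CA, leaf certificate first
            certificate: "file:/path/to/service-cert-chain.pem"
            # Matching private key; keep it readable by the service user only
            private-key: "file:/path/to/service-key.pem"

server:
  ssl:
    # Setting this makes the starter back off, as stated above
    bundle: ca-issued
  http2:
    # Set explicitly here: this page does not say whether the starter
    # still enables HTTP/2 once it has backed off
    enabled: true
```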
4. Tune the certificate (optional)
jeap:
  web:
    tls:
      enabled: true
      self-signed-cert:
        hostname: jme-example-service
        days-valid: 1100
See the Configuration reference for defaults and descriptions.