小贝子编程

如何在春季启动管理中绕过SSL证书验证



因此,我可以禁止SBA管理服务器验证其尝试连接的客户端的SSL证书-对于SBA 2.6.2版本,它或多或少在其文档中概述:https://codecentric.github.io/spring-boot-admin/current/#_using_mutual_tls

以下是覆盖bean的完整配置:

package com.markham.mkmappadmin.config;
import javax.net.ssl.SSLException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ClientHttpConnector;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import reactor.netty.http.client.HttpClient;
/**
* Custom http client class which overrides Spring Boot Admin's server default client.<br>
* The custom client will bypass any SSL Validation by configuring an instance of
*  {@link InsecureTrustManagerFactory}
* @author Hanif Rajabali
* @see <a href="https://codecentric.github.io/spring-boot-admin/current/#_using_mutual_tls">Spring Boot Admin 2.6.2 Using Mutual TLS</a>
*/
@Configuration
public class CustomHttpClientConfig {
@Bean
public ClientHttpConnector customHttpClient() throws SSLException {
SslContext sslContext = SslContextBuilder
.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE)
.build();
HttpClient httpClient = HttpClient.create().secure(
ssl -> ssl.sslContext(sslContext)
);
return new ReactorClientHttpConnector(httpClient);
}
}

我仍然没有弄清楚如何从SBA客户端禁用它。我在下面定义了一个自定义RestTemplate Config,但SBA客户端似乎没有接受它,即使我看到SBA客户端代码正在使用BlockingRegistrationClient,即RestTemplate

package com.markham.mkmemailerws.config;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
/**
* Need to explicitly build Spring Boot's auto configured
* {@link #restTemplate(RestTemplateBuilder)}
*
* @author Hanif Rajabali
*
*/
@Configuration
public class RestTemplateConfig {
//   @Bean
//   public RestTemplate restTemplate(RestTemplateBuilder restTemplateBuilder) {
//      return restTemplateBuilder.build();
//   }

/**
* The following will bypass ssl validation altogether. Not ideal.
*/
@Bean
public RestTemplate restTemplate(RestTemplateBuilder builder)
throws NoSuchAlgorithmException, KeyManagementException {
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
} };
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sslContext)
.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();
HttpComponentsClientHttpRequestFactory customRequestFactory = new HttpComponentsClientHttpRequestFactory();
customRequestFactory.setHttpClient(httpClient);
return builder.requestFactory(() -> customRequestFactory).build();
}
}

在我们的案例(Spring Boot Admin 2.7.10(中,第一个问题是,如果使用默认文档中提供的模板启动SBA,则配置类没有被选中。添加一个@ComponentScan注释,将使用该配置。

@Configuration
@EnableAutoConfiguration
@EnableAdminServer
public class SpringBootAdminApplication {
public static void main(String[] args) {
SpringApplication.run(SpringBootAdminApplication.class, args);
}
}

然后,问题中的customHttpClientbean按预期工作。如果您不想使整个证书检查过程无效,而只想使使用者替代名称检查无效,因为您使用的是SBA的IP而不是主机名,则可以使用以下方法。

@Bean
public ClientHttpConnector customHttpClient() throws SSLException {
SslContext sslContext = SslContextBuilder.forClient()
.build();
var httpClient = reactor.netty.http.client.HttpClient.create().secure(
ssl -> ssl.sslContext(sslContext)
.handlerConfigurator(sslHandler -> {
SSLEngine engine = sslHandler.engine();
SSLParameters params = new SSLParameters();
params.setEndpointIdentificationAlgorithm("");
engine.setSSLParameters(params);
}));
return new ReactorClientHttpConnector(httpClient);
}
}

在我们的例子中,在这里使用setEndpointIdentificationAlgorithm("");是很重要的,因为如果我们使用null,那么实际上在内部设置了另一个算法。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium