I am working on a web application consisting of a Keycloak-authenticated Spring WebFlux web client that, once the JWT has been issued, communicates with a REST microservice. The web application works fine locally, but not when I deploy it on a VPS and secure it with a self-signed SSL certificate. Below are the stack trace, the YAML files and the configuration.
Stack trace from the web client
[80951c4f-3] 500 Server Error for HTTP GET "/login/oauth2/code/keycloak?state=_OL6ieI7ZLkxdwNUn-_r1KJW6iQpe-0UtgHR_t6R7MQ%3D&session_state=2de93ae4-4edb-4cc7-ba54-f3cd2bc78656&code=c2762a41-f07e-48c5-b548-4bfcaae7d7c7.2de93ae4-4edb-4cc7-ba54-f3cd2bc78656.54771ced-5411-4aff-9cd6-3553871f035e"
org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:141) ~[spring-webflux-5.3.9.jar!/:5.3.9]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
|_ checkpoint ⇢ Request to POST https://185.7.212.159:8543/auth/realms/haditvpas/protocol/openid-connect/token [DefaultWebClient]
|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.authentication.OAuth2LoginAuthenticationWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.OAuth2AuthorizationRequestRedirectWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.OAuth2AuthorizationRequestRedirectWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.security.web.server.csrf.CsrfWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
|_ checkpoint ⇢ org.springframework.boot.actuate.metrics.web.reactive.server.MetricsWebFilter [DefaultWebFilterChain]
|_ checkpoint ⇢ HTTP GET "/login/oauth2/code/keycloak?state=_OL6ieI7ZLkxdwNUn-_r1KJW6iQpe-0UtgHR_t6R7MQ%3D&session_state=2de93ae4-4edb-4cc7-ba54-f3cd2bc78656&code=c2762a41-f07e-48c5-b548-4bfcaae7d7c7.2de93ae4-4edb-4cc7-ba54-f3cd2bc78656.54771ced-5411-4aff-9cd6-3553871f035e" [ExceptionHandlingWebHandler]
YAML file of the REST microservice
server:
  ssl:
    key-store: classpath:ssl-server.jks
    key-store-password: changeit
    key-store-type: JKS
    key-store-provider: SUN
    enabled: true
  port: 9090
  error:
    include-stacktrace: never
spring:
  thymeleaf:
    cache: false
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: 'PAS-client'
            scope: openid
            client-secret: 'c16bbf0d-6281-461c-8a09-3eddeb3a229d'
            authorizationGrantType: authorization_code
            redirectUri: '{baseUrl}/login/oauth2/code/{registrationId}'
        provider:
          keycloak:
            authorizationUri: https://185.7.212.159:8543/auth/realms/haditvpas/protocol/openid-connect/auth
            tokenUri: https://185.7.212.159:8543/auth/realms/haditvpas/protocol/openid-connect/token
            jwkSetUri: https://185.7.212.159:8543/auth/realms/haditvpas/protocol/openid-connect/certs
            ##
            user-name-attribute: name
app-server:
  url: https://185.7.212.159:9091
webclient
management:
  endpoints:
    web:
      exposure:
        include: '*'
  endpoint:
    health:
      show-details: always
spring:
  data:
    mongodb:
      host: localhost
      port: 27017
      database: production
      auto-index-creation: true
  jackson:
    date-format: com.fasterxml.jackson.databind.util.StdDateFormat
    default-property-inclusion: non-null
  security:
    oauth2:
      resourceserver:
        jwt:
          jwkSetUri: https://185.7.212.159:8543/auth/realms/haditvpas/protocol/openid-connect/certs
          issuerUri: https://185.7.212.159:8543/auth/realms/haditvpas
          tokenUri: https://185.7.212.159:8543/auth/realms/haditvpas/protocol/openid-connect/token
server:
  port: 9091
  error:
    include-stacktrace: never
I found the answer; the problem was that the keystore did not contain my SSL .crt file.
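The PKIX error in the trace is raised when the web client POSTs to the Keycloak token endpoint: the JVM's default truststore has no anchor for the self-signed Keycloak certificate, so the TLS handshake is rejected. The fix that keeps certificate validation intact is to give the client a truststore that contains that one certificate, rather than disabling hostname or chain checks. The following is an added example, not the poster's code or part of Spring Security; it assumes a hypothetical truststore at /etc/pas/keycloak-truststore.jks (created with keytool, holding only the Keycloak server certificate and no private key) with the placeholder password changeit, and wires a truststore-backed WebClient into the Spring Security 5.x WebFlux OAuth2 login flow so the token and UserInfo calls use it.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

@Configuration
public class KeycloakTrustConfig {

    // Hypothetical paths/passwords (assumptions, not from the original post).
    // The truststore holds ONLY the Keycloak server's self-signed certificate:
    //   keytool -importcert -alias keycloak -file keycloak.crt -keystore /etc/pas/keycloak-truststore.jks
    private static final Path TRUSTSTORE = Path.of("/etc/pas/keycloak-truststore.jks");
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** A WebClient whose TLS trust is limited to the certificates in the truststore. */
    @Bean
    public WebClient keycloakWebClient() throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(TRUSTSTORE)) {
            trustStore.load(in, TRUSTSTORE_PASSWORD);
        }
        // Standard PKIX trust manager over our own anchors; chain and hostname
        // checks stay enabled, only the set of trusted roots changes.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SslContext sslContext = SslContextBuilder.forClient().trustManager(tmf).build();
        HttpClient httpClient = HttpClient.create().secure(spec -> spec.sslContext(sslContext));
        return WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, WebClient keycloakWebClient) {
        // Token endpoint call: the "POST .../openid-connect/token" checkpoint in the trace.
        WebClientReactiveAuthorizationCodeTokenResponseClient tokenClient =
                new WebClientReactiveAuthorizationCodeTokenResponseClient();
        tokenClient.setWebClient(keycloakWebClient);

        // UserInfo endpoint call goes through the same trust-restricted client.
        DefaultReactiveOAuth2UserService oauth2UserService = new DefaultReactiveOAuth2UserService();
        oauth2UserService.setWebClient(keycloakWebClient);
        OidcReactiveOAuth2UserService oidcUserService = new OidcReactiveOAuth2UserService();
        oidcUserService.setOauth2UserService(oauth2UserService);

        OidcAuthorizationCodeReactiveAuthenticationManager authManager =
                new OidcAuthorizationCodeReactiveAuthenticationManager(tokenClient, oidcUserService);

        http.authorizeExchange(ex -> ex.anyExchange().authenticated())
            .oauth2Login(login -> login.authenticationManager(authManager));
        return http.build();
    }
}
```

Two points worth checking after applying this: the ID-token validation inside the OIDC authentication manager fetches the JWK set with its own decoder, and in older 5.x releases that decoder does not take the injected WebClient, so if that step still fails with the same PKIX error the simplest complete fix is to point the whole JVM at the same truststore (`-Djavax.net.ssl.trustStore=/etc/pas/keycloak-truststore.jks -Djavax.net.ssl.trustStorePassword=...`); and a truststore is separate from the server's `key-store` in the YAML above, which should continue to hold only the service's own key pair. Either way the client keeps verifying the Keycloak certificate instead of trusting all certificates, which is the behaviour the original error is protecting.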