我有一个spring oauth2服务,当服务试图创建beanjwtDecoderByIssuerUri时,它失败了,因为:
...
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of <issuer>
...
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "<issuer>": No subject alternative names present; nested exception is javax.net.ssl.SSLHandshakeException: No subject alternative names present
在执行以下操作禁用ssl验证后出现此错误:
public final class SSLUtil {
private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
// Install the all-trusting trust manager
final SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, UNQUESTIONING_TRUST_MANAGER, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException {
// Return it to the initial state (discovered by reflection, now hardcoded)
SSLContext.getInstance("SSL").init(null, null, null);
}
private SSLUtil() {
throw new UnsupportedOperationException("Do not instantiate libraries.");
}
}
@Bean
JwtDecoder jwtDecoderByIssuerUri(final OAuth2ResourceServerProperties properties) throws KeyManagementException, NoSuchAlgorithmException {
turnOffSslChecking();
return JwtDecoders.fromIssuerLocation(properties.getJwt().getIssuerUri());
}
在我添加turnOffSslChecking()之前,错误是:
...
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
是否有一种方法可以避免所有这些ssl验证的东西?
Oauth2服务器要求SSL/TLS的使用。(第2.3.1节,然后引用了Oauth规范的第1.6节TLS Version- https://www.rfc-editor.org/rfc/rfc6749)你最好解决你的原始问题,而不是禁用SSL。
您最初的问题是因为您需要将证书的公钥安装到TrustStore中,而不是创建一个完全信任的TrustManager。您没有指定,但我假设您使用的是带有默认java TrustStore的自签名证书。如果是这样,本文中的步骤应该可以解决这个问题。https://medium.com/expedia-group-tech/how-to-import-public-certificates-into-javas-truststore-from-a-browser-a35e49a806dc
如果我做了一个错误的假设,请张贴更多的信息。