Spring Boot：为辅助 SSL 监听器配置 client-auth=need



我正在使用 Spring Boot 1.5.6.RELEASE。我在 application.yml 中为端口 9443 配置了 SSL，这部分工作正常。这个 Spring Boot 应用使用的嵌入式容器是 Undertow。

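server:
  session:
    cookie:
      http-only: true            # session cookie not readable from JavaScript
  context-path: /webapp
  port: 9443                     # primary HTTPS listener (browser traffic)
  ssl:
    key-store: /etc/pki/mycert.jks
    key-store-password: ${SSL_KEYSTORE_PWD}   # taken from the environment, never committed to the file
    key-store-type: JKS
    key-alias: alias
    # No client-auth is set, so 9443 does not ask the peer for a client certificate (Spring Boot default).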

我还通过编程方式添加了一个额外的 SSL 端口。下面是代码片段：

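@Configuration
public class UndertowAdditionalSSLConfig
{
    /**
     * Registers a second HTTPS listener (port 9444, all interfaces) next to the one Spring Boot
     * creates from server.port / server.ssl, using the SSLContext returned by getSSLContext().
     *
     * <p>NOTE(review): addHttpsListener() only binds an SSLContext to the listener; it neither
     * requests nor requires a client certificate, so X.509 client authentication is not in
     * effect on 9444 as written. Which client certificates could pass a handshake at all is
     * decided by the trust managers inside getSSLContext() (not shown here) — presumably they
     * should be limited to the CA that issues the client certificates; verify.
     *
     * @return the Undertow factory with the extra-listener customizer attached
     * @throws IllegalStateException if the listener cannot be set up; failing startup is
     *         preferred over silently running without the port that was meant to be exposed
     */
    @Bean
    public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory()
    {
        UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
        factory.addBuilderCustomizers(new UndertowBuilderCustomizer()
        {
            @Override
            public void customize(Undertow.Builder builder)
            {
                try
                {
                    // "0.0.0.0" binds every interface; a server-to-server port may warrant a narrower bind address.
                    builder.addHttpsListener(9444, "0.0.0.0", getSSLContext());
                }
                catch (Exception e)
                {
                    log.error(e,"Could not add additional listener for https");
                    // Fail closed: do not let the application start without the listener it was configured to expose.
                    throw new IllegalStateException("Could not add additional listener for https on port 9444", e);
                }
            }
        });
        return factory;
    }
}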

辅助 SSL 端口用于服务器之间 REST 调用的 X.509 客户端证书认证。我无法弄清楚如何以编程方式为这个辅助 SSL 端口设置等价于下面这项配置的选项：

client-auth=need

我遇到的问题是：客户端证书似乎没有被发送，或者没有被服务器接受。我怀疑是漏掉了某个步骤。感谢任何帮助。

更新

在翻阅 Spring Boot 源码后，我发现了这一行：

// Builder-wide: this socket option is applied to every listener the Undertow.Builder creates, not to a single port.
builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);

于是我把代码改成了下面这样（注意这里辅助端口改成了 8444）：

        /**
         * Builder-level attempt: SSL_CLIENT_AUTH_MODE is set on the Undertow.Builder itself, so it
         * becomes a socket option of every listener the builder creates — the 9443 one included —
         * not only of the 8444 listener added here (the question reports that 9443 then stopped
         * answering browsers, which have no client certificate to present).
         */
        @Override
        public void customize(Undertow.Builder builder)
        {
            try
            {
                // Second HTTPS listener on all interfaces, using the caller-supplied SSLContext.
                builder.addHttpsListener(8444, "0.0.0.0", getSSLContext());
                // Builder-wide option: applies to every listener this builder produces, not just 8444.
                builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
            }
            catch (Exception e)
            {
                // The failure is only logged; the application keeps starting without the 8444 listener.
                log.error(e,"Could not add additional listener for https");
            }
        }

我以为找到了想要的解决方案，但这个改动同样作用到了 9443 端口的 SSL 上（setSocketOption 是对整个 Builder 生效的），结果应用对浏览器访问不再响应。

其实更准确的问题应该是：如何在两个独立的端口上启用 SSL，并只让其中一个要求客户端证书，以便进行基于客户端证书的身份验证。

谢谢

不要用 builder.setSocketOption(...) 设置 client-auth 模式——它对整个 Builder 生效，会作用于该 Builder 创建的所有监听器（9443 也会被要求出示客户端证书）；需要把这个 socket 选项只绑定到特定的监听器上（见下面第二段代码中的 setOverrideSocketOptions）。注意，紧接着的 ssl()/customizeConnector 这段是 Tomcat 容器工厂的钩子，不适用于问题中使用的 Undertow：

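/**
 * Builds the Spring Boot {@code Ssl} settings for a connector that must require a client certificate.
 *
 * <p>NOTE(review): "TLS" lets the JSSE provider negotiate whichever TLS versions it enables; pin the
 * protocol versions / cipher suites explicitly if policy requires it. No trust store is set here, so
 * which client certificates pass the handshake depends on the container's default trust anchors —
 * confirm they are limited to the CA issuing your client certificates.
 *
 * @return Ssl with clientAuth=NEED (the handshake fails when no client certificate is presented)
 */
public Ssl ssl() {
    Ssl ssl = new Ssl();
    ssl.setProtocol("TLS");
    // NEED == "client-auth: need": a certificate is mandatory, unlike WANT which only asks for one.
    // Using the enum constant directly instead of valueOf("need".toUpperCase()) avoids a runtime
    // string round-trip that would only surface a typo when the bean is created.
    ssl.setClientAuth(Ssl.ClientAuth.NEED);
    // Other SSL stuff
    return ssl;
}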
// NOTE: customizeConnector(Connector) is a hook of Spring Boot's Tomcat container factory (override it there);
// the Undertow factory used in the question has no equivalent — for Undertow, attach the option to one
// listener with ListenerBuilder.setOverrideSocketOptions as shown further down.
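/**
 * Tomcat-side hook that turns SSL with mandatory client authentication on for one connector.
 * It applies only when the application runs on Tomcat; the Undertow factory used in the
 * question does not have this method.
 *
 * @param aConnector the connector being customised; its port is copied back onto the factory
 *        so the factory's own customisation does not reset it
 */
protected void customizeConnector(Connector aConnector) {
    final Ssl theSsl = ssl();
    // .. Other stuff to enable disable based on condition
    // turn on SSL for our connector
    theSsl.setEnabled(true);
    this.setSsl(theSsl);
    // Was `myConnector.getPort()` — an undefined name; the parameter is the connector to read the port from.
    this.setPort(aConnector.getPort()); //otherwise customizeConnector will override port
}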

然后在 application.yml（而不是 application.properties）中设置 client-auth，如下所示。注意：want 只是“请求”客户端证书而不强制——没有证书的浏览器仍然可以访问 9443，而装有客户端证书的浏览器会弹出证书选择框；真正的强制发生在下面 8444 监听器的 SSL_CLIENT_AUTH_MODE=REQUIRED 上。如果 9443 根本不需要客户端证书，这一项可以不设。

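server:
  session:
    cookie:
      http-only: true            # session cookie not readable from JavaScript
  context-path: /webapp
  port: 9443                     # primary HTTPS listener (browser traffic)
  ssl:
    key-store: /etc/pki/mycert.jks
    key-store-password: ${SSL_KEYSTORE_PWD}   # taken from the environment, never committed to the file
    key-store-type: JKS
    key-alias: alias
    # 'want' only REQUESTS a client certificate on 9443: the handshake still succeeds without one,
    # and browsers that hold a client certificate will be prompted to pick one. It enforces nothing;
    # mandatory client auth for the mTLS port is set on the 8444 listener (SSL_CLIENT_AUTH_MODE=REQUIRED).
    # Remove this line if 9443 should never ask for a client certificate.
    client-auth: want
    # NOTE(review): no trust-store is configured, so the trust anchors that decide which client
    # certificates pass the handshake come from the default SSLContext — point server.ssl.trust-store
    # at the CA that issues your client certificates; verify against your deployment.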

然后按以下方式打开另一个端口（client-auth 模式只绑定到这一个监听器）：

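@Configuration
public class UndertowAdditionalSSLConfig
{
    /**
     * Adds a second HTTPS listener on port 8444 that requires a client certificate, while the
     * Spring-managed 9443 listener keeps whatever server.ssl.client-auth says.
     *
     * <p>The client-auth mode is attached to this listener only, through
     * ListenerBuilder#setOverrideSocketOptions, instead of Undertow.Builder#setSocketOption,
     * which would apply it to every listener the builder creates.
     *
     * <p>NOTE(review): REQUIRED makes the handshake fail when no client certificate is presented,
     * but which certificates are accepted is decided by the trust managers inside getSSLContext()
     * (not shown) — they should trust only the CA that issues the client certificates; verify.
     * Passing the handshake proves possession of a trusted certificate; mapping it to an identity
     * and authorising the call remains the application's job.
     *
     * @return the Undertow factory with the extra-listener customizer attached
     * @throws IllegalStateException if the listener cannot be set up; startup fails rather than
     *         running without the mutual-TLS port
     */
    @Bean
    public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory()
    {
        UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
        factory.addBuilderCustomizers(new UndertowBuilderCustomizer()
        {
            @Override
            public void customize(Undertow.Builder builder)
            {
                try
                {
                    // "0.0.0.0" binds every interface; a server-to-server port may warrant a narrower bind address.
                    builder.addListener(new Undertow.ListenerBuilder().setPort(8444)
                        .setType(Undertow.ListenerType.HTTPS)
                        .setSslContext(getSSLContext())
                        .setHost("0.0.0.0")
                        // Per-listener override: only this listener demands a client certificate.
                        .setOverrideSocketOptions(OptionMap.create(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)));
                }
                catch (Exception e)
                {
                    log.error(e,"Could not add additional listener for https");
                    // Fail closed: do not let the application start without the mutual-TLS listener.
                    throw new IllegalStateException("Could not add additional listener for https on port 8444", e);
                }
            }
        });
        return factory;
    }
}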

如果您想使用 Java lambda 表达式，等价的写法如下：

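@Configuration
public class UndertowAdditionalSSLConfig {
    /**
     * Lambda form of the customizer: adds a second HTTPS listener on port 8444 that requires a
     * client certificate, leaving the Spring-managed 9443 listener untouched.
     *
     * <p>The client-auth mode is scoped to this listener via ListenerBuilder#setOverrideSocketOptions;
     * Undertow.Builder#setSocketOption would instead apply it to every listener.
     *
     * <p>NOTE(review): REQUIRED only guarantees that some certificate trusted by getSSLContext()'s
     * trust managers (not shown) was presented — keep those trust anchors limited to the CA that
     * issues the client certificates, and authorise the caller in the application afterwards.
     *
     * @return the Undertow factory with the extra-listener customizer attached
     * @throws IllegalStateException if the listener cannot be set up; startup fails rather than
     *         running without the mutual-TLS port
     */
    @Bean
    public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory() {
        UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
        factory.addBuilderCustomizers((UndertowBuilderCustomizer) builder -> {
            try {
                // "0.0.0.0" binds every interface; a server-to-server port may warrant a narrower bind address.
                builder.addListener(new Undertow.ListenerBuilder().setPort(8444)
                        .setType(Undertow.ListenerType.HTTPS)
                        .setSslContext(getSSLContext())
                        .setHost("0.0.0.0")
                        // Per-listener override: only this listener demands a client certificate.
                        .setOverrideSocketOptions(OptionMap.create(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)));
            } catch (Exception e) {
                log.error(e, "Could not add additional listener for https");
                // Fail closed: do not let the application start without the mutual-TLS listener.
                throw new IllegalStateException("Could not add additional listener for https on port 8444", e);
            }
        });
        return factory;
    }
}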
