小贝子编程

带有SSL身份验证的SOAP Web服务在Spring Boot中



我使用地铁堆栈在Java中制作了2个肥皂Web服务。为了防止不需要的请求,只要请求者拥有客户端证书,就只能提出它们。为此,web.xml看起来像以下代码:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
  <display-name>PadronExterno</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <listener>
    <listener-class>
            com.sun.xml.ws.transport.http.servlet.WSServletContextListener
        </listener-class>
  </listener>
  <servlet>
    <servlet-name>WebServicePort</servlet-name>
    <servlet-class>
            com.sun.xml.ws.transport.http.servlet.WSServlet
        </servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>TomcatStartupServlet</servlet-name>
    <servlet-class>com.company.TomcatStartupServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>WebServicePort</servlet-name>
    <url-pattern>/theWebService</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
      <web-resource-name>theWebService</web-resource-name>
      <description></description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <description></description>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>

最近,我已经开发了全新的肥皂WS,但我想尝试春季靴子。我开始使用Spring Initializr。Web服务已完全编码,完成,但缺少SSL身份验证/授权的一部分。

编辑

我提出了一个可能的解决方案,但是我缺少一些解决方案。到目前为止,这就是我能够写的:

@Configuration
@EnableWebSecurity
public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Autowired
    private Configuracion config;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Add support for HSTS
        http
            .headers()
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000);
        // Disable HTTP         
        http.httpBasic().disable();
        Integer httpPuerto = config.getHttpPuerto();
        Integer httpsPuerto = config.getHttpsPuerto();
        http
            .portMapper()
                .http(httpPuerto)
                .mapsTo(httpsPuerto);
        http.requiresChannel().anyRequest().requiresSecure();
    }
}

不幸的是,当遇到我的App Server(启用SSL/TLS的Tomcat 8.5(时,您可以在不拥有客户端证书的情况下运行它。根据要求,您是我的Tomcat连接器配置:

<Connector 
    connectionTimeout="20000" 
    port="9090" 
    protocol="HTTP/1.1" 
    redirectPort="9443"/>
<Connector 
    SSLEnabled="true" 
    keystorePass="***d" 
    keystoreType="JKS" 
    maxThreads="200" 
    port="9443" 
    protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
    scheme="https" 
    secure="true" 
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" 
    sslProtocol="TLSv1.2"
    clientAuth="want" 
    keystoreFile="D:apacheTomcat8.5certstomcat.jks" 
<Connector port="9009" protocol="AJP/1.3" redirectPort="9443"/>
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

我在WebSecurityConfigurerAdapter中缺少某些东西吗?谢谢

您首先说您有一个没有弹簧的工作示例,但是查看tomcat配置似乎缺少某些部分(例如,使用客户端证书授权的TrustStoreFile(

按照tomcat 7

在此处提供的步骤

例如生成服务器和客户端证书:

keytool -genkeypair -alias tomcat -keyalg RSA -dname "CN=tomcat.com" -keystore tomcat.keystore -keypass tomcat -storepass tomcat
keytool -genkeypair -alias user -keyalg RSA -dname "CN=user" -keypass usertomcat -keystore client.keystore -storepass usertomcat
keytool -exportcert -rfc -alias user -file client.cer -keypass usertomcat -keystore client.keystore -storepass usertomcat
keytool -importcert -alias user -file client.cer -keystore tomcat.keystore -storepass tomcat -noprompt
keytool -importkeystore -srckeystore client.keystore -destkeystore client.p12 -deststoretype PKCS12 -srcalias user -deststorepass usertomcat -destkeypass usertomcat

然后配置server.xml:

<!-- remove AprLifecycleListener!! -->
<Connector port="9443"
maxThreads="150"
scheme="https"
secure="true"
SSLEnabled="true"
truststoreFile="/path-to/tomcat.keystore"
truststorePass="tomcat"
keystoreFile="/path-to/tomcat.keystore"
keystorePass="tomcat"
clientAuth="true"
keyAlias="tomcat"
sslProtocol="TLS"/>

在浏览器中配置了tomcat和客户端证书后,它应该要求它,但是该应用程序会因http403错误而失败,因为您的春季配置需要https,但并未指定它需要客户端认证(因为您是您是客户的认证在没有弹簧的情况下进行Web.xml(。

您需要在SecurityConfigurerAdapter中指定:

http.x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)");

它最终应该起作用。

如果要以tomcat之外的独立弹簧启动执行它,则还应在application.properties

中配置 
server.port: 8443
server.ssl.key-store: tomcat.keystore
server.ssl.key-store-password: tomcat
server.ssl.keyStoreType: JKS
server.ssl.keyAlias: tomcat
server.ssl.trust-store=tomcat.keystore
server.ssl.trust-store-password=tomcat
server.ssl.client-auth:need

编辑:Tomcat中的信托店应仅包含客户端使用的根证书,而不是实际客户端证书

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium