如何告诉org.apache.http.impl.client.DefaultHttpClient使用OWASP Zed攻击代理(ZAP)

时间:2013-07-31 20:28:58

标签: java configuration proxy httpclient

我有一个正在运行的REST服务,现在我想通过使用OWASP ZAP代理进行自动测试。 DefaultHttpCient配置为HTTPS,如下所示:

public DefaultHttpClient getSSLClient(final String user, final String pwd)
        throws KeyManagementException, UnrecoverableKeyException,
        NoSuchAlgorithmException, KeyStoreException {

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { new CustomX509TrustManager() },
            null);

    HttpClient client = new DefaultHttpClient();

    SSLSocketFactory ssf = new CustomSSLSocketFactory(ctx, hostVerifier);
    ClientConnectionManager ccm = client.getConnectionManager();
    SchemeRegistry sr = ccm.getSchemeRegistry();
    sr.register(new Scheme("https", port, ssf));
    DefaultHttpClient sslClient = new DefaultHttpClient(ccm,
            client.getParams());

    sslClient.getCredentialsProvider().setCredentials(
            new AuthScope(host, port),
            new UsernamePasswordCredentials(user, pwd));

    /*
     * Those two lines are new and should force the client to use the ZAP proxy!
     */
    HttpHost proxy = new HttpHost("192.168.2.100", 8444, "https");
    sslClient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);

    return sslClient;
}

和TrustManager:

public class CustomX509TrustManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }

    @Override
    public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
            String authType) throws CertificateException {
        /*
         * Don't validate server's certificate. There is no need for.
         */
    }

    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

}

和ZAP的代理配置: enter image description here

通过使用Web浏览器,代理工作正常,但JUnit测试用例提供错误:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:109)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
    at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:443)
    at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:674)
    at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:565)
    at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:570)
    at at.fhj.ase.business.ServiceAddressImplTest.a100_insertAddressTest(ServiceAddressImplTest.java:70)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.rules.ExpectedException$ExpectedExceptionStatement.evaluate(ExpectedException.java:168)
    at org.junit.rules.RunRules.evaluate(RunRules.java:20)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)

似乎请求永远不会到达服务器,因为没有记录请求。

1 个答案:

答案 0 :(得分:0)

我在localhost方法中更新了应从192.168.2.100getSSLClient(...)应用凭据的主机,现在可以使用。

public DefaultHttpClient getSSLClient(final String user, final String pwd)
        throws KeyManagementException, UnrecoverableKeyException,
        NoSuchAlgorithmException, KeyStoreException {

    ...

    sslClient.getCredentialsProvider().setCredentials(
            new AuthScope("192.168.2.100", port),
            new UsernamePasswordCredentials(user, pwd));

   ...
}