Grails中基于证书的RESTful(X509)登录验证

时间:2014-05-22 12:37:48

标签: tomcat grails ssl spring-security x509certificate

我想在Grails说REST中设置基于证书的登录身份验证。

按照Burt Beckwith的文档,我使用Spring Security Plugin(spring-security-core:2.0-RC3)来设置X509身份验证:

grails.plugin.springsecurity.userLookup.userDomainClassName = 'de.app.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'de.app.UserRole'
grails.plugin.springsecurity.authority.className = 'de.app.Role'
grails.plugin.springsecurity.useX509 = true
grails.plugin.springsecurity.portMapper.httpsPort = "8443"
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                              ['permitAll'],
    '/index':                         ['permitAll'],
    '/index.gsp':                     ['permitAll'],
    '/**/js/**':                      ['permitAll'],
    '/**/css/**':                     ['permitAll'],
    '/**/images/**':                  ['permitAll'],
    '/**/favicon.ico':                ['permitAll']
]

证书文件和Tomcat配置的生成似乎有点棘手,但已在another answer中指出。我这样做并使用当前标准我必须配置Tomcat 7,首先是keystoreFile,keystorePass和clientAuth。我无法直接访问server.xml。因此,我必须找到另一个地方。关于此的Tomcat plugin's configuration看起来仅限于参数keystorePath和keystorePassword。我试着将它添加到BuildConfig:

grails.tomcat.keystorePath = "${basedir}/grails-app/conf/server.jks"
grails.tomcat.keystorePassword = "password"

不知道这两行是否足够。我发现了这个solution setting more connector arguments 但显然事件不再被触发,所以代码没有效果。

我找到了三种使用证书来处理我的请求的方法,即Firefox,cURL和wget。没有工作!记录我的Grails应用程序中的所有内容我发现显然没有证书到达Spring Security:

web.FilterChainProxy /vehicle at position 3 of 9 in additional filter chain; firing Filter: 'X509AuthenticationFilter'
x509.X509AuthenticationFilter Checking secure context token: null
x509.X509AuthenticationFilter No client certificate found in request.
x509.X509AuthenticationFilter No pre-authenticated principal found in request

卷曲请求:

curl -v -H "Content-Type: application/xml" --cert ./username.p12 -k -i https://localhost:8443/de.app/vehicle

及其替代方案:

wget —v --header='Content-Type: application/xml' --certificate='./username.p12' --no-check-certificate -S https://localhost:8443/de.app/vehicle

(Mac OS X Mavericks上有一个我想要解决的问题。)响应总是403(禁止):

* Adding handle: conn: 0x7f840280fe00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f840280fe00) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate: Web Server
> GET /de.app/vehicle HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:8443
> Accept: */*
> Content-Type: application/xml
> 
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1

我做错了什么?证书尚未发送或证书未从请求中正确获取。我相信后者。有什么猜测我怎么能深入了解?

1 个答案:

答案 0 :(得分:0)

您需要告诉Tomcat您要使用SSL的客户端身份验证。除了已经添加到BuildConfig的密钥库配置外,还要添加:

grails.tomcat.clientAuth = "want"


grails.tomcat.clientAuth = "true"

如果证书不存在,第一个会自动失败身份验证,而true值会出现。

此外,如果您计划为客户端使用自签名证书,则需要创建受信任的密钥库并配置Tomcat以使用它。

grails.tomcat.truststorePath = "${grailsSettings.baseDir}/conf/ssl/server/truststore.jks"
grails.tomcat.truststorePassword = "changeit"
相关问题
最新问题