我有一个包含5个REST API的Web应用程序。所有API都是启用了SSL的HTTPS。 这是server.xml中的连接器标记:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="true" sslProtocol="TLSv1.2"/>
现在我必须只使用onw-way SSL通过HTTP公开其中一个API。其他4个API只能通过具有双向SSL证书的HTTPS访问。
使用Spring启动和Spring 4安全性解决此问题的最佳方法是什么。
更新
我已经取得了一些进展。我已设置clientAuth="want"并且无需在客户端提供证书即可访问所需的API。但我不确定在为其他API强制执行2-way并编写自定义过滤器来检查SSL握手的方法。有没有办法在Spring Security中执行此操作。
我有以下MultiHttpSecurityConfig课程:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MultiHttpSecurityConfig {
private static final Logger LOG = LoggerFactory
.getLogger(MultiHttpSecurityConfig.class);
@Configuration
@Order(1)
public static class SecureApiConfigurationAdapter extends
WebSecurityConfigurerAdapter {
@Autowired
private HttpAuthEntryPoint httpAuthEntryPoint;
@Autowired
private X509UserDetSer x509UserUserDetSer;
protected void configure(
final HttpSecurity http)
throws Exception {
LOG.debug("/SSL2waysecureAPI/");
http.csrf().disable()
.antMatcher("/SSL2waysecureAPI/**")
.x509()
.subjectPrincipalRegex("CN=(.*?),")
// .subjectPrincipalRegex(".*")
.authenticationUserDetailsService(x509UserUserDetSer)
.and().exceptionHandling()
.authenticationEntryPoint(httpAuthEntryPoint)
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
Tomcat中的新连接器标记如下所示:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="want" sslProtocol="TLSv1.2"/>
答案 0 :(得分:2)
所以如果有人需要它 - 我就这样做了这样的事情
首先 - server.xml配置文件
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="want" sslProtocol="TLSv1.2"/>
然后是web.xml:
<filter>
<filter-name>ServletFilter</filter-name>
<filter-class>securechat.filter.ServletFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>ServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
之后,任何端点的任何请求都将挂钩到此过滤器。在其内部,您可以手动检查任何请求。如
@Component
public class ServletFilter implements Filter {
public static final String X_CLACKS_OVERHEAD = "X-Clacks-Overhead";
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
X509Certificate[] certificates = (X509Certificate[]) req
.getAttribute("javax.servlet.request.X509Certificate");
String servletPath = null;
int port = -1;
if (req instanceof HttpServletRequest) {
servletPath = ((HttpServletRequest)req).getServletPath();
port = ((HttpServletRequest)req).getServerPort();
System.out.println("getServletPath = " + ((HttpServletRequest)req).getServletPath() );
System.out.println(" ((HttpServletRequest)req).getServerPort() = " + ((HttpServletRequest)req).getServerPort());
//Just in memory of....
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader(X_CLACKS_OVERHEAD, "GNU Terry Pratchett");
//Here you can do checking for port and destination.
if(port == 8080 && !servletPath.equals("/notSecureDest/something")
//log error - we try to enter secured enpoint bu non-secured port and url
return; // we decline request
}else if(port == ??? && ???? ) {
//if all checkings age good - we do
chain.doFilter(req, res);
}
}
希望有所帮助。