如何在curl -k客户端中实现feign?
我知道我可以做到这一点。只是想知道是否有办法忽略或禁用。
new Client.Default(SSLSocketFactory sslContextFactory, HostnameVerifier hostnameVerifier)
答案 0 :(得分:14)
出于多种原因,您实际上不应该这样做。解决SSL问题的最简单方法是实际遵循SSL最佳做法并使用有效证书。有一些优秀的在线项目,如https://letsencrypt.org/,如果主机可以公开访问(如果它有一个可以验证的真实主机名),它甚至可以让你免费获得很好的安全性。
自行承担使用风险。请确认你理解你违反了很多最好的做法,只有在你理解的情况下才能使用它。
如果您使用此示例代码导致某些类型的主要问题,则您需要承担责任。
我在处理我想从spring-boot应用程序调用的内部(公共不可访问)服务时遇到了同样的问题,我使用以下代码解决了这个问题。
很多人会告诉您,您可以接受所有证书,在其中硬编码您的特定证书,或其他。实际上,您只能通过代码路径允许某些可信主机,这就是我在这里尝试获得额外的安全层。
在此示例代码中,您可以将多个主机传递给类,并且它应该允许仅向那些主机发出无效证书的请求,而其他所有主机都将通过正常的命令链。
这不是真正的生产级代码,但希望你可以使用它。
足够的讲课,以下内容可能会让您最感兴趣。
这用于Java 8和spring-boot。
<强>配置
@Configuration
public class FeignClientConfiguration {
@Bean
public Client client() throws NoSuchAlgorithmException, KeyManagementException {
return new Client.Default(new NaiveSSLSocketFactory("your.host.here"),
new NaiveHostnameVerifier("your.host.here"));
}
}
<强> NaiveHostnameVerifier
public class NaiveHostnameVerifier implements HostnameVerifier {
private final Set<String> naivelyTrustedHostnames;
private final HostnameVerifier hostnameVerifier =
HttpsURLConnection.getDefaultHostnameVerifier();
public NaiveHostnameVerifier(String ... naivelyTrustedHostnames) {
this.naivelyTrustedHostnames =
Collections.unmodifiableSet(new HashSet<>(Arrays.asList(naivelyTrustedHostnames)));
}
@Override
public boolean verify(String hostname, SSLSession session) {
return naivelyTrustedHostnames.contains(hostname) ||
hostnameVerifier.verify(hostname, session);
}
}
<强> NaiveSSLSocketFactory
public class NaiveSSLSocketFactory extends SSLSocketFactory {
private final SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
private final SSLContext alwaysAllowSslContext;
private final Set<String> naivelyTrustedHostnames;
public NaiveSSLSocketFactory(String ... naivelyTrustedHostnames) throws NoSuchAlgorithmException, KeyManagementException {
this.naivelyTrustedHostnames =
Collections.unmodifiableSet(new HashSet<>(Arrays.asList(naivelyTrustedHostnames)));
alwaysAllowSslContext = SSLContext.getInstance("TLS");
TrustManager tm = new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
alwaysAllowSslContext.init(null, new TrustManager[] { tm }, null);
}
@Override
public String[] getDefaultCipherSuites() {
return sslSocketFactory.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return sslSocketFactory.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
return (naivelyTrustedHostnames.contains(host)) ?
alwaysAllowSslContext.getSocketFactory().createSocket(socket, host, port, autoClose) :
sslSocketFactory.createSocket(socket, host, port, autoClose);
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return (naivelyTrustedHostnames.contains(host)) ?
alwaysAllowSslContext.getSocketFactory().createSocket(host, port) :
sslSocketFactory.createSocket(host, port);
}
@Override
public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException, UnknownHostException {
return (naivelyTrustedHostnames.contains(host)) ?
alwaysAllowSslContext.getSocketFactory().createSocket(host, port, localAddress, localPort) :
sslSocketFactory.createSocket(host, port, localAddress, localPort);
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return (naivelyTrustedHostnames.contains(host.getHostName())) ?
alwaysAllowSslContext.getSocketFactory().createSocket(host, port) :
sslSocketFactory.createSocket(host, port);
}
@Override
public Socket createSocket(InetAddress host, int port, InetAddress localHost, int localPort) throws IOException {
return (naivelyTrustedHostnames.contains(host.getHostName())) ?
alwaysAllowSslContext.getSocketFactory().createSocket(host, port, localHost, localPort) :
sslSocketFactory.createSocket(host, port, localHost, localPort);
}
}
我从这个答案中大量借用:
答案 1 :(得分:2)
使用 Spring Cloud Netflix> = 1.4.4.RELEASE 时,您还可以执行以下操作:
添加 okhttp 客户端Maven依赖项:
<dependency>
<groupId>io.github.openfeign</groupId>
<artifactId>feign-okhttp</artifactId>
</dependency>
并添加以下属性:
feign.httpclient.disableSslValidation=true
feign.httpclient.enabled=false
feign.okhttp.enabled=true
参考: https://github.com/spring-cloud/spring-cloud-netflix/issues/2729
答案 2 :(得分:1)
通过在application.yaml中添加以下属性来禁用ssl验证。
feign.httpclient.disableSslValidation = true
或作为VM参数
-Dfeign.httpclient.disableSslValidation = true
答案 3 :(得分:0)
feign.httpclient.disableSslValidation = true对我不起作用。
通过以下代码在“配置”中创建Client bean的工作:
import feign.Client;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContexts;
import org.springframework.context.annotation.Bean;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
public class ClientConfiguration {
@Bean
public Client feignClient() {
return new Client.Default(getSSLSocketFactory(), new NoopHostnameVerifier());
}
private SSLSocketFactory getSSLSocketFactory() {
try {
SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, new TrustSelfSignedStrategy()).build();
return sslContext.getSocketFactory();
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
}
pom.xml可能需要添加依赖项:
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.8</version>
</dependency>
答案 4 :(得分:0)
通过伪装配置覆盖
@Bean
public Client feignClient()
{
Client trustSSLSockets = new Client.Default(getSSLSocketFactory(), new NoopHostnameVerifier());
return trustSSLSockets;
}
private SSLSocketFactory getSSLSocketFactory() {
try {
TrustStrategy acceptingTrustStrategy = new TrustStrategy() {
@Override
public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
return true;
}
};
SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
return sslContext.getSocketFactory();
} catch (Exception exception) {
}
return null;
}
答案 5 :(得分:0)
将以下类添加到您的存储库并将此类用作配置
这段代码对我有用:
@Configuration
public class SSLSocketClient {
@Bean
public Client feignClient() {
return new Client.Default(getSSLSocketFactory(),getHostnameVerifier());
}
//SSLSocketFactory
// Install the all-trusting trust manager
public static SSLSocketFactory getSSLSocketFactory() {
try {
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, getTrustManager(), new SecureRandom());
return sslContext.getSocketFactory();
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
//TrustManager
// trust manager that does not validate certificate chains
private static TrustManager[] getTrustManager() {
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) {
}
@Override
public X509Certificate[] getAcceptedIssuers()
{
return new X509Certificate[]{};
}
}};
return trustAllCerts;
}
//HostnameVerifier
public static HostnameVerifier getHostnameVerifier() {
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
@Override
public boolean verify(String s, SSLSession sslSession)
{
return true;
}
};
return hostnameVerifier;
}}