Tomcat migration: self-signed certificate is not sent by the REST client

Time: 2018-03-28 13:54:14

Tags: java tomcat ssl spring-security

During development we run two WAR applications on a single Tomcat.

The first WAR is a front-end server that serves JSPs and other HTML content; the second is a back-end server that should handle all data requests coming from the browser through the front-end server, which connects to the back-end REST endpoints using JBoss RESTEasy.

While migrating from Tomcat-7.0.57 to Tomcat-9.0.6 I ran into a problem: the certificate is not sent from the front-end server to the back-end server.

More precisely, I copied all the key folders with the .JKS files, the configuration files and the certificates, and modified the configuration to match the new SSLHostConfig tag in Tomcat 9.

Unfortunately, requests from the front-end server to the back-end fail: it looks like the certificate is not sent with the request, so Spring Security on the back-end server creates an anonymous session and throws an AccessDeniedException.

Here is the Spring Security log from the back-end server:

2018-03-28 15:46:58,607 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession:174  - No HttpSession currently exists
2018-03-28 15:46:58,607 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository.loadContext:116  - No SecurityContext was available from the HttpSession: null. A new one will be created.
2018-03-28 15:46:58,624 [https-openssl-nio-8443-exec-6] DEBUG o.s.security.web.FilterChainProxy.doFilter:325  - /service/admin/users/filteredSearch at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-03-28 15:46:58,655 [https-openssl-nio-8443-exec-6] DEBUG o.s.security.web.FilterChainProxy.doFilter:325  - /service/admin/users/filteredSearch at position 4 of 10 in additional filter chain; firing Filter: 'X509AuthenticationFilter'
2018-03-28 15:46:58,656 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.a.p.x.X509AuthenticationFilter.doFilter:113  - Checking secure context token: null
2018-03-28 15:46:58,657 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.a.p.x.X509AuthenticationFilter.extractClientCertificate:57  - No client certificate found in request.
2018-03-28 15:46:58,658 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.a.p.x.X509AuthenticationFilter.extractClientCertificate:57  - No client certificate found in request.
2018-03-28 15:46:58,658 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.a.p.x.X509AuthenticationFilter.doAuthenticate:169  - No pre-authenticated principal found in request
2018-03-28 15:46:58,679 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor.authenticateIfRequired:348  - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2018-03-28 15:46:58,723 [https-openssl-nio-8443-exec-6] DEBUG o.s.s.w.a.ExceptionTranslationFilter.handleSpringSecurityException:173  - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

Updated server.xml SSL connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/json,text/javascript,text/css,text/plain,application/javascript,application/x-javascript,application/xml,application/xml+xhtml,application/json"
           useSendfile="false" URIEncoding="UTF-8">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="${catalina.home}/conf/server.jks" certificateKeystorePassword="certKeyPass" type="RSA" truststoreFile="${catalina.home}/conf/server.jks" truststorePassword="passwordHere" certificateKeyAlias="certAlias" />
    </SSLHostConfig>
</Connector>

REST client code:

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.concurrent.TimeUnit;
import javax.annotation.PostConstruct;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder.HostnameVerificationPolicy;

@PostConstruct
public void init() throws IOException, GeneralSecurityException {
    if (sslDebug) {
        System.setProperty("javax.net.debug", "SSL:handshake");
    }

    // Load the JKS that holds the client key pair and the trusted back-end certificate.
    final File file = new File(sslKeystoreFilepath);
    keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    try (FileInputStream is = new FileInputStream(file)) {
        keyStore.load(is, sslKeystorePassword.toCharArray());
    }

    // The same keystore doubles as the trust store for the back-end's self-signed certificate.
    trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(keyStore);

    // PortalKeyManager is the project's own X509KeyManager; it selects the client alias to present.
    final SSLContext sslContext = SSLContext.getInstance("TLS");
    final PortalKeyManager manager = new PortalKeyManager(keyStore, serverKeyPassword, endpointAlias, serverAlias);
    sslContext.init(new KeyManager[] { manager }, trustManagerFactory.getTrustManagers(), new SecureRandom());
    // Sanity check only: throws if the alias has no certificate chain, the value itself is unused.
    manager.getCertificateChain(serverAlias)[0].getSubjectDN().getName();

    builder = new ResteasyClientBuilder().connectionPoolSize(maxTotal)
            // ANY disables host name verification against the server certificate
            .hostnameVerification(HostnameVerificationPolicy.ANY)
            .trustStore(keyStore)
            .socketTimeout(soTimeout, TimeUnit.MILLISECONDS)
            .maxPooledPerRoute(defaultMaxPerRoute)
            .connectionCheckoutTimeout(connectionTimeout, TimeUnit.MILLISECONDS)
            .connectionTTL(connectionTimeout, TimeUnit.MILLISECONDS)
            .establishConnectionTimeout(connectionTimeout, TimeUnit.MILLISECONDS)
            .sslContext(sslContext);
}

0 answers:

No answers
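Added example for the migration described above, not part of the question or any answer: in Tomcat 9 the SSLHostConfig attribute certificateVerification defaults to none, in which case Tomcat never asks the client for a certificate, and the truststoreFile/truststorePassword attributes belong on SSLHostConfig rather than on Certificate. The connector below keeps the question's file names, aliases and password placeholders; the compression attributes are omitted for brevity.

```xml
<!-- Added example: the question's connector with client certificate
     verification switched on. Without certificateVerification Tomcat 9
     sends no CertificateRequest during the handshake, so the client's
     key manager is never consulted and X509AuthenticationFilter logs
     "No client certificate found in request". -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" useSendfile="false" URIEncoding="UTF-8">
    <!-- "required": handshake fails unless the client presents a certificate
                     (Tomcat 7 equivalent: clientAuth="true")
         "optional": certificate is requested but anonymous TLS sessions still
                     reach the webapp (Tomcat 7 equivalent: clientAuth="want")
         truststoreFile is the store used to verify the client certificate. -->
    <SSLHostConfig certificateVerification="required"
                   truststoreFile="${catalina.home}/conf/server.jks"
                   truststorePassword="passwordHere">
        <!-- Certificate only carries the server's own key pair. -->
        <Certificate certificateKeystoreFile="${catalina.home}/conf/server.jks"
                     certificateKeystorePassword="certKeyPass"
                     certificateKeyAlias="certAlias"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

With javax.net.debug=SSL:handshake enabled on the client (as the question's sslDebug flag does), a CertificateRequest message appearing in the handshake trace confirms that the server is now asking for the client certificate.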