Spring Boot: configure client-auth=need for a secondary SSL listener

Date: 2018-04-26 16:33:06

Tags: spring-boot ssl undertow

I am using spring-boot version 1.5.6.RELEASE. I have configured SSL declaratively on port 9443 in application.yml, and that works fine. I am also using Undertow for this Spring Boot application.

server:
  session:
    cookie:
      http-only: true
  contextPath: /webapp
  port: 9443
  ssl:
    key-store: /etc/pki/mycert.jks
    key-store-password: ${SSL_KEYSTORE_PWD}
    keyStoreType: JKS
    keyAlias: alias

I have configured an additional SSL port programmatically. Here is a snippet:

import io.undertow.Undertow;
import org.springframework.boot.context.embedded.undertow.UndertowBuilderCustomizer;
import org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class UndertowAdditionalSSLConfig
{
    // log and getSSLContext() are defined elsewhere in this class (not shown in the question)

    @Bean
    public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory()
    {
        UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
        factory.addBuilderCustomizers(new UndertowBuilderCustomizer()
        {
            @Override
            public void customize(Undertow.Builder builder)
            {
                try
                {
                    // second HTTPS listener next to the one declared in application.yml
                    builder.addHttpsListener(9444, "0.0.0.0", getSSLContext());
                }
                catch (Exception e)
                {
                    log.error(e, "Could not add additional listener for https");
                }
            }
        });
        return factory;
    }
}

The secondary SSL port is used for x509 client authentication of REST calls between servers. I have not been able to figure out how to do the equivalent of the following programmatically for the secondary SSL port:

client-auth=need

The problem I run into is that the client certificate does not seem to be sent, or it is not being accepted by the server. My thinking is that this is the piece I am missing. Thanks for your help.

Update

After some digging through the Spring Boot source, I found this:

builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);

I applied the change to my code:

@Override
public void customize(Undertow.Builder builder)
{
    try
    {
        builder.addHttpsListener(8444, "0.0.0.0", getSSLContext());
        builder.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
    }
    catch (Exception e)
    {
        log.error(e, "Could not add additional listener for https");
    }
}

I thought I had the solution I was looking for, but this change also leaks into the SSL on port 9443, and the application stops responding to browser access.

Really, the better question to ask is: how do I set up SSL on 2 separate ports, with 1 of them accepting client certificates, so that client-based authentication can be done?

Thanks

2 Answers:

Answer 0 (score: 1)

You don't need to set getSslContext on the builder in addHttpsListener to customize the whole sslContext used by all connectors; instead you need to set the SSL on the specific connector.

Answer 1 (score: 0)

You should set client-auth: want in the application.properties file, as follows:

server:
  session:
    cookie:
      http-only: true
  contextPath: /webapp
  port: 9443
  ssl:
    key-store: /etc/pki/mycert.jks
    key-store-password: ${SSL_KEYSTORE_PWD}
    keyStoreType: JKS
    keyAlias: alias
    client-auth: want

and then open another port programmatically, as follows:

import io.undertow.Undertow;
import org.springframework.boot.context.embedded.undertow.UndertowBuilderCustomizer;
import org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

@Configuration
public class UndertowAdditionalSSLConfig
{
    // log and getSSLContext() are defined elsewhere in this class (not shown in the answer)

    @Bean
    public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory()
    {
        UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
        factory.addBuilderCustomizers(new UndertowBuilderCustomizer()
        {
            @Override
            public void customize(Undertow.Builder builder)
            {
                try
                {
                    // the client-auth override is attached to this listener only,
                    // so the listener on 9443 keeps its own settings
                    builder.addListener(new Undertow.ListenerBuilder().setPort(8444)
                        .setType(Undertow.ListenerType.HTTPS)
                        .setSslContext(getSSLContext())
                        .setHost("0.0.0.0")
                        .setOverrideSocketOptions(OptionMap.create(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)));
                }
                catch (Exception e)
                {
                    log.error(e, "Could not add additional listener for https");
                }
            }
        });
        return factory;
    }
}

And if you want to use a Java lambda expression:

import io.undertow.Undertow;
import org.springframework.boot.context.embedded.undertow.UndertowBuilderCustomizer;
import org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

@Configuration
public class UndertowAdditionalSSLConfig {

    // log and getSSLContext() are defined elsewhere in this class (not shown in the answer)

    @Bean
    public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory() {
        UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
        factory.addBuilderCustomizers((UndertowBuilderCustomizer) builder -> {
            try {
                builder.addListener(new Undertow.ListenerBuilder().setPort(8444)
                        .setType(Undertow.ListenerType.HTTPS)
                        .setSslContext(getSSLContext())
                        .setHost("0.0.0.0")
                        .setOverrideSocketOptions(OptionMap.create(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)));
            } catch (Exception e) {
                log.error(e, "Could not add additional listener for https");
            }
        });
        return factory;
    }
}
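The getSSLContext() used in the thread is never shown. The following is an added example, not code from the question or the answer: a complete customizer for the second listener that also builds that context from the server keystore plus a dedicated truststore holding only the CA that issues the client certificates, so the per-listener REQUIRED mode is backed by an explicit trust decision and the 9443 listener keeps whatever application.yml declares. The class name, the truststore path and the SSL_TRUSTSTORE_PWD variable are assumptions; the keystore path and SSL_KEYSTORE_PWD come from the question.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import io.undertow.Undertow;
import org.springframework.boot.context.embedded.undertow.UndertowBuilderCustomizer;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

// Adds a second HTTPS listener (8444) requiring a client cert; 9443 (application.yml) is untouched.
public class MutualTlsListenerCustomizer implements UndertowBuilderCustomizer {
    private static final String SERVER_KEYSTORE = "/etc/pki/mycert.jks";          // path from the question
    private static final String CLIENT_CA_TRUSTSTORE = "/etc/pki/client-ca.jks";  // placeholder (assumption)

    @Override
    public void customize(Undertow.Builder builder) {
        try {
            builder.addListener(new Undertow.ListenerBuilder()
                    .setType(Undertow.ListenerType.HTTPS)
                    .setHost("0.0.0.0")
                    .setPort(8444)
                    .setSslContext(mutualTlsContext())
                    // Override applies to this listener only, not to the builder-wide socket options.
                    .setOverrideSocketOptions(OptionMap.create(
                            Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)));
        } catch (Exception e) {
            // Fail startup rather than silently run without the mutual-TLS port.
            throw new IllegalStateException("Could not add mutual-TLS listener on 8444", e);
        }
    }

    // Server identity from the keystore; a client passes only if its cert chains to a CA in the truststore.
    static SSLContext mutualTlsContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(SERVER_KEYSTORE, "SSL_KEYSTORE_PWD"), System.getenv("SSL_KEYSTORE_PWD").toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(CLIENT_CA_TRUSTSTORE, "SSL_TRUSTSTORE_PWD"));  // env var name is an assumption
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static KeyStore loadJks(String path, String pwdEnv) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, System.getenv(pwdEnv).toCharArray());
        }
        return ks;
    }
}
```

Register it with factory.addBuilderCustomizers(new MutualTlsListenerCustomizer()) in the same bean the thread shows; a handshake on 9444 with no client certificate is then rejected by Undertow while 9443 still serves browsers.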