I have a Spring Boot application that exposes a REST API over HTTPS, and I want two-way (mutual) TLS authentication of clients. The client certificate is installed in the server-side truststore. When I test both client and server on my laptop, mutual authentication works fine. However, when the application is deployed on the test server, Spring Security rejects every client call with HTTP 403 (Forbidden). In the debug log I can see: "DEBUG o.s.s.w.a.p.x.X509AuthenticationFilter - No client certificate found in request."
pom.xml -
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.1.2.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <version>2.1.2.RELEASE</version>
</dependency>
SecurityConfig.java -
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity(debug = true)
@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/health", "/error", "/ecp**", "/getHtmlStatus", "/callOut")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                // Extract the CN from the client certificate's subject DN as the principal
                .x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(userDetailsService());
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new UserDetailsService() {
            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                // Only these two client certificate CNs are accepted
                if (username.equalsIgnoreCase("iwc4-qa.abc.com") ||
                        username.equalsIgnoreCase("qawr-backend.abc.com")) {
                    return new User(username, "", true, true, true, true,
                            AuthorityUtils.createAuthorityList("ROLE_USER"));
                } else {
                    // Unknown CN: reject, so the request stays unauthenticated
                    throw new UsernameNotFoundException("Unknown client certificate CN: " + username);
                }
            }
        };
    }
}
application.yml -
spring:
  profiles: "e1"
  main:
    allow-bean-definition-overriding: true
server:
  port: 8443
  ssl:
    client-auth: want
    key-store: /opt/app-root/ssl/truststore
    key-store-password: Password#123
    key-store-type: JKS
ciphers: ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    trust-store: /opt/app-root/ssl/truststore
    trust-store-password: Password#123
    trust-store-type: JKS
    enabled: true
security:
  require-ssl: true
With the same truststore downloaded onto my local machine, it works fine. Tried with the curl command -
curl -ik --cert iwc_e1_chain.crt --key iwc_e1_key.crt "https://sparc-dev.abc.com/ssltest"
Please help.
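An added Python model (not from the question, and not Spring Security's own code) of the decision path the configuration above sets up: it applies the post's `subjectPrincipalRegex` and allowed-CN list to a client certificate subject, and shows why `client-auth: want` produces an application-level 403 instead of a TLS handshake failure when no certificate reaches the container. It assumes that any certificate that does arrive has already been validated against the truststore.

```python
import re
from typing import Optional

# Regex from the question's SecurityConfig (subjectPrincipalRegex).
SUBJECT_PRINCIPAL_REGEX = re.compile(r"CN=(.*?)(?:,|$)")

# CNs accepted by the question's UserDetailsService (compared case-insensitively).
ALLOWED_CNS = {"iwc4-qa.abc.com", "qawr-backend.abc.com"}


def extract_principal(subject_dn: str) -> Optional[str]:
    """Mimic the X.509 principal extractor: first CN in the subject DN, or None."""
    match = SUBJECT_PRINCIPAL_REGEX.search(subject_dn)
    return match.group(1) if match else None


def decide(client_auth: str, subject_dn: Optional[str]) -> str:
    """Model the outcome of one request to a path covered by anyRequest().authenticated().

    client_auth: 'want' or 'need' (server.ssl.client-auth).
    subject_dn:  subject of the client certificate that reached the servlet
                 container (assumed already trusted), or None if no certificate
                 was presented, e.g. because TLS was terminated before the app.
    Returns 'handshake-rejected', '403' or '200:<principal>'.
    """
    if subject_dn is None:
        # 'need' makes the TLS layer refuse a certificate-less client outright.
        # 'want' lets the handshake complete; Spring Security then finds no
        # certificate on the request, logs the X509AuthenticationFilter message
        # from the question, and the authenticated() rule answers 403.
        return "handshake-rejected" if client_auth == "need" else "403"
    principal = extract_principal(subject_dn)
    # A missing CN or an unknown CN is treated like the UserDetailsService
    # throwing UsernameNotFoundException: the request stays unauthenticated.
    if principal is None or principal.lower() not in ALLOWED_CNS:
        return "403"
    return f"200:{principal}"


if __name__ == "__main__":
    # Constructed sample subjects, not taken from real certificates.
    print(decide("want", None))                                  # 403
    print(decide("need", None))                                  # handshake-rejected
    print(decide("want", "CN=iwc4-qa.abc.com, OU=QA, O=ABC"))    # 200:iwc4-qa.abc.com
    print(decide("want", "CN=other.abc.com, O=ABC"))             # 403
```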