
Weblogic breaks CXF certificate authentication when using proxy

I've got a CXF client configured in code. It uses certificate authentication to the WS server and proxy settings (which is without authentication). Everything works perfectly fine from the unit test and on Tomcat, but breaks when deployed on Weblogic. It goes through the proxy, but doesn't authenticate with the certificate. The strange thing is that if I'm not going through the proxy, the certificate authentication works. What can be the problem?

The code I'm using for initializing the client:

import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;

// Build the JAX-WS proxy for the service interface
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.setEndpointName(SERVICE_NAME);
factory.setAddress("Address of the WS server");
factory.setServiceClass(MyService.class);
this.port = (MyService) factory.create();

// Get hold of the HTTP conduit behind the proxy so transport settings can be changed
Client client = ClientProxy.getClient(port);
HTTPConduit conduit = (HTTPConduit) client.getConduit();

// proxy settings (the proxy itself requires no authentication)
HTTPClientPolicy policy = new HTTPClientPolicy();
policy.setProxyServer("IP OF THE PROXY");
policy.setProxyServerPort(PROXY_PORT); // placeholder constant; setProxyServerPort takes an Integer, not a String
conduit.setClient(policy);

// TLS: client certificate for mutual authentication with the WS server
KeyStore keyStore = KeyStore.getInstance(ARCHIVE_FILE_FORMAT);
InputStream keyFile = getKeyFileUrl().openStream();
keyStore.load(keyFile, getPassword().toCharArray());
KeyManager[] myKeyManagers = getKeyManagers(keyStore, getPassword());
TLSClientParameters tlsCP = new TLSClientParameters();
tlsCP.setKeyManagers(myKeyManagers);
// Disables hostname verification of the server certificate: the server's identity then
// rests on the trust store alone, so keep this off unless the name genuinely cannot match
tlsCP.setDisableCNCheck(true);
// Cipher suite filters are regular expressions matched against JSSE suite names
FiltersType cipherSuiteFilter = new FiltersType();
cipherSuiteFilter.getInclude().add(SSL_RSA_WITH_3_DES_EDE_CBC_SHA);
cipherSuiteFilter.getExclude().add(DH_ANON);
tlsCP.setCipherSuitesFilter(cipherSuiteFilter);
conduit.setTlsClientParameters(tlsCP);

When I enabled SSL debugging, I got these messages in the log file:

####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <weblogic user specified trustmanager validation status 0> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <SSLTrustValidator returns: 0> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: No trust failure, validateErr=0.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133524> <BEA-000000> <Performing hostname validation checks: www.cfmu.eurocontrol.int> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133524> <BEA-000000> <Proxying through 85.125.226.9> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133525> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Successfully completed post-handshake processing.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133526> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 230 bytesProduced = 261.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133528> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 1729 bytesProduced = 1786.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133627> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 733 bytesProduced = 705.> 

What does status=OK mean? Do I have an SSL connection? Then why does the server send the response as if not using a certificate?

I have tried different versions of CXF (including the latest, 2.7.7) and different versions of weblogic.

As I read the Oracle documentation, it seems Weblogic Server rejects any certificates in a certificate chain that do not have the basic constraint extension defined as CA. You can use the command line argument:

-Dweblogic.security.SSL.enforceConstraints=option

Where option can be 'strong' or 'true', strict, or off. Look at the documentation:

http://docs.oracle.com/cd/E11035_01/wls100/secmanage/ssl.html#wp1194346

Have you set this flag?

What worked:

Start your weblogic server. Go to 'Servers' under 'Environment'. Click on the server name. Under the 'General' tab, set the ClientCertProxyEnabled flag to true.

I've had the same kind of problem a while ago (CXF, mutual SSL authentication, proxy server, weblogic). I patched the CXF client to apply a (temporary) workaround ( http://pastebin.com/VfKA7MRC ), because it's a bug in the weblogic code since 10.3 in the method weblogic.net.https.HttpsClient.openServer() when using a proxy. Maybe the problem is already fixed now; I didn't look into it for 1.5 years.
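The question's log shows a completed handshake with no trust failure but says nothing about whether a client certificate was ever requested or sent, and the third answer locates the bug in the container's own proxy path. The following is an added diagnostic, not code from the question, the answers or the CXF or WebLogic projects: a wrapper around the keystore's X509KeyManager that records every time the TLS stack asks it for a client certificate. The class name RecordingKeyManager, its method names and the NOT_ASKED / NO_MATCH / SENT verdicts are all hypothetical; it assumes the same KeyStore and password the question's snippet already loads, and it replaces the post's unspecified getKeyManagers helper with a standard KeyManagerFactory.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical diagnostic (added example, not from the post): delegates to the keystore's
 * own X509KeyManager and records each time the TLS stack asks for a client certificate,
 * so "never asked", "asked but nothing matched" and "sent" can be told apart after one call.
 */
public final class RecordingKeyManager extends X509ExtendedKeyManager {

    private final X509KeyManager delegate;
    // One entry per CertificateRequest that reached this key manager, in handshake order.
    private final List<String> selections = Collections.synchronizedList(new ArrayList<String>());

    private RecordingKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    /** Same job as the post's getKeyManagers(keyStore, password) helper, plus the wrapping. */
    public static RecordingKeyManager[] wrap(KeyStore keyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        List<RecordingKeyManager> wrapped = new ArrayList<RecordingKeyManager>();
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                wrapped.add(new RecordingKeyManager((X509KeyManager) km));
            }
        }
        return wrapped.toArray(new RecordingKeyManager[0]);
    }

    /** Verdict to read after the web service call has been made once. */
    public String verdict() {
        if (selections.isEmpty()) {
            return "NOT_ASKED: no CertificateRequest reached this key manager "
                 + "(the TLS stack in use bypassed CXF's key managers, or the server never asked)";
        }
        String last = selections.get(selections.size() - 1);
        if (last.endsWith("alias=null")) {
            return "NO_MATCH: the server asked, but no keystore entry matched the requested issuers/key types";
        }
        return "SENT: " + last;
    }

    private String record(String path, String[] keyType, Principal[] issuers, String alias) {
        selections.add(path + " keyTypes=" + Arrays.toString(keyType)
                + " issuers=" + (issuers == null ? "(any)" : Arrays.toString(issuers))
                + " alias=" + alias);
        return alias;
    }

    // SSLSocket-based handshakes ask here.
    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return record("SSLSocket", keyType, issuers, delegate.chooseClientAlias(keyType, issuers, socket));
    }

    // SSLEngine-based handshakes ask here (the SSLENGINE lines in the question's log come from that path).
    // X509ExtendedKeyManager's default returns null, which silently sends no certificate, so override it.
    @Override
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        String alias = delegate instanceof X509ExtendedKeyManager
                ? ((X509ExtendedKeyManager) delegate).chooseEngineClientAlias(keyType, issuers, engine)
                : delegate.chooseClientAlias(keyType, issuers, null);
        return record("SSLEngine", keyType, issuers, alias);
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return delegate instanceof X509ExtendedKeyManager
                ? ((X509ExtendedKeyManager) delegate).chooseEngineServerAlias(keyType, issuers, engine)
                : delegate.chooseServerAlias(keyType, issuers, null);
    }

    // Plain delegation for the rest of the X509KeyManager contract.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

In the question's snippet, replace the getKeyManagers call with `RecordingKeyManager[] kms = RecordingKeyManager.wrap(keyStore, getPassword().toCharArray()); tlsCP.setKeyManagers(kms);`, invoke the port once through the proxy, then log `kms[0].verdict()`. NOT_ASKED on Weblogic with the proxy but SENT on Tomcat is consistent with the third answer's diagnosis: the container's own HTTPS client on the proxy path never hands CXF's key managers to the handshake. NO_MATCH instead points at the keystore contents or at the chain constraints the first answer discusses, since the server did ask and the recorded issuers show which CAs it will accept. On WebLogic, CXF's HttpsURLConnection goes through the container's weblogic.net.https handler unless the JDK handler is selected with the -DUseSunHttpHandler=true system property; comparing the verdict with and without that property separates a container problem from a keystore one.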
