Spring REST Service Certificate auth

I have written a Spring controller. It gets requests from clients. It's just REST style.

This is very good. But I need certificate authentication. Only clients which have client certificates with a key must have access to the REST service (Spring controller) (in other words, the client should have a keystore with a key).

How can I configure this security in Spring? Could you give me an example or a link where this is written?

Thanks

What you are looking for is called Mutual Authentication.

It is the server's responsibility to make/request the client to send its certificate. Each server does this differently and you'll have to look up how to configure your particular server.

For Spring Security, I would recommend looking into X.509 Authentication. This type of authentication is fairly easy to use and extend as needed.

EDIT

So, here are a couple of references that show examples of what you are asking:

http://whiteycode.blogspot.com/2012/04/part-3-x509-authentication-with-spring.html

PDF Warning

http://www.promixis.com/pdfs/SpringSecurityAndX509ClientCertificates.pdf

The above pdf file is no longer reachable...

This example is really good about explaining how to set up your certificates and create your own personal CA (Certificate Authority). Warning, the way that they show making the client certificate is just A WAY, not the way. Your client (i.e. web browser or Java HttpClient client) should determine which way to create your client certificate. Java likes to use its Java keystore of course and browsers tend to like the p12 style of certificates.

Final advice/warning... I don't know your level of knowledge with certificates, but... Mutual Authentication is all about who trusts whom. It is the server's responsibility to say, I need you to authenticate yourself with a certificate and here is a list of certificate providers I trust. It is then the client's responsibility to reply with a certificate signed by one of those server-trusted certificate providers. It is the application's responsibility to then say, do I trust this person based on their name inside of the certificate? If and when things start to go wrong, think about who is and/or isn't trusting whom.

One great tool is using -Djavax.net.debug=ssl on your application. It will show the entire SSL handshake, what is being requested and what the specific responses are. That option is a bit verbose, but it is nice to have when needed.

EDIT X 2

Here is how to enable mutual authentication on Tomcat 7.

In your server.xml config file you should see something close to the following for an SSL connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="C:\Java\Certs\localhost.jks"
           keystorePass="changeit"
           URIEncoding="UTF-8" />

The important value to note is the clientAuth value.

Setting clientAuth to 'want' tells the client to send a signed client SSL certificate from a list of certificates that the server trusts, if you have one. If not, go ahead and make your request as normal.

Setting clientAuth to 'true' tells the client that they HAVE to send a signed client SSL certificate from a list of certificates that the server trusts. If you do not have a certificate signed by one of the certificates that the server trusts, the client is NOT allowed to make the request.

The list of certificates that the server trusts either comes from the default Java truststore or can be set using the -Djavax.net.ssl.trustStore="C:\\Java\\Certs\\jssecacerts1" VM option.

Generally, when you have a specific CA certificate that you trust that isn't in the default Java truststore, the default truststore is copied, the new CA certificate is imported into the copied truststore, and the copy is then used with the above VM option.

WARNING

It is super important NOT to change the default Java truststore in place. If you do, all Java applications on that machine will by default be using the new updated truststore. That is not always what people want and can possibly cause security risks.
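The application-side decision the answer describes (Tomcat checks that a trusted CA signed the certificate, the application decides whom it trusts by name) can be expressed with Spring Security's X.509 support. This is an added example, not code from the answer or from any project it links; it assumes Spring Boot 2.x with Spring Security 5.x, Java 9+ for `Set.of`, and the allowlisted CNs `rest-client-1` and `batch-importer` are invented.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed allowlist of client certificate CNs this service accepts. Tomcat and the
    // truststore only verify that a trusted CA signed the certificate; the application
    // still has to decide, by name, whether it trusts that particular client.
    private static final Set<String> ALLOWED_CLIENTS = Set.of("rest-client-1", "batch-importer");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()                                   // stateless REST, no browser session
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .x509()
                // Extract the CN from the subject DN; it becomes the username looked up below.
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(clientCertUserDetailsService())
            .and()
            .authorizeRequests()
                // With clientAuth="want" a request that sent no certificate still reaches this
                // point, as anonymous, and is rejected here instead of at the TLS handshake.
                .anyRequest().hasRole("CERT_CLIENT");
    }

    @Bean
    public UserDetailsService clientCertUserDetailsService() {
        return cn -> {
            if (!ALLOWED_CLIENTS.contains(cn)) {
                throw new UsernameNotFoundException("client certificate CN not allowed: " + cn);
            }
            // The password is never checked: X.509 is a pre-authenticated mechanism.
            return User.withUsername(cn).password("").roles("CERT_CLIENT").build();
        };
    }
}
```

A certificate whose CN is not on the list is treated as an unauthenticated request and refused by the authorization rule, which is the "do I trust this person based on their name" step from the answer.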

I created a 100% comprehensible example project with everything needed to set up a Spring Boot app with a REST endpoint that is secured by client certificate - and a Testcase with the RestTemplate that is configured to use the client certificate to communicate with the secured server: https://github.com/jonashackt/spring-boot-rest-clientcertificate

It also contains all steps needed to generate the .key, .crt and .jks files. Just adjust the steps accordingly if you don't want to use a self-signed certificate.

The RestTemplate is configured like this:

package de.jonashackt.restexamples;

import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.util.ResourceUtils;
import org.springframework.web.client.RestTemplate;

import javax.net.ssl.SSLContext;

@Configuration
public class RestClientCertTestConfiguration {

    // Same password for the keystore, the key inside it and the truststore (test setup only)
    private String allPassword = "allpassword";

    @Bean
    public RestTemplate restTemplate(RestTemplateBuilder builder) throws Exception {

        SSLContext sslContext = SSLContextBuilder
                .create()
                // keystore.jks: the client's own certificate and private key, sent to the server
                .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"), allPassword.toCharArray(), allPassword.toCharArray())
                // truststore.jks: the CA certificate(s) the client accepts for the server
                .loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword.toCharArray())
                .build();

        HttpClient client = HttpClients.custom()
                .setSSLContext(sslContext)
                .build();

        return builder
                // Spring Boot 1.x signature; Spring Boot 2.x takes a Supplier instead:
                // .requestFactory(() -> new HttpComponentsClientHttpRequestFactory(client))
                .requestFactory(new HttpComponentsClientHttpRequestFactory(client))
                .build();
    }
}

Then you can use it just like you're used to, with the @Autowired annotation inside your Test class.
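When the handshake fails, the first answer's advice is to work out who is not trusting whom. The plain-JDK check below, an added example that is not part of the linked project or either answer, loads the same keystore.jks and truststore.jks named above, confirms the keystore actually holds a private key, and validates the client certificate's chain against the CAs in the truststore, which is exactly what the server's truststore will do during the handshake. File names and the password "allpassword" are assumed from the configuration above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class ClientCertCheck {

    // Assumed file names and password (matching the example project above); adjust to yours.
    public static void main(String[] args) throws Exception {
        KeyStore keyStore = load("keystore.jks", "allpassword");
        KeyStore trustStore = load("truststore.jks", "allpassword");

        // The client keystore must hold a private key entry: a certificate without its key
        // cannot answer the server's CertificateRequest during the handshake.
        String alias = null;
        for (String a : Collections.list(keyStore.aliases())) {
            if (keyStore.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("keystore.jks has no private key entry");

        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : keyStore.getCertificateChain(alias)) chain.add((X509Certificate) c);

        X509Certificate client = chain.get(0);
        System.out.println("Client identity: " + client.getSubjectX500Principal().getName());
        client.checkValidity();                 // throws if expired or not yet valid
        validateAgainst(chain, trustStore);     // throws if no CA in the truststore signed it
        System.out.println("OK: keystore.jks chains to a CA in truststore.jks");
    }

    static KeyStore load(String file, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** PKIX path validation with the truststore's trusted-certificate entries as anchors. */
    static void validateAgainst(List<X509Certificate> chain, KeyStore trust) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trust.getCertificateAlias(c) == null) path.add(c); // anchors do not belong in the path
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // a self-signed lab CA publishes no CRL or OCSP
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }
}
```

Run it against the server's truststore rather than the client's to reproduce the server side of the trust decision; a CertPathValidatorException there means the server will reject the certificate before Spring Security ever sees it.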
