堆栈内存溢出
  简体   繁体   English

Spring Boot SSL TCPClient ~ StompBrokerRelayMessageHandler ~ ActiveMQ ~ Undertow

[英]Spring Boot SSL TCPClient ~ StompBrokerRelayMessageHandler ~ ActiveMQ ~ Undertow

 原文  2015-12-17 12:29:23       java/ spring-boot/ activemq/ stomp/ spring-websocket

问题描述

I'm attempting to build a websocket messaging app based on the Spring Websocket Demo running ActiveMQ as the STOMP message broker with Undertow .我正在尝试基于Spring Websocket Demo构建一个 websocket 消息传递应用程序,它运行ActiveMQ作为带有Undertow的 STOMP 消息代理。 The application runs fine on insecure connections.该应用程序在不安全的连接上运行良好。 However, I'm having difficulty configuring the STOMP Broker Relay to forward with SSL connections.但是,我在配置STOMP Broker Relay以使用 SSL 连接转发时遇到了困难。

As mentioned in the Spring WebSocket Docs...正如 Spring WebSocket 文档中所述...

The "STOMP broker relay" in the above configuration is a Spring MessageHandler that handles messages by forwarding them to an external message broker.上述配置中的“STOMP broker 中继”是一个 Spring MessageHandler,它通过将消息转发到外部消息 broker 来处理消息。 To do so it establishes TCP connections to the broker, forwards all messages to it, and then forwards all messages received from the broker to clients through their WebSocket sessions.为此,它与代理建立 TCP 连接,将所有消息转发给它,然后通过客户端的 WebSocket 会话将从代理接收到的所有消息转发给客户端。 Essentially it acts as a "relay" that forwards messages in both directions.本质上,它充当在两个方向上转发消息的“中继”。

Further, the docs state a dependency on reactor-net which I have...此外,文档说明了对我所拥有的reactor-net的依赖...

Please add a dependency on org.projectreactor:reactor-net for TCP connection management.请添加对 org.projectreactor:reactor-net 的依赖以进行 TCP 连接管理。

The issue is that my current implementation doesn't initialize the NettyTCPClient via SSL so the ActiveMQ connection fails with an SSLException.问题是我当前的实现没有通过 SSL 初始化NettyTCPClient ,因此 ActiveMQ 连接失败并出现 SSLException。

[r.i.n.i.n.t.NettyTcpClient:307] » CONNECTED: 
[id: 0xcfef39e9, /127.0.0.1:17779 => localhost/127.0.0.1:8442]
...
[o.a.a.b.TransportConnection.Transport:245] » 
Transport Connection to: tcp://127.0.0.1:17779 failed:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
...

As such I've attempted to research the Project Reactor Docs to set SSL options for the connection but I haven't been successful.因此,我试图研究Project Reactor Docs以设置连接的 SSL 选项,但我没有成功。

At this point I've found the StompBrokerRelayMessageHandler initializes the NettyTCPClient by default in Reactor2TcpClient yet, it doesn't appear to configurable.在这一点上,我发现StompBrokerRelayMessageHandler默认在Reactor2TcpClient 中初始化NettyTCPClient ,但它似乎不可配置。

Assistance would be greatly appreciated.将不胜感激。

SSCCE南昌

app.props app.props

spring.activemq.in-memory=true
spring.activemq.pooled=false
spring.activemq.broker-url=stomp+ssl://localhost:8442
server.port=8443
server.ssl.enabled=true
server.ssl.protocol=tls
server.ssl.key-alias=undertow
server.ssl.key-store=classpath:undertow.jks
server.ssl.key-store-password=xxx
server.ssl.trust-store=classpath:undertow_certs.jks
server.ssl.trust-store-password=xxx

WebSocketConfig网络套接字配置

//... 
@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    private static final Logger log = LoggerFactory.getLogger(WebSocketConfig.class);

    private final static String KEYSTORE = "/activemq.jks";
    private final static String KEYSTORE_PASS = "xxx";
    private final static String KEYSTORE_TYPE = "JKS";
    private final static String TRUSTSTORE = "/activemq_certs.jks";
    private final static String TRUSTSTORE_PASS = "xxx";

    private static String getBindLocation() {
        return "stomp+ssl://localhost:8442?transport.needClientAuth=false";
    }

    @Bean(initMethod = "start", destroyMethod = "stop")
    public SslBrokerService activeMQBroker() throws Exception {

        final SslBrokerService service = new SslBrokerService();
        service.setPersistent(false);

        KeyManager[] km = SecurityManager.getKeyManager();
        TrustManager[] tm = SecurityManager.getTrustManager();

        service.addSslConnector(getBindLocation(), km, tm, null);
        final ActiveMQTopic topic = new ActiveMQTopic("jms.topic.test");
        service.setDestinations(new ActiveMQDestination[]{topic});

        return service;
    }


    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        config.enableStompBrokerRelay("/topic").setRelayHost("localhost").setRelayPort(8442);
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/welcome").withSockJS();
        registry.addEndpoint("/test").withSockJS();
    }

   private static class SecurityManager { 
   //elided...
   }

}

SOLVED Per Rossens Advice.根据罗森斯的建议解决。 Here's the implementation details for anyone interested.这是任何感兴趣的人的实现细节。

WebSocketConfig网络套接字配置

@Configuration
public class WebSocketConfig extends DelegatingWebSocketMessageBrokerConfiguration {
    ...
    @Bean
    public AbstractBrokerMessageHandler stompBrokerRelayMessageHandler() {
      StompBrokerRelayMessageHandler handler = (StompBrokerRelayMessageHandler) super.stompBrokerRelayMessageHandler();
      ConfigurationReader reader = new StompClientDispatcherConfigReader();
      Environment environment = new Environment(reader).assignErrorJournal();
      TcpOperations<byte[]> client = new Reactor2TcpClient<>(new StompTcpClientSpecFactory(environment,"localhost", 8443));
      handler.setTcpClient(client);
      return handler;
    }
}

StompTCPClientSpecFactory StompTCPClientSpecFactory

private static class StompTcpClientSpecFactory
        implements NetStreams.TcpClientFactory<Message<byte[]>, Message<byte[]>> {

    private static final Logger log = LoggerFactory.getLogger(StompTcpClientSpecFactory.class);

    private final String host;
    private final int port;
    private final String KEYSTORE = "src/main/resources/tcpclient.jks";
    private final String KEYSTORE_PASS = "xxx";
    private final String KEYSTORE_TYPE = "JKS";
    private final String TRUSTSTORE = "/src/main/resources/tcpclient_certs.jks";
    private final String TRUSTSTORE_PASS = "xxx";
    private final String TRUSTSTORE_TYPE = "JKS";
    private final Environment environment;

    private final SecurityManager tcpManager = new SecurityManager
            .SSLBuilder(KEYSTORE, KEYSTORE_PASS)
            .keyStoreType(KEYSTORE_TYPE)
            .trustStore(TRUSTSTORE, TRUSTSTORE_PASS)
            .trustStoreType(TRUSTSTORE_TYPE)
            .build();

    public StompTcpClientSpecFactory(Environment environment, String host, int port) {
        this.environment = environment;
        this.host = host;
        this.port = port;
    }

    @Override
    public Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> apply(
            Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> tcpClientSpec) {

        return tcpClientSpec
                .ssl(new SslOptions()
                        .sslProtocol("TLS")
                        .keystoreFile(tcpManager.getKeyStore())
                        .keystorePasswd(tcpManager.getKeyStorePass())
                        .trustManagers(tcpManager::getTrustManager)
                        .trustManagerPasswd(tcpManager.getTrustStorePass()))
                .codec(new Reactor2StompCodec(new StompEncoder(), new StompDecoder()))
                .env(this.environment)
                .dispatcher(this.environment.getCachedDispatchers("StompClient").get())
                .connect(this.host, this.port);
    }
}

4 个解决方案

解决方案1
 6 已采纳  2015-12-17 15:02:42

The StompBrokerRelayMessageHandler has a tcpClient property you can set. StompBrokerRelayMessageHandler具有您可以设置的tcpClient属性。 However it looks like we don't expose that through the WebSocketMessageBrokerConfigurer setup. 但是看起来我们不会通过WebSocketMessageBrokerConfigurer设置公开它。

You can remove @EnableWebSocketMessageBroker and extend DelegatingWebSocketMessageBrokerConfiguration instead. 您可以删除@EnableWebSocketMessageBroker并扩展DelegatingWebSocketMessageBrokerConfiguration It's effectively the same but you're now extending directly from the configuration class that provides all the beans. 它实际上是相同的,但您现在直接从提供所有bean的配置类扩展。

This allows you to then override the stompBrokerRelayMessageHandler() bean and set its TcpClient property directly. 这允许您覆盖stompBrokerRelayMessageHandler() bean并直接设置其TcpClient属性。 Just make sure the overriding method is marked with @Bean . 只需确保覆盖方法标有@Bean

解决方案2
 4  2016-08-10 18:11:24

I needed to secure a STOMP broker relay to RabbitMQ using Spring Messaging 4.2.5 with Java 8 and found that the question's follow-up code had become outdated. 我需要使用带有Java 8的Spring Messaging 4.2.5来保护STOMP代理中继到RabbitMQ,并发现问题的后续代码已经过时了。

When launching my application, I provide truststore environment properties to trust an internal self-signed certificate authority. 启动我的应用程序时,我提供信任库环境属性以信任内部自签名证书颁发机构。 java -Djavax.net.ssl.trustStore=/etc/pki/java/server.jks -Djavax.net.ssl.trustStorePassword=xxxxx -jar build/libs/server.war

Per Rossen's answer, I changed 根据罗斯森的回答,我改变了 

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

to 

@Configuration
public class WebSocketConfig extends DelegatingWebSocketMessageBrokerConfiguration {

Then, in that WebSocketConfig , I provided my own AbstractBrokerMessageHandler bean: 然后,在那个WebSocketConfig ,我提供了自己的AbstractBrokerMessageHandler bean: 

@Bean
public AbstractBrokerMessageHandler stompBrokerRelayMessageHandler() {
    AbstractBrokerMessageHandler handler = super.stompBrokerRelayMessageHandler();
    if (handler instanceof StompBrokerRelayMessageHandler) {
        ((StompBrokerRelayMessageHandler) handler).setTcpClient(new Reactor2TcpClient<>(
                new StompTcpFactory("127.0.0.1", 61614, true)
        ));
    }
    return handler;
}

The instanceof conditional was to simplify use of a NoOpBrokerMessageHandler in unit tests. 条件的实例是在单元测试中简化NoOpBrokerMessageHandler使用。

And finally, the following is the implementation of the StompTcpFactory used above: 最后,以下是上面使用的StompTcpFactory的实现: 

public class StompTcpFactory implements NetStreams.TcpClientFactory<Message<byte[]>, Message<byte[]>> {

    private final Environment environment = new Environment(new SynchronousDispatcherConfigReader());
    private final String host;
    private final int port;
    private final boolean ssl;

    public StompTcpFactory(String host, int port, boolean ssl) {
        this.host = host;
        this.port = port;
        this.ssl = ssl;
    }

    @Override
    public Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> apply(Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> tcpClientSpec) {
        return tcpClientSpec
                .env(environment)
                .codec(new Reactor2StompCodec(new StompEncoder(), new StompDecoder()))
                .ssl(ssl ? new SslOptions() : null)
                .connect(host, port);
    }

    private static class SynchronousDispatcherConfigReader implements ConfigurationReader {
        @Override
        public ReactorConfiguration read() {
            return new ReactorConfiguration(Collections.emptyList(), "sync", new Properties());
        }
    }

}

解决方案3
 3  2018-02-07 09:45:51

@amoebob answer is great but threads aren't close properly. @amoebob答案很棒,但线程没有正确关闭。 Each time a connexion from client is open, a new thread is open and never closed. 每次打开来自客户端的连接时,新线程都会打开并且永不关闭。 I discover this issue in production and spend few days to resolve it. 我在生产中发现了这个问题,花了几天时间来解决它。 So I suggest you to change StompTcpFactory to improve threads reuse : 所以我建议你改变StompTcpFactory来改进线程重用: 

import io.netty.channel.EventLoopGroup;
import org.springframework.messaging.Message;
import org.springframework.messaging.simp.stomp.Reactor2StompCodec;
import org.springframework.messaging.simp.stomp.StompDecoder;
import org.springframework.messaging.simp.stomp.StompEncoder;
import org.springframework.messaging.tcp.reactor.Reactor2TcpClient;
import reactor.Environment;
import reactor.core.config.ReactorConfiguration;
import reactor.io.net.NetStreams;
import reactor.io.net.Spec;
import reactor.io.net.config.SslOptions;
import reactor.io.net.impl.netty.NettyClientSocketOptions;

public class StompTcpFactory implements NetStreams.TcpClientFactory<Message<byte[]>, Message<byte[]>> {

  private final Environment environment;
  private final EventLoopGroup eventLoopGroup;
  private final String host;
  private final int port;
  private final boolean ssl;

  public StompTcpFactory(String host, int port, boolean ssl) {
    this.host = host;
    this.port = port;
    this.ssl = ssl;
    this.environment = new Environment(() -> new ReactorConfiguration(emptyList(), "sync", new Properties()));
    this.eventLoopGroup = Reactor2TcpClient.initEventLoopGroup();
  }

  @Override
  public Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> apply(Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> tcpClientSpec) {
    return tcpClientSpec
            .env(environment)
            .options(new NettyClientSocketOptions().eventLoopGroup(eventLoopGroup))
            .codec(new Reactor2StompCodec(new StompEncoder(), new StompDecoder()))
            .ssl(ssl ? new SslOptions() : null)
            .connect(host, port);
  }

}

解决方案4
 0  2021-07-07 09:52:52

For everyone looking for updated solution I managed to solve the issue in cleaner way.对于寻找更新解决方案的每个人,我设法以更简洁的方式解决了这个问题。 Simply create and use own TCP client with SSL:只需通过 SSL 创建和使用自己的 TCP 客户端:

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.messaging.simp.stomp.StompReactorNettyCodec;
import org.springframework.messaging.tcp.reactor.ReactorNettyTcpClient;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
@RequiredArgsConstructor
class WebsocketConfiguration implements WebSocketMessageBrokerConfigurer {

  private final WebsocketProperties properties;

  @Override
  public void registerStompEndpoints(StompEndpointRegistry registry) {
    registry.addEndpoint("/ws").setAllowedOrigins("*");
    registry.addEndpoint("/ws").withSockJS();
  }

  @Override
  public void configureMessageBroker(MessageBrokerRegistry registry) {

    ReactorNettyTcpClient<byte[]> tcpClient = new ReactorNettyTcpClient<>(configurer -> configurer
            .host(properties.getRelayHost())
            .port(properties.getRelayPort())
            .secure(), new StompReactorNettyCodec());

    registry.enableStompBrokerRelay("/queue", "/topic")
            .setAutoStartup(true)
            .setSystemLogin(properties.getClientLogin())
            .setSystemPasscode(properties.getClientPasscode())
            .setClientLogin(properties.getClientLogin())
            .setClientPasscode(properties.getClientPasscode())
            .setTcpClient(tcpClient);

    registry.setApplicationDestinationPrefixes("/app");
    }
}

In my case (slightly different) I created two implementations of ReactorNettyTcpClient as a Beans and depending on the environment I pick one with / without SSL.在我的情况下(略有不同),我创建了ReactorNettyTcpClient作为 Bean 的两个实现,并根据环境选择了一个带/不带 SSL 的实现。

Dependencies:依赖项:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.4</version>
        <relativePath/>
    </parent>
    .
    .
    .
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-websocket</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-activemq</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.activemq</groupId>
        <artifactId>activemq-stomp</artifactId>
        <version>5.16.2</version>
    </dependency>
    <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty</artifactId>
        <version>1.0.8</version>
    </dependency>

I hope anybody who's currently trying to resolve this issue find it useful.我希望目前正在尝试解决此问题的任何人都会发现它很有用。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 spring boot - undertow https会话不会过期或停止ssl握手 - spring boot - undertow https session not expire or stop ssl handshake 在Spring Boot中配置Undertow RequestEncodingHandler - Configuring Undertow RequestEncodingHandler in Spring Boot 使用Spring Boot进行ActiveMQ配置 - ActiveMQ configuration with Spring Boot Undertow与Spring Boot应用程序一起使用时的问题 - Issue when Undertow used with spring boot app 在 spring boot 嵌入式 undertow 上将 http 重定向到 https - Redirect http to https on spring boot embedded undertow 在Spring Boot中为Undertow启用HTTP 2.0 - Enable HTTP 2.0 for Undertow in Spring Boot Undertow和Tomcat的Spring Boot .war上下文路径 - Spring Boot .war context path for Undertow and Tomcat 使用Spring Boot设置Camel和Activemq - Camel and Activemq setup with Spring Boot Spring 引导的 ActiveMQ 依赖关系问题 - Problem with ActiveMQ dependencies with Spring Boot 在build.gradle中提供了runtime spring-boot-starter-undertow,但是:bootRun仍然使用Tomcat而不是undertow - providedRuntime `spring-boot-starter-undertow` in `build.gradle` but `:bootRun` still using Tomcat instead of undertow
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM