"javax.servlet.request.X509Certificate" request attribute does not return CA certs
I have a requirement where a single web app, which has multiple web services, needs SSL configured. But only one web service should have mutual SSL, and the rest have to be on one-way SSL.
For this, I have used:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="somefolder\some-KeyStore.store" keystorePass="changeit"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="SSL"
truststoreFile="somefolder\some-trustStore.jks"
truststoreType="JKS" truststorePass="Changeit"/>
And in the code I use the snippet below in a filter for a service URL:
X509Certificate[] certificates = (X509Certificate[]) request
.getAttribute("javax.servlet.request.X509Certificate");
This checks whether the service that needs mutual SSL gets a certificate that is valid. So when that URL gets called, the servlet filter checks for the cert.
But the problem is that this works only for self-signed certs; when I use CA-signed certs, the above scriptlet returns null (i.e., no certs).
The cert algorithms are RSA and DSA types; is there any significance to this, or to the type of keyStores and trustStores?
Please let me know if I am missing anything, or if I need to use any other code for CA-signed certs. I really need CA certs in the requests.
Thanks for the input,
But I figured it out. I did not import the cert chain in the TrustStore initially; I just had the CA cert there. Once I configured the CA certs, keystore and trustStore properly, it fixed the issue.
It worked initially with self-signed certs because self-signed certs don't have cert chains.
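As an added example (not code from the question or answer above), here is a complete servlet filter built around the same request attribute. It shows the point the thread turns on: with clientAuth="want" the connector lets connections through whether or not the handshake produced a client chain the truststore could validate, so the application itself has to deny the one mutual-TLS service when the attribute comes back null. The service path "/services/secure" and the attribute name stored for downstream code are assumptions for illustration.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: requires a validated client certificate only for the
 * service under MUTUAL_TLS_PATH; every other URL stays on one-way TLS.
 */
public class MutualTlsFilter implements Filter {
    // Assumed path of the single web service that needs mutual SSL.
    private static final String MUTUAL_TLS_PATH = "/services/secure";
    // Standard servlet attribute the container fills in after a successful client-auth handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Services that only need one-way SSL pass straight through.
        if (!request.getServletPath().startsWith(MUTUAL_TLS_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        // Null means the connector did not end the handshake with a client chain it could
        // validate against its truststore (no cert sent, or the chain was not trusted).
        // With clientAuth="want" the connection still arrives here, so deny it ourselves.
        if (!request.isSecure() || certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // certs[0] is the client's own certificate; later entries are the chain towards the CA.
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }

        // Hand the authenticated subject to the service (attribute name is assumed).
        request.setAttribute("client.subject", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }
}
```

The filter is mapped to "/services/*" (or to the whole app) in web.xml in the usual way; the path test inside it is what confines the client-certificate requirement to the one service. Trust decisions themselves still happen in the connector's truststore, which is why the answer's fix of importing the full chain rather than only the CA cert is what makes the attribute non-null.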