Spring Security X509 - 403 禁止
[英]Spring Security X509 - 403 Forbidden
问题描述
I'm attempting to implement authentication of one single client to my spring boot rest API through X509 - client certification.
我正在尝试通过 X509 - 客户端认证对我的 Spring Boot Rest API 实现单个客户端的身份验证。 I've created a private key:我创建了一个私钥:
openssl genrsa -des3 -out client.key 1024
To create this key I've set some generic password like changeit , and this password was used in all subsequent file creations and requests.为了创建这个密钥,我设置了一些通用密码,比如changeit ,这个密码用于所有后续的文件创建和请求。
Next, I've created a certificate signing request:接下来,我创建了一个证书签名请求:
openssl req -new -key client.key -out client.csr
and set the common name localhost (other fields are irrelevant as far as I understand?)并设置通用名称localhost (据我所知,其他字段无关紧要?)
Next, created the certificate using the csr:接下来,使用 csr 创建证书:
openssl x509 -req -days 3650 -in client.csr -signkey client.key -out client.crt
Next, created the Java Truststore:接下来,创建 Java 信任库:
keytool -import -file client.crt -alias clientCA -keystore truststore.jks
And finally, created the keystore as a .p12 file:最后,将密钥库创建为 .p12 文件:
openssl pkcs12 -export -in client.crt -inkey client.key -certfile client.crt -name "clientcert" -out keystore.p12
On the Spring boot(2.0.2 version) side I've got the security configuration class:在 Spring boot(2.0.2 版本)方面,我有安全配置类:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.x509();
}
/*
* localhost is the CN of the client certificate
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("localhost")
.password("none")
.roles("USER");
}
}
and the application.properties file:和 application.properties 文件:
server.port=8443
logging.level.root=info
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=changeit
server.ssl.trust-store=classpath:truststore.jks
server.ssl.trust-store-password=changeit
server.ssl.client-auth=need
security.headers.hsts=NONE
Submitting a get request like提交一个获取请求,如
curl -vkE ./keystore.p12:changeit --cert-type P12 "https://localhost:8443/customers/test"
gives me a valid response (purposely changing or omitting the proper cert throw an SSL error), which is good.给了我一个有效的响应(故意更改或省略正确的证书会引发 SSL 错误),这很好。
NOW: If I try to submit a POST the same way with a request body, like现在:如果我尝试以与请求正文相同的方式提交 POST,例如
curl -kiE ./keystore.p12:changeit --cert-type P12 -X POST -H "Content-Type: application/json" --data @req-body.json "https://localhost:8443/customers"
I get the following response:我收到以下回复:
HTTP/1.1 403
Set-Cookie: JSESSIONID=106214250C497F20C5F1AA02E554B316; Path=/; Secure; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 16 Jul 2018 13:49:43 GMT
{"timestamp":"2018-07-16T13:49:43.335+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/customers"}%
I have no clue why this is happening (the 403) and am kindly asking for help.我不知道为什么会发生这种情况(403),我恳请帮助。
PS Submitting any http method other than GET (even the ones the controller does not support): throws the same 403 - Forbidden. PS 提交 GET 以外的任何 http 方法(即使是控制器不支持的方法):抛出相同的 403 - Forbidden。
PPS Calling a non-existent resource with a GET returns a nice proper 404 response. PPS 使用 GET 调用不存在的资源会返回正确的 404 响应。 So it has something to do with the HTTP method settings somewhere?那么它与某处的HTTP方法设置有关吗?
1 个解决方案
解决方案1
2 已采纳 2018-07-16 14:57:16
找出原因:我禁用了 csrf,现在它可以工作了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.