Attach client certificates with Axis2?

Is it possible to easily attach a client certificate to an Axis2 stub generated using wsdl2java? I need to change the client certificate dynamically on a per-request basis, so simply storing it in the keystore won't work for our case.

I've found examples where this is being done for non-SOAP calls, but could not find anything related to using the Axis client stubs. Trying to hack the XML for the SOAP call is an option I guess, albeit a painful one! Groan!

If you want to change which certificate is used depending on which connection is made, you'll need to configure an SSLContext to do so, as described in this answer: https://stackoverflow.com/a/3713147/372643

As far as I know, Axis 2 uses Apache HttpClient 3.x, so you'll need to follow its way of configuring the SSLContext (and X509KeyManager if needed). The easiest way might be to configure Apache HttpClient's global https protocol handler with your SSLContext, set up with an X509KeyManager configured to choose the client certificate as you require (via chooseClientAlias).

If the issuers and the connected Socket (probably the remote address) are not enough for deciding which certificate to choose, you may need to implement a more complex logic which will almost inevitably require careful synchronization with the rest of your application.

EDIT:

Once you've built your SSLContext and X509KeyManager, you need to pass them to Apache HttpClient 3.x. For this, you can build your own SecureProtocolSocketFactory, which will build the socket from this SSLContext (via an SSLSocketFactory, see SSLContext methods). There are examples in the Apache HttpClient 3.x SSL guide. Avoid EasySSLProtocolSocketFactory, since it won't check any server cert (thereby allowing for MITM attacks). You could also try this implementation.

Note that you only really need to customize your X509KeyManager; you can initialize your SSLContext (via init) with null for the other parameters to keep the default values (in particular the default trust settings).

Then, "install" this SecureProtocolSocketFactory globally for Apache HttpClient 3.x using something like this:

Protocol.registerProtocol("https", new Protocol("https",
   (ProtocolSocketFactory)secureProtocolSocketFactory, 443));
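As an added example (not the answer's own code), here is how the pieces the answer describes fit together: an X509KeyManager whose chooseClientAlias reads the alias for the current request from a ThreadLocal, an SSLContext initialized with null trust managers so the default trust settings still verify the server, a SecureProtocolSocketFactory for HttpClient 3.x, and the global Protocol.registerProtocol call. The class names PerRequestKeyManager and KeyManagerSocketFactory and the ALIAS ThreadLocal are my own choices.

```java
import java.io.IOException;
import java.net.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.*;

/** X509KeyManager that delegates to the JSSE default but lets each thread pick its client alias. */
final class PerRequestKeyManager implements X509KeyManager {
    // Alias to present on the next TLS handshake of this thread; set it right before each stub call.
    static final ThreadLocal<String> ALIAS = new ThreadLocal<>();
    private final X509KeyManager delegate;
    PerRequestKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        String alias = ALIAS.get(); // null -> fall back to the default JSSE choice
        return alias != null ? alias : delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}

/** HttpClient 3.x socket factory whose SSLContext uses the key manager above and default trust settings. */
final class KeyManagerSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory ssf;

    KeyManagerSocketFactory(KeyStore clientKeys, char[] password) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, password); // keystore holding all client certs, one alias each
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers / SecureRandom keep the JSSE defaults, so the server cert is still verified.
        ctx.init(new KeyManager[] { new PerRequestKeyManager((X509KeyManager) kmf.getKeyManagers()[0]) }, null, null);
        ssf = ctx.getSocketFactory();
    }
    public Socket createSocket(String h, int p) throws IOException { return ssf.createSocket(h, p); }
    public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return ssf.createSocket(h, p, la, lp); }
    public Socket createSocket(String h, int p, InetAddress la, int lp, HttpConnectionParams params) throws IOException {
        return createSocket(h, p, la, lp); // connection timeout from params is not honoured in this sketch
    }
    public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException {
        return ssf.createSocket(s, h, p, autoClose);
    }

    /** Install globally: every Axis2 stub that goes through HttpClient 3.x over https now uses it. */
    static void install(KeyStore clientKeys, char[] password) throws GeneralSecurityException {
        Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) new KeyManagerSocketFactory(clientKeys, password), 443));
    }
}
```

Before each stub invocation, set PerRequestKeyManager.ALIAS to the wanted keystore alias on the calling thread; if the keystore has no entry under that alias, getPrivateKey returns null and the handshake fails rather than silently using another certificate. Keep in mind that a kept-alive connection already established with a different certificate will be reused as is, so connections must be closed or pooled per alias when the certificate changes between calls.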
