我有一个Web应用程序,它有5个REST API.所有API都是启用了SSL的HTTPS.
这是server.xml中的连接器标记:
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="true" sslProtocol="TLSv1.2"/>
现在,我必须只使用onw-way SSL通过HTTP公开其中一个API.其他4个API只能通过具有双向SSL证书的HTTPS访问.
使用Spring启动和Spring 4安全性解决此问题的最佳方法是什么.
更新
我在这方面取得了一些进展.我已设置clientAuth =“want”并且无需在客户端提供证书即可访问所需的API.但我不确定在为其他API强制执行2-way并编写自定义过滤器来检查SSL握手的方法.有没有办法在Spring Security中执行此操作.
我有以下MultiHttpSecurityConfig类:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MultiHttpSecurityConfig {
private static final Logger LOG = LoggerFactory
.getLogger(MultiHttpSecurityConfig.class);
@Configuration
@Order(1)
public static class SecureApiConfigurationAdapter extends
WebSecurityConfigurerAdapter {
@Autowired
private HttpAuthEntryPoint httpAuthEntryPoint;
@Autowired
private X509UserDetSer x509UserUserDetSer;
protected void configure(
final HttpSecurity http)
throws Exception {
LOG.debug("/SSL2waysecureAPI/");
http.csrf().disable()
.antMatcher("/SSL2waysecureAPI/**")
.x509()
.subjectPrincipalRegex("CN=(.*?),")
// .subjectPrincipalRegex(".*")
.authenticationUserDetailsService(x509UserUserDetSer)
.and().exceptionHandling()
.authenticationEntryPoint(httpAuthEntryPoint)
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
Tomcat中的新连接器标签如下所示:
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="want" sslProtocol="TLSv1.2"/>
解决方法:
所以,如果有人需要它 – 我就是这样做的
首先 – server.xml配置文件
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="want" sslProtocol="TLSv1.2"/>
然后是web.xml:
ServletFilter
securechat.filter.ServletFilter
true
ServletFilter
/*
之后,任何端点的任何请求都将挂钩到此过滤器.在它内部你可以手动检查任何request.something喜欢
@Component
public class ServletFilter implements Filter {
public static final String X_CLACKS_OVERHEAD = "X-Clacks-Overhead";
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
X509Certificate[] certificates = (X509Certificate[]) req
.getAttribute("javax.servlet.request.X509Certificate");
String servletPath = null;
int port = -1;
if (req instanceof HttpServletRequest) {
servletPath = ((HttpServletRequest)req).getServletPath();
port = ((HttpServletRequest)req).getServerPort();
System.out.println("getServletPath = " + ((HttpServletRequest)req).getServletPath() );
System.out.println(" ((HttpServletRequest)req).getServerPort() = " + ((HttpServletRequest)req).getServerPort());
//Just in memory of....
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader(X_CLACKS_OVERHEAD, "GNU Terry Pratchett");
//Here you can do checking for port and destination.
if(port == 8080 && !servletPath.equals("/notSecureDest/something")
//log error - we try to enter secured enpoint bu non-secured port and url
return; // we decline request
}else if(port == ??? && ???? ) {
//if all checkings age good - we do
chain.doFilter(req, res);
}
}
希望有所帮助.
标签:java,spring,ssl,spring-security,spring-boot-2
来源: https://codeday.me/bug/20190702/1354468.html