spring oauth2 资源服务器:禁用 ssl 验证
spring oauth2 resource server: disable ssl verification
我有一个 spring oauth2 服务,当该服务试图创建 bean jwtDecoderByIssuerUri 时失败了,因为:
...
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of <issuer>
...
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "<issuer>": No subject alternative names present; nested exception is javax.net.ssl.SSLHandshakeException: No subject alternative names present
在我已经禁用 ssl 验证并执行以下操作后出现此错误:
public final class SSLUtil {
private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
// Install the all-trusting trust manager
final SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, UNQUESTIONING_TRUST_MANAGER, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException {
// Return it to the initial state (discovered by reflection, now hardcoded)
SSLContext.getInstance("SSL").init(null, null, null);
}
private SSLUtil() {
throw new UnsupportedOperationException("Do not instantiate libraries.");
}
}
@Bean
JwtDecoder jwtDecoderByIssuerUri(final OAuth2ResourceServerProperties properties) throws KeyManagementException, NoSuchAlgorithmException {
turnOffSslChecking();
return JwtDecoders.fromIssuerLocation(properties.getJwt().getIssuerUri());
}
在我添加 turnOffSslChecking() 之前,错误是:
...
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
有没有办法避免所有这些 ssl 验证问题?
Oauth2 服务器要求 使用SSL/TLS。 (第 2.3.1 节随后引用了 Oauth 规范的第 1.6 TLS Version 节 -- https://www.rfc-editor.org/rfc/rfc6749)您最好解决原始问题而不是禁用 SSL。
您最初的问题是因为您需要将证书的 public 密钥安装到 TrustStore 中,而不是创建一个完全信任的 TrustManager。您没有指定,但我假设您使用的是具有默认 java TrustStore 的自签名证书。如果是这样,本文中的步骤应该可以解决问题。
https://medium.com/expedia-group-tech/how-to-import-public-certificates-into-javas-truststore-from-a-browser-a35e49a806dc
如果我的假设有误,请post提供更多信息。
我有一个 spring oauth2 服务,当该服务试图创建 bean jwtDecoderByIssuerUri 时失败了,因为:
...
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of <issuer>
...
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "<issuer>": No subject alternative names present; nested exception is javax.net.ssl.SSLHandshakeException: No subject alternative names present
在我已经禁用 ssl 验证并执行以下操作后出现此错误:
public final class SSLUtil {
private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
// Install the all-trusting trust manager
final SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, UNQUESTIONING_TRUST_MANAGER, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException {
// Return it to the initial state (discovered by reflection, now hardcoded)
SSLContext.getInstance("SSL").init(null, null, null);
}
private SSLUtil() {
throw new UnsupportedOperationException("Do not instantiate libraries.");
}
}
@Bean
JwtDecoder jwtDecoderByIssuerUri(final OAuth2ResourceServerProperties properties) throws KeyManagementException, NoSuchAlgorithmException {
turnOffSslChecking();
return JwtDecoders.fromIssuerLocation(properties.getJwt().getIssuerUri());
}
在我添加 turnOffSslChecking() 之前,错误是:
...
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
有没有办法避免所有这些 ssl 验证问题?
Oauth2 服务器要求 使用SSL/TLS。 (第 2.3.1 节随后引用了 Oauth 规范的第 1.6 TLS Version 节 -- https://www.rfc-editor.org/rfc/rfc6749)您最好解决原始问题而不是禁用 SSL。
您最初的问题是因为您需要将证书的 public 密钥安装到 TrustStore 中,而不是创建一个完全信任的 TrustManager。您没有指定,但我假设您使用的是具有默认 java TrustStore 的自签名证书。如果是这样,本文中的步骤应该可以解决问题。 https://medium.com/expedia-group-tech/how-to-import-public-certificates-into-javas-truststore-from-a-browser-a35e49a806dc
如果我的假设有误,请post提供更多信息。