本文主要简单讲述 CXF 配置 HTTPS 及所需 Keystore 的两种方式:XML 和代码配置,不会着重于介绍 CXF 本身。
完整代码:github待上传1. HTTPS HTTPS 可以简单理解为 HTTP+TLS/SSL 是一种保证网络请求安全的应用层协议
本文主要介绍双向验证的实现方式,下一篇文章介绍单项验证的实现
HTTPS双向认证(Mutual TLS authentication) https://help.aliyun.com/docum...从所需条件上说双向验证需要Server端和Client端都有公钥与私钥
2. XML 配置 CXF 支持HTTPS 2.1 Keystore
keystore是一种存放公钥与私钥的加密文件,其中JKS格式为Java自带工具(keytool)生成,双向验证需要以下keystore
- Server keystore: 包含服务器本身的私钥,以及所信任的Client端的公钥(CA证书注入得到)
- Client keystore: 包含client端本身的私钥,以及所信任的Server端的公钥
# 目录:resources/https_mutual_TLS_auth/keystore
# 服务器部分
# 生成服务端私钥,注意jdk11默认生成PKCS12的内部格式,需要用storetype指定jks格式,且JKS格式可以指定keystore的密码和内部key的密码,PKCS12的这两个密码默认相等
keytool -genkeypair -alias myservicekey -keystore serviceKeystore.jks -storetype jks -dname "cn=localhost" -keypass keypass -storepass storepass
# 将服务器私钥导出为证书(公钥)
keytool -export -rfc -keystore serviceKeystore.jks -alias myservicekey -file MyService.cer -storepass storepass# 生成client的私钥
keytool -genkeypair -alias myclientkey -keystore clientKeystore.jks -storetype jks -keypass keypass -storepass storepass
# 导出证书
keytool -export -rfc -keystore clientKeystore.jks -alias myclientkey -file MyClient.cer -storepass storepass# 注入:将服务器的证书作为信任的公钥导入client的keystore
keytool -import -noprompt -trustcacerts -file MyService.cer -alias myservicekey -keystore clientKeystore.jks -storetype jks -storepass storepass
# 同理 client的公钥导入服务器的keystore
keytool -import -noprompt -trustcacerts -file MyClient.cer -alias myclientkey -keystore serviceKeystore.jks -storetype jks -storepass storepass
2.1.2 内部构成
# clientKeystore
keytool -list -keystore clientKeystore.jks -storepass storepass
密钥库类型: JKS
密钥库提供方: SUN您的密钥库包含 2 个条目myclientkey, 2022年3月31日, PrivateKeyEntry,
证书指纹 (SHA-256): F5:86:67:3E:4A:D8:3C:82:37:63:D6:00:D6:FF:F0:96:1E:43:08:E1:E6:81:02:3E:1F:9C:3E:E5:7A:24:DA:AF
myservicekey, 2022年3月31日, trustedCertEntry,
证书指纹 (SHA-256): B0:EE:DD:89:EC:93:B2:B0:2C:4F:E5:97:27:D2:3D:46:CD:FF:BC:B6:CD:19:04:6D:20:1C:63:E1:C3:1A:2C:41# serviceKeystore
keytool -list -keystore serviceKeystore.jks -storepass storepass
密钥库类型: JKS
密钥库提供方: SUN您的密钥库包含 2 个条目myclientkey, 2022年3月31日, trustedCertEntry,
证书指纹 (SHA-256): F5:86:67:3E:4A:D8:3C:82:37:63:D6:00:D6:FF:F0:96:1E:43:08:E1:E6:81:02:3E:1F:9C:3E:E5:7A:24:DA:AF
myservicekey, 2022年3月31日, PrivateKeyEntry,
证书指纹 (SHA-256): B0:EE:DD:89:EC:93:B2:B0:2C:4F:E5:97:27:D2:3D:46:CD:FF:BC:B6:CD:19:04:6D:20:1C:63:E1:C3:1A:2C:41Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore serviceKeystore.jks -destkeystore serviceKeystore.jks -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。
2.2 配置文件
【CXF代码配置实现HTTPS】与之后的代码配置部分相对应
# resources/https_mutual_TLS_auth/ServerConfig.xml
# resources/https_mutual_TLS_auth/SecureClient.xml
2.3 使用
2.3.1 POM 注意:plugin是为了保证keystore不会被编译,否则内部加密二进制会错掉
11
11
3.5.1
org.springframework
spring-beans
4.3.30.RELEASE
org.springframework
spring-core
4.3.30.RELEASE
org.springframework
spring-context
4.3.30.RELEASE
com.sun.xml.ws
jaxws-rt
2.2.3
stax-ex
org.jvnet.staxex
mimepull
org.jvnet
wstx-asl
org.codehaus.woodstox
org.jvnet.jax-ws-commons.spring
jaxws-spring
1.8
junit
junit
4.13.2
test
org.apache.cxf
cxf-rt-frontend-jaxws
${cxfVersion}
org.apache.cxf
cxf-rt-transports-http
${cxfVersion}
org.apache.cxf
cxf-rt-databinding-aegis
${cxfVersion}
org.apache.cxf
cxf-rt-transports-http-jetty
${cxfVersion}
saaj-impl
com.sun.xml.messaging.saaj
org.apache.maven.plugins
maven-resources-plugin
2.6
jks
2.3.2 模拟业务
// User类随便写个就行
@WebService
public interface HaloServer {String sayHi(@WebParam(name="text")String text);
String sayHiToUser(User user);
}@WebService(endpointInterface = "com.pal.server.HaloServer",serviceName = "HaloServer")
public class HaloServerImpl implements HaloServer {@Override
public String sayHi(String text) {
return "Hi " + text;
}@Override
public String sayHiToUser(User user) {
return "Halo "+user.getName();
}
}
2.3.3 正式使用
/**
* 双向验证测试
*/
public class HttpsMutualTLSAuthTest {int port = 9001;
HaloServer endpoint = new HaloServerImpl();
@Test
public void xmlConfigTest()
{
// 防止出现双象验证协议版本不一致
System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,SSLv3");
// XML配置版本// 创建配置工厂Bean
JaxWsServerFactoryBean serverFactoryBean = new JaxWsServerFactoryBean();
// 创建读取配置文件的bus
URL serverConfigFile = HttpsDemo.class.getResource("/https_mutual_TLS_auth/ServerConfig.xml");
Bus serverConfigBus = new SpringBusFactory().createBus(serverConfigFile.toString());
// 设置参数及配置
serverFactoryBean.setBus(serverConfigBus);
serverFactoryBean.setServiceClass(HaloServer.class);
serverFactoryBean.setAddress("https://localhost:"+port+"/halo");
serverFactoryBean.setServiceBean(endpoint);
// 启动Server
Server server = serverFactoryBean.create();
//Client
URL clientConfigFile = HttpsDemo.class.getResource("/https_mutual_TLS_auth/SecureClient.xml");
Bus clientConfigBus = new SpringBusFactory().createBus(clientConfigFile.toString());
JaxWsProxyFactoryBean clientFactoryBean = new JaxWsProxyFactoryBean();
clientFactoryBean.setBus(clientConfigBus);
clientFactoryBean.setServiceClass(HaloServer.class);
clientFactoryBean.setAddress("https://localhost:"+port+"/halo");
HaloServer client = (HaloServer) clientFactoryBean.create();
// 调用
System.out.println(client.sayHi("world"));
User user = new User("Tim", 202);
System.out.println(client.sayHiToUser(user));
// 关闭
server.stop();
System.out.println("Server stop");
}}
3. 代码配置方式 注:前边的keystore文件和业务模拟类都通用
3.1 实现代码
/**
* 双向验证测试
*/
public class HttpsMutualTLSAuthTest {int port = 9001;
HaloServer endpoint = new HaloServerImpl();
@Test
public void test() throws GeneralSecurityException, IOException {// 防止出现双象验证协议版本不一致
System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,SSLv3");
// 创建配置工厂Bean
JaxWsServerFactoryBean serverFactoryBean = new JaxWsServerFactoryBean();
// 创建配置的bus
Bus serverConfigBus = new SpringBusFactory().createBus();
serverConfigBus.setExtension(getServerEngineFactory(),JettyHTTPServerEngineFactory.class);
// 设置参数及配置
serverFactoryBean.setBus(serverConfigBus);
serverFactoryBean.setServiceClass(HaloServer.class);
serverFactoryBean.setAddress("https://localhost:"+port+"/halo");
serverFactoryBean.setServiceBean(endpoint);
// 启动Server
Server server = serverFactoryBean.create();
//Client
URL clientConfigFile = HttpsDemo.class.getResource("/https_mutual_TLS_auth/SecureClient.xml");
Bus clientConfigBus = new SpringBusFactory().createBus();
JaxWsProxyFactoryBean clientFactoryBean = new JaxWsProxyFactoryBean();
clientFactoryBean.setBus(clientConfigBus);
clientFactoryBean.setServiceClass(HaloServer.class);
clientFactoryBean.setAddress("https://localhost:"+port+"/halo");
HaloServer client = (HaloServer) clientFactoryBean.create();
clientConfigBus.setExtension(getClientHttpConduit(client),HTTPConduit.class);
// 调用
System.out.println(client.sayHi("world"));
User user = new User("Tim", 202);
System.out.println(client.sayHiToUser(user));
// 关闭
server.stop();
System.out.println("Server stop");
}/**
* 获取Server端的EngineFactory用来装进Bus然后设置到JaxWsServerFactoryBean
* @return JettyHTTPServerEngineFactory 对应 ServerConfig.xml 中的标签
* @throws GeneralSecurityException
* @throws IOException
*/
public JettyHTTPServerEngineFactory getServerEngineFactory() throws GeneralSecurityException, IOException {// 对应 XML 中
TLSServerParameters tlsSp = new TLSServerParameters();
ClientAuthentication clientAuthentication = new ClientAuthentication();
clientAuthentication.setRequired(true);
clientAuthentication.setWant(true);
tlsSp.setClientAuthentication(clientAuthentication);
URL serverResourceUrl = HttpsMutualTLSAuthTest.class.getResource("/https_mutual_TLS_auth/keystore/serviceKeystore.jks");
FileInputStream inputStream = new FileInputStream(serverResourceUrl.getPath());
//
KeyStore serverKeystore = KeyStore.getInstance("JKS");
serverKeystore.load(inputStream,"storepass".toCharArray());
// 对应及其中内容
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(serverKeystore,"keypass".toCharArray());
tlsSp.setKeyManagers(kmf.getKeyManagers());
// 对应
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(serverKeystore);
tlsSp.setTrustManagers(tmf.getTrustManagers());
// 注意这里的 jettyHTTPServerEngine 生成方式有很多,详情看源码
JettyHTTPServerEngineFactory jettyHTTPServerEngineFactory = new JettyHTTPServerEngineFactory();
jettyHTTPServerEngineFactory.setTLSServerParametersForPort(port,tlsSp);
return jettyHTTPServerEngineFactory;
}/**
* 获取客户端的HTTPConduit用来装进Bus然后设置到JaxWsProxyFactoryBean
*
* @param haloServer 服务对象的代理对象
* @return HTTPConduit 对应 SecureClient.xml 中的标签
* @throws GeneralSecurityException
* @throws IOException
*/
public HTTPConduit getClientHttpConduit(HaloServer haloServer) throws GeneralSecurityException, IOException {//
TLSClientParameters tlsCp = new TLSClientParameters();
tlsCp.setDisableCNCheck(false);
URL clientResourceUrl = HttpsMutualTLSAuthTest.class.getResource("/https_mutual_TLS_auth/keystore/clientKeystore.jks");
FileInputStream inputStream = new FileInputStream(clientResourceUrl.getPath());
//
KeyStore clientKeystore = KeyStore.getInstance("JKS");
clientKeystore.load(inputStream,"storepass".toCharArray());
//
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(clientKeystore,"keypass".toCharArray());
tlsCp.setKeyManagers(kmf.getKeyManagers());
//
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(clientKeystore);
tlsCp.setTrustManagers(tmf.getTrustManagers());
HTTPConduit conduit = (HTTPConduit)ClientProxy.getClient(haloServer).getConduit();
conduit.setTlsClientParameters(tlsCp);
return conduit;
}
}