Java 使用restTemplate时需要忽略证书
我正在尝试向以下地址发送请求。证书无效,我想忽略它。我根据对的研究编写了以下代码,但无法完成。我使用的是Java 1.7Java 使用restTemplate时需要忽略证书,java,spring-mvc,ssl,resttemplate,Java,Spring Mvc,Ssl,Resttemplate,我正在尝试向以下地址发送请求。证书无效,我想忽略它。我根据对的研究编写了以下代码,但无法完成。我使用的是Java 1.7 https://api.stubhubsandbox.com/search/catalog/events/v3 代码 private static final TrustManager[]unquestion\u TRUST\u MANAGER=new TrustManager[]{ 新X509TrustManager(){ public java.security.cer
https://api.stubhubsandbox.com/search/catalog/events/v3
代码
private static final TrustManager[]unquestion\u TRUST\u MANAGER=new TrustManager[]{
新X509TrustManager(){
public java.security.cert.X509Certificate[]getAcceptedIssuers(){
返回null;
}
public void checkClientTrusted(X509Certificate[]证书,字符串authType){}
public void checkServerTrusted(X509Certificate[]证书,字符串authType){}
公共无效checkClientTrusted(
java.security.cert.X509Certificate[]arg0,字符串arg1)
抛出证书异常{
//TODO自动生成的方法存根
}
公共无效检查服务器受信任(
java.security.cert.X509Certificate[]arg0,字符串arg1)
抛出证书异常{
//TODO自动生成的方法存根
}
}
};
公共静态void main(字符串[]args){
信任策略接受信任策略=
SSLContext SSLContext=org.apache.http.ssl.SSLContexts.custom()
.loadTrustMaterial(空,acceptingTrustStrategy)
.build();
SSLConnectionSocketFactory csf=新的SSLConnectionSocketFactory(sslContext);
CloseableHttpClient httpClient=HttpClients.custom()
.setSSLSocketFactory(csf)
.build();
HttpComponents客户端HttpRequestFactory请求工厂=
新的HttpComponents客户端HttpRequestFactory();
setHttpClient(httpClient);
RestTemplate RestTemplate=新的RestTemplate(requestFactory);
字符串url=”https://api.stubhubsandbox.com/search/catalog/events/v3";
RestTemplate rest=新建RestTemplate();
Map mvm=newhashmap();
mvm.put(“授权”、“持票人授权”);
Object Object=rest.postForObject(url,null,Object.class,mvm);
系统错误打印项次(“完成”);
}
不确定jdk6之后情况是否发生了变化,但上次我尝试这样做时,我们需要将SSL证书导入JAVA_HOME的密钥库,该密钥库用于运行使用受信任SSL的程序
首先,您需要将证书导出到文件中。在windows中,您可以使用任何浏览器将SSL证书保存到您的个人证书存储中,然后运行mmc、添加证书管理单元(文件/添加/删除管理单元)和将证书保存到磁盘
然后,您需要使用将证书导入到受信任域cacerts。但您需要将其导入到java_home在运行上述程序时使用的密钥库中
下面的命令将把证书文件“mycertificate.cer”添加到文件“cacerts.jks”中的密钥库中。别名为“webservice”:
通常,密钥库密码是“changeit”,没有引号。将其更改为生产使用您可能已经注意到,Spring的
RestTemplate
将所有与HTTP相关的内容委托给ClientHttpRequestFactory的底层实现。由于您使用的是基于HttpClient
的实现,这里有几个有用的SO链接,介绍如何为内部HttpClient
实现这一点:
显然,从版本4.4开始,这可以通过以下方式完成:
CloseableHttpClient httpClient = HttpClients.custom().setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();
为了在几个spring项目中绕过SSL检查,我总是将我不久前编写(或找到)的SSLUtils类与spring的RestTemplate结合使用。使用下面提供的类,您只需在发送请求之前调用staticSSLUtil.turnofslchecking()
方法
import javax.net.ssl.*;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
public final class SSLUtil{
static {
//for localhost testing only
javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
new javax.net.ssl.HostnameVerifier(){
public boolean verify(String hostname,
javax.net.ssl.SSLSession sslSession) {
if (hostname.equals("localhost")) {
return true;
}
return false;
}
});
}
private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers(){
return null;
}
public void checkClientTrusted( X509Certificate[] certs, String authType ){}
public void checkServerTrusted( X509Certificate[] certs, String authType ){}
}
};
public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
// Install the all-trusting trust manager
final SSLContext sc = SSLContext.getInstance("SSL");
sc.init( null, UNQUESTIONING_TRUST_MANAGER, null );
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException {
// Return it to the initial state (discovered by reflection, now hardcoded)
SSLContext.getInstance("SSL").init( null, null, null );
}
private SSLUtil(){
throw new UnsupportedOperationException( "Do not instantiate libraries.");
}
}
试试看。希望这能为您提供一个简单的解决方案。您可以使用以下代码:
@Bean
public RestTemplate restTemplate()
throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
.loadTrustMaterial(null, acceptingTrustStrategy)
.build();
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(csf)
.build();
HttpComponentsClientHttpRequestFactory requestFactory =
new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(httpClient);
RestTemplate restTemplate = new RestTemplate(requestFactory);
return restTemplate;
}
在java 7中,将lambda表达式替换为:
TrustStrategy acceptingTrustStrategy = new TrustStrategy() {
@Override public boolean isTrusted(X509Certificate[] x509Certificates, String s)
throws CertificateException {
return true;
}
};
将SSLContext和X509TrustManager以及主机名验证程序实例添加到httpClientBuilders。
例如,它们可以是(以我的示例为例)
带有HttpComponents客户端HttpRequestFactory的HttpClientBuilder
具有OkHttp3ClientHttpRequestFactory的OkHttpClient.Builder
下面是apachehttpclient和OkHttpClient的示例代码。它用于演示,但您可以使用它
ApacheHttpClient
RestTemplate restTemplate = new RestTemplate(SSLClientFactory.getClientHttpRequestFactory(HttpClientType.HttpClient));
RestTemplate restTemplate = new RestTemplate(SSLClientFactory.getClientHttpRequestFactory(HttpClientType.OkHttpClient));
和OkHttpClient
RestTemplate restTemplate = new RestTemplate(SSLClientFactory.getClientHttpRequestFactory(HttpClientType.HttpClient));
RestTemplate restTemplate = new RestTemplate(SSLClientFactory.getClientHttpRequestFactory(HttpClientType.OkHttpClient));
SSLClientFactory是这里的自定义类
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.impl.client.HttpClientBuilder;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.client.OkHttp3ClientHttpRequestFactory;
import okhttp3.OkHttpClient;
public abstract class SSLClientFactory {
private static boolean allowUntrusted = false;
private static final long LOGIN_TIMEOUT_SEC = 10;
private static HttpClientBuilder closeableClientBuilder = null;
private static OkHttpClient.Builder okHttpClientBuilder = null;
public enum HttpClientType{
HttpClient,
OkHttpClient
}
public static synchronized ClientHttpRequestFactory getClientHttpRequestFactory(HttpClientType httpClientType){
ClientHttpRequestFactory requestFactory = null;
SSLContext sslContext = SSLClientFactory.getSSlContext();
if(null == sslContext){
return requestFactory;
}
switch (httpClientType) {
case HttpClient:
closeableClientBuilder = HttpClientBuilder.create();
//Add the SSLContext and trustmanager
closeableClientBuilder.setSSLContext(getSSlContext());
//add the hostname verifier
closeableClientBuilder.setSSLHostnameVerifier(gethostnameVerifier());
requestFactory = new HttpComponentsClientHttpRequestFactory(closeableClientBuilder.build());
break;
case OkHttpClient:
okHttpClientBuilder = new OkHttpClient().newBuilder().readTimeout(LOGIN_TIMEOUT_SEC, TimeUnit.SECONDS);
//Add the SSLContext and trustmanager
okHttpClientBuilder.sslSocketFactory(getSSlContext().getSocketFactory(), getTrustManager());
//add the hostname verifier
okHttpClientBuilder.hostnameVerifier( gethostnameVerifier());
requestFactory = new OkHttp3ClientHttpRequestFactory(okHttpClientBuilder.build());
break;
default:
break;
}
return requestFactory;
}
private static SSLContext getSSlContext(){
final TrustManager[] trustAllCerts = new TrustManager[]{getTrustManager()};
SSLContext sslContext = null;
try {
sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
} catch (NoSuchAlgorithmException | KeyManagementException e) {
e.printStackTrace();
}
return sslContext;
}
private static X509TrustManager getTrustManager(){
final X509TrustManager trustManager = new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
X509Certificate[] cArrr = new X509Certificate[0];
return cArrr;
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
// TODO Auto-generated method stub
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
// TODO Auto-generated method stub
}
};
return trustManager;
}
private static HostnameVerifier gethostnameVerifier(){
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
@Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
};
return hostnameVerifier;
}
}
如果您使用的是Apache httpClient 4.5,请执行以下操作:
public static void main(String... args) {
try (CloseableHttpClient httpclient = createAcceptSelfSignedCertificateClient()) {
HttpGet httpget = new HttpGet("https://example.com");
System.out.println("Executing request " + httpget.getRequestLine());
httpclient.execute(httpget);
System.out.println("----------------------------------------");
} catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException | IOException e) {
throw new RuntimeException(e);
}
}
private static CloseableHttpClient createAcceptSelfSignedCertificateClient()
throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
// use the TrustSelfSignedStrategy to allow Self Signed Certificates
SSLContext sslContext = SSLContextBuilder
.create()
.loadTrustMaterial(new TrustSelfSignedStrategy())
.build();
// we can optionally disable hostname verification.
// if you don't want to further weaken the security, you don't have to include this.
HostnameVerifier allowAllHosts = new NoopHostnameVerifier();
// create an SSL Socket Factory to use the SSLContext with the trust self signed certificate strategy
// and allow all hosts verifier.
SSLConnectionSocketFactory connectionFactory = new SSLConnectionSocketFactory(sslContext, allowAllHosts);
// finally create the HttpClient using HttpClient factory methods and assign the ssl socket factory
return HttpClients
.custom()
.setSSLSocketFactory(connectionFactory)
.build();
}
此代码绕过证书验证,您可以通过接受所有主机和证书以不安全的方式进行连接。这段代码适用于我s@Sebastián Ezquerro发布的解决方案非常实用。我用RestTemplate和FaignClient测试了这一点,它们的工作方式非常出色。非常感谢所有的贡献者。如果您想了解外国客户机解决方案,请参阅:
@Bean
public BasicAuthRequestInterceptor basicAuthRequestInterceptor() {
BasicAuthRequestInterceptor auth = new BasicAuthRequestInterceptor(username, password);
RequestTemplate template = new RequestTemplate();
template.header(HttpHeaders.ACCEPT, "application/json");
template.header(HttpHeaders.CONTENT_TYPE, "application/json");
auth.apply(template);
// disable SSL self signed certificate check
try {
SSLUtil.turnOffSslChecking();
} catch (NoSuchAlgorithmException e) {
log.error("Error disabling SSL check", e);
} catch (KeyManagementException e) {
log.error("Error disabling SSL check", e);
}
return auth;
}
谢谢您的回答,我知道可能需要下载证书,但我只是想知道是否可以首先忽略该证书。我错过了在您的代码中将unquestion\u TRUST\u MANAGER
设置为SSLContext
。@MichalFoksa如何设置?另外,我有jdk 1.7,但我的部分代码是1.8,不确定如何修复它。您正在强制RestTemplate
实例在RestTemplate RestTemplate=new RestTemplate(requestFactory)接受自签名证书代码>。但是您有restemplate rest=newrestemplate();rest.postForObject(url,null,Object.class,mvm)代码>。这意味着实际的REST调用使用不接受自签名证书的RestTemplate
实例。如果您改用restemplate.postForObject
,您的电话就会接通。谢谢您的回答,难道不能使用restemplate吗?我已经尝试了您的第二个要点的建议解决方案,但无法使其在JDK 1.7RestTemplate上工作。RESTTemplate只是一个包装器
@Bean
public BasicAuthRequestInterceptor basicAuthRequestInterceptor() {
BasicAuthRequestInterceptor auth = new BasicAuthRequestInterceptor(username, password);
RequestTemplate template = new RequestTemplate();
template.header(HttpHeaders.ACCEPT, "application/json");
template.header(HttpHeaders.CONTENT_TYPE, "application/json");
auth.apply(template);
// disable SSL self signed certificate check
try {
SSLUtil.turnOffSslChecking();
} catch (NoSuchAlgorithmException e) {
log.error("Error disabling SSL check", e);
} catch (KeyManagementException e) {
log.error("Error disabling SSL check", e);
}
return auth;
}