Java 弹簧靴&x2B;Spring Security应用程序的单向SSL和双向SSL端点
我有一个web应用程序,它有5个RESTAPI。所有API都是启用SSL的HTTPS。 这是server.xml中的连接器标记:Java 弹簧靴&x2B;Spring Security应用程序的单向SSL和双向SSL端点,java,spring,ssl,spring-security,spring-boot,Java,Spring,Ssl,Spring Security,Spring Boot,我有一个web应用程序,它有5个RESTAPI。所有API都是启用SSL的HTTPS。 这是server.xml中的连接器标记: 现在我只需要制作一个API,通过HTTPs和onw-waySSL公开。其他4个API应该只能通过具有双向SSL证书的HTTPS访问 使用Spring boot和Spring 4安全性解决此问题的最佳方法是什么 更新 我在这方面取得了一些进展。我已经设置了clientAuth=“want”,并且能够访问所需的API,而无需在客户端出示证书。但我不确定如何对其他API
现在我只需要制作一个API,通过HTTPs和onw-waySSL公开。其他4个API应该只能通过具有双向SSL证书的HTTPS访问
使用Spring boot和Spring 4安全性解决此问题的最佳方法是什么
更新
我在这方面取得了一些进展。我已经设置了clientAuth=“want”
,并且能够访问所需的API,而无需在客户端出示证书。但我不确定如何对其他API强制使用双向,并编写一个自定义过滤器来检查SSL握手。在SpringSecurity中是否有这样做的方法
我有以下MultiHttpSecurityConfig
类:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MultiHttpSecurityConfig {
private static final Logger LOG = LoggerFactory
.getLogger(MultiHttpSecurityConfig.class);
@Configuration
@Order(1)
public static class SecureApiConfigurationAdapter extends
WebSecurityConfigurerAdapter {
@Autowired
private HttpAuthEntryPoint httpAuthEntryPoint;
@Autowired
private X509UserDetSer x509UserUserDetSer;
protected void configure(
final HttpSecurity http)
throws Exception {
LOG.debug("/SSL2waysecureAPI/");
http.csrf().disable()
.antMatcher("/SSL2waysecureAPI/**")
.x509()
.subjectPrincipalRegex("CN=(.*?),")
// .subjectPrincipalRegex(".*")
.authenticationUserDetailsService(x509UserUserDetSer)
.and().exceptionHandling()
.authenticationEntryPoint(httpAuthEntryPoint)
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
Tomcat中的新连接器标签如下所示:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="want" sslProtocol="TLSv1.2"/>
因此,如果有人需要它,我会这样做 首先-server.xml配置文件
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
clientAuth="want" sslProtocol="TLSv1.2"/>
希望这会有所帮助。我认为这只是-在连接器中需要客户端身份验证应该确保那些需要http的端点也需要客户端身份验证。一个简单的方法是让前端服务器(Apache、Nginx、Haproxy等)为您处理客户端身份验证。您的Tomcat将是无SSL的,并且您的前端服务器将在需要时处理SSL。当我尝试调用/SSL2waysecureAPI/**而不指定客户端证书时,会调用我的控制器。我认为应该检查是否使用过滤器或其他东西来阻止访问安全URL,而不使用客户端证书?可能问题是,您没有配置角色限制,并且您的请求使用匿名用户/角色?Manu,您成功了吗?
<filter>
<filter-name>ServletFilter</filter-name>
<filter-class>securechat.filter.ServletFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>ServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
@Component
public class ServletFilter implements Filter {
public static final String X_CLACKS_OVERHEAD = "X-Clacks-Overhead";
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
X509Certificate[] certificates = (X509Certificate[]) req
.getAttribute("javax.servlet.request.X509Certificate");
String servletPath = null;
int port = -1;
if (req instanceof HttpServletRequest) {
servletPath = ((HttpServletRequest)req).getServletPath();
port = ((HttpServletRequest)req).getServerPort();
System.out.println("getServletPath = " + ((HttpServletRequest)req).getServletPath() );
System.out.println(" ((HttpServletRequest)req).getServerPort() = " + ((HttpServletRequest)req).getServerPort());
//Just in memory of....
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader(X_CLACKS_OVERHEAD, "GNU Terry Pratchett");
//Here you can do checking for port and destination.
if(port == 8080 && !servletPath.equals("/notSecureDest/something")
//log error - we try to enter secured enpoint bu non-secured port and url
return; // we decline request
}else if(port == ??? && ???? ) {
//if all checkings age good - we do
chain.doFilter(req, res);
}
}