Custom SSL TrustManager for a Java application server
I'm trying to set up SSL connections for a web service that is B2B and need to do client authentication on the server. Since the server hosts URLs that are also accessible from regular users through a browser, not all connections to the host need to do client-auth. Only specific URLs require client-auth to validate the caller's X509 certificate. We are using JBoss 5.x, which is based on Tomcat 5.x, so I have a connector configuration like so:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}" sslProtocol = "TLS"
scheme="https" secure="true" enableLookups="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/.myKeyStore"
keystorePass="password1" />
As you can see I have a keystore configured so we can provide our Signed Cert and I have clientAuth=false as the specific URLs needing client-auth will be configured in web.xml like so:
<security-constraint>
<web-resource-collection>
<web-resource-name>clientAuthResources</web-resource-name>
<url-pattern>/clientauth/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>authOnly</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myRealm</realm-name>
</login-config>
<security-role>
<role-name>authOnly</role-name>
</security-role>
Through a custom JAAS login module I can actually get this to work IF in the connector config above I also specify a truststore that has the client certs. That is where my issue is. Given the setup of our application and how we scale, each JBoss application server setup supports a specific segmentation of our users and I do not want truststores configured all over the place on the file system. We need to load the trusted certificates dynamically in code from our database. The custom JAAS login module does this at web level, and it also assigns roles; however, without the connector truststore the login module never gets called, as the connection is terminated at SSL level before HTTP gets involved.
After much research on the web I've determined I need a custom X509TrustManager configured in the SSLContext/SSLSocketFactory to get around this. This custom trust manager would also validate client certs off the ones stored in our database. I have created this custom trust manager; however, I cannot seem to hook it up. Does anyone know a way to configure this in JBoss or Tomcat 5.x? I noticed in Tomcat 7 the following config is available on a connector, trustManagerClassName, however that is not an option for me. I assume it's possible; any help is greatly appreciated.
Comments (1)
You can write your own org.apache.tomcat.util.net.jsse.JSSEImplementation and pass its full class name in the SSLImplementation attribute of your connector. See examples here:
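The answer's approach put together, as an added example that is not from the answer, Tomcat or JBoss: a JSSEImplementation subclass whose socket factory builds its trust managers from certificates kept in a database, delegating the actual chain checks to the JDK's PKIX trust manager rather than re-implementing them. The class name, package, JNDI name, table and column are hypothetical, and the getTrustManagers signature is the Tomcat 6 / JBoss Web one (an assumption; Tomcat 5.5 has a two-argument form).

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.sql.Connection;
import java.sql.ResultSet;
import javax.naming.InitialContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.sql.DataSource;
import org.apache.tomcat.util.net.ServerSocketFactory;
import org.apache.tomcat.util.net.jsse.JSSEImplementation;
import org.apache.tomcat.util.net.jsse.JSSESocketFactory;

// Connector attribute: SSLImplementation="com.example.DbTrustSSLImplementation" (hypothetical name)
public class DbTrustSSLImplementation extends JSSEImplementation {
    public ServerSocketFactory getServerSocketFactory() {
        return new JSSESocketFactory() {
            // Signature of the Tomcat 6 / JBoss Web line (assumption); Tomcat 5.5 has a two-argument form
            protected TrustManager[] getTrustManagers(String keystoreType, String keystoreProvider,
                                                      String algorithm) throws Exception {
                // Hypothetical JNDI name of the DataSource that holds the trusted client CA certificates
                DataSource ds = (DataSource) new InitialContext().lookup("java:/TrustDS");
                return buildTrustManagers(ds);
            }
        };
    }

    // Loads DER-encoded certificates from the database into an in-memory KeyStore and hands them to the
    // JDK's PKIX trust manager, so chain building, signatures and validity periods are still verified.
    static TrustManager[] buildTrustManagers(DataSource ds) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                                 // empty store, nothing on the file system
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Connection c = ds.getConnection();
        int n = 0;
        try {
            ResultSet rs = c.createStatement().executeQuery("SELECT cert_der FROM trusted_client_certs"); // hypothetical table
            while (rs.next())                                // one DER-encoded X.509 certificate per row
                ks.setCertificateEntry("db-" + (n++),
                        cf.generateCertificate(new ByteArrayInputStream(rs.getBytes(1))));
        } finally {
            c.close();
        }
        if (n == 0)   // fail closed and loudly: an empty trust store must never mean "accept every client"
            throw new IllegalStateException("no trusted client certificates in database");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        return tmf.getTrustManagers();
    }
}
```

With clientAuth="false" this trust manager is only consulted when the CLIENT-CERT authenticator renegotiates for the protected URL pattern, which is the behaviour the question asks for. The certificates are read once when the connector initialises, so a change to the table needs a connector restart or a refresh mechanism of your own.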