Enable SSL "Mutual Authentication" for WebServices and "One Way Authentication" for the GUI?

I need to apply SSL "Mutual Authentication" to the web services (SOAP) and "One Way Authentication" to the web pages, so that no certificate is needed in the browser. For reference, the GUI and the SOAP web services live in the same war module.

I have SSL mutual authentication in place at the Tomcat container level:

<Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="D:\certificates\demo-keystore"
           keystorePass="xxxxxxxx"
           truststoreFile="D:\certificates\demo-truststore"
           truststorePass="xxxxxxxx"/>

Thanks in advance.

You can use the APR connector, which has different attributes for many SSL settings, and configure SSLVerifyClient:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
       protocol="org.apache.coyote.http11.Http11AprProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       SSLCertificateFile="/usr/local/ssl/server.crt" 
       SSLCertificateKeyFile="/usr/local/ssl/server.pem"
       SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

SSLVerifyClient available options:

Ask client for certificate. The default is "none", meaning the client will not have the opportunity to submit a certificate. Other acceptable values include "optional", "require" and "optionalNoCA".

If you configure it as optional, the GUI cannot present a certificate (since it is not mandatory). To make sure a client certificate was supplied with the WebService, check the HttpServletRequest for the presence of javax.servlet.request.X509Certificate.
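As an added illustration of the check this answer suggests (it is not code from the answer itself): a servlet filter, mapped to /ws/* in web.xml, that rejects requests whose TLS handshake did not include a client certificate, so the connector can stay at SSLVerifyClient="optional" (or clientAuth="want") for the GUI. The class name ClientCertRequiredFilter and the clientSubjectDN request attribute are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of the original answer). Map it to /ws/* via
// <filter-mapping> in web.xml; GUI paths outside /ws/* are never touched.
public class ClientCertRequiredFilter implements Filter {

    // Standard servlet attribute Tomcat populates with the client certificate chain
    // once the TLS handshake has verified it against the truststore.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        // Refuse plain HTTP outright: a client certificate can only exist on a TLS connection.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        // With SSLVerifyClient="optional" the attribute is simply absent when the
        // client sent no certificate, so null here means "no mutual authentication".
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }

        // certs[0] is the client's own certificate; hand its subject DN to the service
        // so it can apply per-client authorization.
        req.setAttribute("clientSubjectDN", certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```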

Based on the Tomcat documentation for the clientAuth attribute:

Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

I set clientAuth to "false" and configured CLIENT-CERT authentication in WEB-INF/web.xml. This requires a client certificate only for the web services under the url pattern /ws/*:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>CXFServlet</web-resource-name>
        <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>