Spring云网关通客户端证书信息
Spring Cloud Gateway Pass Client Certificate Information
我正在尝试将客户端证书信息从 Spring 云网关转发到它背后的微服务。我修改了 Netty 配置,它成功地从客户端请求客户端证书,但我没有看到它将它转发到它背后的微服务。在 Apache 中,我们过去常常使用 +ExportCertData,它用客户端证书 DN、有效期等填充了少数 headers。Spring Cloud Gateway 是否具有这样的开箱即用功能?
我发现这两个问题看起来很相似,但都没有非常明确的答案。 spring cloud gateway forward client certificate and Does anyone have a simple example of implementing x509 mutual authentication in Spring Cloud Gateway/Spring WebFlux?
玩了一段时间后,在 Netty HttpClient 上更改某些内容似乎并不正确,因为据我所知,它不知道请求来自何处。但是我发现过滤器链具有我需要的所有信息,所以我放入了一个自定义 GlobalFilter,它将证书信息添加到 header,就像 Apache 所做的那样。
public class ClientSSLToHeaderFilter implements GlobalFilter, Ordered {
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
ServerHttpRequest req = exchange.getRequest();
SslInfo info = req.getSslInfo();
if(info != null) {
X509Certificate[] certs = info.getPeerCertificates();
if(certs != null && certs.length > 0) {
ServerHttpRequest request = exchange.getRequest().mutate()
.headers(httpHeaders -> {
try {
certs[0].checkValidity();
String encodedCert = new String(Base64.getEncoder().encode(certs[0].getEncoded()));
httpHeaders.add("SSL_CLIENT_CERT", encodedCert);
httpHeaders.add("SSL_CLIENT_VERIFY", "success");
} catch(CertificateEncodingException | CertificateExpiredException
| CertificateNotYetValidException e) {
// TODO Auto-generated catch block
log.log(Level.ERROR, e, e);
}
}).build();
return chain.filter(exchange.mutate().request(request).build());
}
}
return chain.filter(exchange);
}
@Override
public int getOrder() {
return -1;
}
}
我正在尝试将客户端证书信息从 Spring 云网关转发到它背后的微服务。我修改了 Netty 配置,它成功地从客户端请求客户端证书,但我没有看到它将它转发到它背后的微服务。在 Apache 中,我们过去常常使用 +ExportCertData,它用客户端证书 DN、有效期等填充了少数 headers。Spring Cloud Gateway 是否具有这样的开箱即用功能?
我发现这两个问题看起来很相似,但都没有非常明确的答案。 spring cloud gateway forward client certificate and Does anyone have a simple example of implementing x509 mutual authentication in Spring Cloud Gateway/Spring WebFlux?
玩了一段时间后,在 Netty HttpClient 上更改某些内容似乎并不正确,因为据我所知,它不知道请求来自何处。但是我发现过滤器链具有我需要的所有信息,所以我放入了一个自定义 GlobalFilter,它将证书信息添加到 header,就像 Apache 所做的那样。
public class ClientSSLToHeaderFilter implements GlobalFilter, Ordered {
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
ServerHttpRequest req = exchange.getRequest();
SslInfo info = req.getSslInfo();
if(info != null) {
X509Certificate[] certs = info.getPeerCertificates();
if(certs != null && certs.length > 0) {
ServerHttpRequest request = exchange.getRequest().mutate()
.headers(httpHeaders -> {
try {
certs[0].checkValidity();
String encodedCert = new String(Base64.getEncoder().encode(certs[0].getEncoded()));
httpHeaders.add("SSL_CLIENT_CERT", encodedCert);
httpHeaders.add("SSL_CLIENT_VERIFY", "success");
} catch(CertificateEncodingException | CertificateExpiredException
| CertificateNotYetValidException e) {
// TODO Auto-generated catch block
log.log(Level.ERROR, e, e);
}
}).build();
return chain.filter(exchange.mutate().request(request).build());
}
}
return chain.filter(exchange);
}
@Override
public int getOrder() {
return -1;
}
}