rest轻松https电话,如何接受所有证书
我试图通过以下方式使用jboss rest来调用REST服务
public ETTestCasePackage getPackageById(String packageId) throws PackageNotFound { ClientRequest req = new ClientRequest("https://facebook/api"); req.header("Authorization", "Basic " + EztrackerConstants.base64AuthenticationValue); req.pathParameter("id", packageId); ETTestCasePackage etPackage = null; try { logger.info("invoking "+req.getUri()); //ProxyFactory.create ClientResponse res = req.get(ETTestCasePackage.class); etPackage = res.getEntity(); } catch (Exception e) { logger.debug("Not able to retrieve details for testcase package having id = " + packageId, e); throw new PackageNotFound("Package with id " + packageId + " not found", e); } return etPackage; } 但上面的代码显然抛出了“peer not authenticated”;
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437) at
我可以将相应的证书添加到我的本地java安全jks来解决这个问题。 但我可能会运行这么多机器,所以不能对所有机器都这样做。 所以我想通过覆盖http检查让我的http客户端接受所有请求。
但为了rest容易httprequest,我无法找到办法做到这一点。 是否会有人帮助我轻松完成这项rest。
谢谢你提前,syam。
我试过这段代码调用实际代码忽略但仍然没有覆盖默认设置。 任何想法让它为这个rest容易的客户工作。
private void test(){ TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( java.security.cert.X509Certificate[] certs, String authType) { } public void checkServerTrusted( java.security.cert.X509Certificate[] certs, String authType) { } } }; // Install the all-trusting trust manager try { SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } catch (Exception e) { } } static { //for localhost testing only javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier( new javax.net.ssl.HostnameVerifier(){ public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) { return true; } }); } }
使用已签名的证书作为计划A.作为计划B,在针对您不能控制的另一个系统的暂存版本时,可以使用以下解决方案。
对于Resteasy 3,您需要为客户端实例提供您自己的所有信任的Httpclient。 当然你不应该在生产中使用它,所以一定不要硬化它。
通常(使用jax-rs 2.0)你会像这样初始化一个客户端:
javax.ws.rs.client.Client client = javax.ws.rs.client.ClientBuilder.newClient();
对于所有信任客户端,请将其替换如下:
Client client = null; if (config.trustAllCertificates) { log.warn("Trusting all certificates. Do not use in production mode!"); ApacheHttpClient4Engine engine = new ApacheHttpClient4Engine(createAllTrustingClient()); client = new ResteasyClientBuilder().httpEngine(engine).build(); } else { client = ClientBuilder.newClient(); }
createAllTrustingClient()看起来像这样:
private DefaultHttpClient createAllTrustingClient() throws GeneralSecurityException { SchemeRegistry registry = new SchemeRegistry(); registry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory())); TrustStrategy trustStrategy = new TrustStrategy() { public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }; SSLSocketFactory factory = new SSLSocketFactory(trustStrategy, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER ); registry.register(new Scheme("https", 443, factory)); ThreadSafeClientConnManager mgr = new ThreadSafeClientConnManager(registry); mgr.setMaxTotal(1000); mgr.setDefaultMaxPerRoute(1000); DefaultHttpClient client = new DefaultHttpClient(mgr, new DefaultHttpClient().getParams()); return client; }
如果您在查找类的包名时遇到问题,以下是相关的导入:
import org.apache.http.conn.scheme.PlainSocketFactory; import org.apache.http.conn.scheme.Scheme; import org.apache.http.conn.scheme.SchemeRegistry; import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.conn.ssl.TrustStrategy; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager; import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
以供参考:
最简单的方法是在要部署服务的每台计算机上获取具有正确DN并由公共CA签名的正确证书。 这是官僚主义和令人讨厌的,可能花费真金白银,但它绝对是最简单的 。
否则,您必须将客户端配置为具有不实际validation的validation程序。 这是危险的,因为任何人 (包括随机黑客,有组织的罪犯和狡猾的政府机构)都可以制作自签名证书,而且没有切实可行的方法来发现他们已经这样做了。 除了通过并向每个客户分发将要使用的整个服务器证书列表(允许validation者使用俱乐部门卫技术进行检查:“如果你不在列表中,你就不会进入“)。
validation器在技术上将成为X509TrustManager某种实例。
要加入Arnelism的答案:如果你使用的是httpclient-4.2.6.jar (它是resteasy-jaxrs-3.0.10.Final.jar的依赖resteasy-jaxrs-3.0.10.Final.jar ),你会发现ThreadSafeClientConnManager是@Deprecated 。 您可以将其修改为BasicClientConnectionManager或PoolingClientConnectionManager :
private static DefaultHttpClient createAllTrustingClient() throws GeneralSecurityException { SchemeRegistry registry = new SchemeRegistry(); registry.register( new Scheme("http", 80, PlainSocketFactory.getSocketFactory()) ); TrustStrategy trustStrategy = new TrustStrategy() { @Override public boolean isTrusted(java.security.cert.X509Certificate[] arg0, String arg1) throws java.security.cert.CertificateException { return true; } }; SSLSocketFactory factory = new SSLSocketFactory( trustStrategy, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER ); registry.register(new Scheme("https", 443, factory)); BasicClientConnectionManager mgr = new BasicClientConnectionManager(registry); DefaultHttpClient client = new DefaultHttpClient(mgr, new DefaultHttpClient().getParams()); return client; }
有必要破解ApacheHttpClient4Executor,下面的代码可以使用HTTPS并提供ClientRequest:
UriBuilder uri = UriBuilder.fromUri(request.endpoint() + request.path()); System.out.println(request.endpoint() + request.path()); class ApacheHttpClient4Executor2 extends ApacheHttpClient4Executor { } ApacheHttpClient4Executor2 executor = new ApacheHttpClient4Executor2(); Scheme http = new Scheme("http", 80, PlainSocketFactory.getSocketFactory()); TrustStrategy trustStrategy = new TrustStrategy() { @Override public boolean isTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { return true; } }; SSLSocketFactory factory = null; try { factory = new SSLSocketFactory(trustStrategy, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); } catch (KeyManagementException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e1) { e1.printStackTrace(); } Scheme https = new Scheme("https", 443, factory); executor.getHttpClient().getConnectionManager().getSchemeRegistry().register(http); executor.getHttpClient().getConnectionManager().getSchemeRegistry().register(https); ClientRequest client = new ClientRequest(uri, executor, providerFactory);