HttpClient with SSL

1. Overview

This article shows how to configure the Apache HttpClient 4 with "Accept All" SSL support. The goal is simple - consume HTTPS URLs which do not have valid certificates.

If you want to dig deeper and learn other cool things you can do with the HttpClient, head over to the main HttpClient guide.

2. The SSLPeerUnverifiedException

Without configuring SSL with the HttpClient, the following test - consuming an HTTPS URL - will fail:

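    import static org.hamcrest.Matchers.equalTo;
    import static org.junit.Assert.assertThat;

    import java.io.IOException;
    import javax.net.ssl.SSLPeerUnverifiedException;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.ClientProtocolException;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.junit.Test;

    public class RestClientLiveManualTest {

        @Test(expected = SSLPeerUnverifiedException.class)
        public void whenHttpsUrlIsConsumed_thenException()
          throws ClientProtocolException, IOException {
            // Default client: standard trust manager and hostname verifier
            CloseableHttpClient httpClient = HttpClients.createDefault();
            String urlOverHttps = "https://localhost:8082/httpclient-simple";
            HttpGet getMethod = new HttpGet(urlOverHttps);

            HttpResponse response = httpClient.execute(getMethod);
            assertThat(response.getStatusLine().getStatusCode(), equalTo(200));
        }
    }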

The exact failure is:

javax.net. ..

The javax.net.ssl.SSLPeerUnverifiedException exception occurs whenever a valid chain of trust cannot be established for the URL.

3. Configure SSL - Accept All (HttpClient < 4.3)

Let's now configure the HTTP client to trust all certificate chains regardless of their validity:

    // urlOverHttps is the HTTPS URL under test, defined outside this method;
    // ALLOW_ALL_HOSTNAME_VERIFIER is statically imported from SSLSocketFactory.
    @Test
    public final void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenOk()
      throws GeneralSecurityException {
        HttpComponentsClientHttpRequestFactory requestFactory =
          new HttpComponentsClientHttpRequestFactory();
        CloseableHttpClient httpClient = (CloseableHttpClient) requestFactory.getHttpClient();

        // Accept every certificate chain and skip hostname verification
        TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
        SSLSocketFactory sf = new SSLSocketFactory(acceptingTrustStrategy, ALLOW_ALL_HOSTNAME_VERIFIER);
        httpClient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 8443, sf));

        ResponseEntity<String> response = new RestTemplate(requestFactory)
          .exchange(urlOverHttps, HttpMethod.GET, null, String.class);
        assertThat(response.getStatusCode().value(), equalTo(200));
    }

With the new TrustStrategy now overriding the standard certificate verification process (which should consult a configured trust manager) - the test now passes and the client is able to consume the HTTPS URL.

4. Configure SSL - Accept All (HttpClient 4.4 and above)

With the new HttpClient, we now have an enhanced, redesigned default SSL hostname verifier. Also, with the introduction of SSLConnectionSocketFactory and RegistryBuilder, it is easy to build an SSLSocketFactory. So we can write the above test as:

    @Test
    public final void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenOk()
      throws GeneralSecurityException {
        // Accept every certificate chain and skip hostname verification
        TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
        SSLContext sslContext = SSLContexts.custom()
          .loadTrustMaterial(null, acceptingTrustStrategy)
          .build();
        SSLConnectionSocketFactory sslsf =
          new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);

        Registry<ConnectionSocketFactory> socketFactoryRegistry =
          RegistryBuilder.<ConnectionSocketFactory> create()
            .register("https", sslsf)
            .register("http", new PlainConnectionSocketFactory())
            .build();

        BasicHttpClientConnectionManager connectionManager =
          new BasicHttpClientConnectionManager(socketFactoryRegistry);
        CloseableHttpClient httpClient = HttpClients.custom()
          .setSSLSocketFactory(sslsf)
          .setConnectionManager(connectionManager)
          .build();

        HttpComponentsClientHttpRequestFactory requestFactory =
          new HttpComponentsClientHttpRequestFactory(httpClient);

        ResponseEntity<String> response = new RestTemplate(requestFactory)
          .exchange(urlOverHttps, HttpMethod.GET, null, String.class);
        assertThat(response.getStatusCode().value(), equalTo(200));
    }
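
An added example, not code from the original article: on HttpClient 4.4 and above, the accept-all lambda can be narrowed to a TrustStrategy that trusts one known certificate by its SHA-256 fingerprint, which goes a step beyond the case shown above. The class name, `matchesPin` and the fingerprint placeholder are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

public class PinnedCertificateClient {

    // Placeholder (assumption): hex SHA-256 of the test server's DER-encoded certificate.
    static final String PINNED_SHA256 = "<sha256-hex-of-test-server-certificate>";

    // True only when the leaf certificate (chain[0]) hashes to the pinned value.
    static boolean matchesPin(X509Certificate[] chain, String pinnedHex)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            return false;
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString().equalsIgnoreCase(pinnedHex);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    static CloseableHttpClient build() throws GeneralSecurityException {
        // true: trust this chain directly; false: defer to the default trust manager.
        TrustStrategy pinnedOnly = (chain, authType) -> matchesPin(chain, PINNED_SHA256);
        SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(null, pinnedOnly)
            .build();
        // No NoopHostnameVerifier: this constructor keeps the default hostname verifier.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }
}
```

Returning false from a TrustStrategy does not reject the chain; it hands the decision to the regular trust manager, so any other certificate must still validate normally.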

5. The Spring RestTemplate with SSL (HttpClient < 4.3)

Now that we have seen how to configure a raw HttpClient with SSL support, let's take a look at a higher-level client - the Spring RestTemplate.

With no SSL configured, the following test fails as expected:

    @Test(expected = ResourceAccessException.class)
    public void whenHttpsUrlIsConsumed_thenException() {
        String urlOverHttps = "https://localhost:8443/httpclient-simple/api/bars/1";
        // Plain RestTemplate: the certificate is validated and the call fails
        ResponseEntity<String> response = new RestTemplate()
          .exchange(urlOverHttps, HttpMethod.GET, null, String.class);
        assertThat(response.getStatusCode().value(), equalTo(200));
    }

So let's configure SSL:

    @Test
    public void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenException()
      throws GeneralSecurityException {
        HttpComponentsClientHttpRequestFactory requestFactory =
          new HttpComponentsClientHttpRequestFactory();
        DefaultHttpClient httpClient = (DefaultHttpClient) requestFactory.getHttpClient();

        // Accept every certificate chain and skip hostname verification
        TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
        SSLSocketFactory sf = new SSLSocketFactory(acceptingTrustStrategy, ALLOW_ALL_HOSTNAME_VERIFIER);
        httpClient.getConnectionManager().getSchemeRegistry()
          .register(new Scheme("https", 8443, sf));

        String urlOverHttps = "https://localhost:8443/httpclient-simple/api/bars/1";
        ResponseEntity<String> response = new RestTemplate(requestFactory)
          .exchange(urlOverHttps, HttpMethod.GET, null, String.class);
        assertThat(response.getStatusCode().value(), equalTo(200));
    }

As you can see, this is very similar to the way we configured SSL for the raw HttpClient - we configure the request factory with SSL support and then instantiate the template, passing it this preconfigured factory.

6. The Spring RestTemplate with SSL (HttpClient 4.4)

And we can use the same way to configure our RestTemplate:

    @Test
    public void givenAcceptingAllCertificatesUsing4_4_whenUsingRestTemplate_thenCorrect()
      throws ClientProtocolException, IOException {
        // Hostname verification is switched off; the certificate chain is
        // still checked against the default trust material
        CloseableHttpClient httpClient = HttpClients.custom()
          .setSSLHostnameVerifier(new NoopHostnameVerifier())
          .build();
        HttpComponentsClientHttpRequestFactory requestFactory =
          new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(httpClient);

        ResponseEntity<String> response = new RestTemplate(requestFactory)
          .exchange(urlOverHttps, HttpMethod.GET, null, String.class);
        assertThat(response.getStatusCode().value(), equalTo(200));
    }
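
An added example, not from the original article or its GitHub project: a RestTemplate wired as in this section, but trusting only the certificates in a dedicated trust store and keeping the default hostname verifier. The class name, `build` and the command-line arguments are assumptions, as is a Spring version whose HttpComponentsClientHttpRequestFactory accepts an HttpClient 4.x client.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class TrustStoreRestTemplateFactory {

    static RestTemplate build(File trustStoreFile, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStoreFile)) {
            trustStore.load(in, password);
        }
        // Fail early instead of at the first handshake if the store is empty.
        if (trustStore.size() == 0) {
            throw new KeyStoreException("trust store has no entries: " + trustStoreFile);
        }
        // null TrustStrategy: every chain is validated normally, against this store only.
        SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(trustStore, null)
            .build();
        // One-argument constructor keeps the default hostname verifier.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);
        CloseableHttpClient httpClient = HttpClients.custom()
            .setSSLSocketFactory(sslsf)
            .build();
        HttpComponentsClientHttpRequestFactory requestFactory =
            new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(httpClient);
        return new RestTemplate(requestFactory);
    }

    // Arguments (assumed): <trust store path> <trust store password> <https url>
    public static void main(String[] args) throws Exception {
        RestTemplate template = build(new File(args[0]), args[1].toCharArray());
        System.out.println(template.getForEntity(args[2], String.class).getStatusCode());
    }
}
```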

7. Conclusion

This tutorial discussed how to configure SSL for an Apache HttpClient so that it is able to consume any HTTPS URL, regardless of the certificate. The same configuration for the Spring RestTemplate is also illustrated.

An important thing to understand, however, is that this strategy entirely ignores certificate checking - which makes it insecure and only to be used where that makes sense.

The implementation of these examples can be found in the GitHub project - this is an Eclipse-based project, so it should be easy to import and run as it is.

