带有客户端证书的SSL Java SOAP服务 - Java SOAP service over SSL with client certificates

Java SOAP service over SSL with client certificates

本文关键字：Java SOAP 服务 SSL 客户端证书 | 更新日期: 2023-09-27

所以我一直在尝试使用JAX-WS和SSL设置Java SOAP servlet。我让实际的服务运行在SSL上，但我需要它基于客户端证书进行身份验证，现在它接受所有针对它的连接。

下面是目前为止的代码:

TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain,
                String authType)
                throws CertificateException {
    System.out.println("yay1");
}

public void checkServerTrusted(X509Certificate[] chain,
                String authType)
                throws CertificateException {
    System.out.println("yay2");
}
public X509Certificate[] getAcceptedIssuers() {
    throw new UnsupportedOperationException("Not supported yet.");
}
};

String uri = "http://127.0.0.1:8083/SoapContext/SoapPort";
Object implementor = new Main();
Endpoint endpoint = Endpoint.create(implementor);
SSLContext ssl = SSLContext.getInstance("TLS");
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore store = KeyStore.getInstance("JKS");
store.load(new FileInputStream("serverkeystore"),"123456".toCharArray());
keyFactory.init(store, "123456".toCharArray());

TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(store);

ssl.init(keyFactory.getKeyManagers(),
new TrustManager[] { tm }, null);
HttpsConfigurator configurator = new HttpsConfigurator(ssl);
HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(8083), 8083);
httpsServer.setHttpsConfigurator(configurator);
HttpContext httpContext = httpsServer.createContext("/SoapContext/SoapPort");
httpsServer.start();
endpoint.publish(httpContext);

我用下面的PHP代码进行测试:

$soapClient = new SoapClient("https://localhost:8083/SoapContext/SoapPort?wsdl", array('local_cert' => "newcert.pem"));
$soapClient->add(array('i' => '1', 'j' => '2'));

不幸的是，当我包含local_cert:

时，它会出错。

SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost:8083/SoapContext/SoapPort?wsdl' : failed to load external entity "https://localhost:8083/SoapContext/SoapPort?wsdl"

如果我不包含local_cert，它确实连接成功，但它从不调用我的自定义TrustManager，所以它接受所有传入的连接。

我做错了什么?谢谢!

我知道不知道 PHP，但是你的TrustManager在web服务中没有做任何身份验证。
因此，不应该因为客户端身份验证问题而拒绝连接。

您在客户端引用的new_cert.pem是否包含私钥?
如果不是，那么这可能就是问题所在。

我建议你用wireshark检查一下通讯。
我怀疑您不会看到来自服务器的拒绝。

故障应该是本地的