所以我一直在尝试使用JAX-WS和SSL设置Java SOAP servlet。我让实际的服务运行在SSL上,但我需要它基于客户端证书进行身份验证,现在它接受所有针对它的连接。
下面是目前为止的代码:TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain,
String authType)
throws CertificateException {
System.out.println("yay1");
}
public void checkServerTrusted(X509Certificate[] chain,
String authType)
throws CertificateException {
System.out.println("yay2");
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException("Not supported yet.");
}
};
String uri = "http://127.0.0.1:8083/SoapContext/SoapPort";
Object implementor = new Main();
Endpoint endpoint = Endpoint.create(implementor);
SSLContext ssl = SSLContext.getInstance("TLS");
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore store = KeyStore.getInstance("JKS");
store.load(new FileInputStream("serverkeystore"),"123456".toCharArray());
keyFactory.init(store, "123456".toCharArray());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(store);
ssl.init(keyFactory.getKeyManagers(),
new TrustManager[] { tm }, null);
HttpsConfigurator configurator = new HttpsConfigurator(ssl);
HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(8083), 8083);
httpsServer.setHttpsConfigurator(configurator);
HttpContext httpContext = httpsServer.createContext("/SoapContext/SoapPort");
httpsServer.start();
endpoint.publish(httpContext);
我用下面的PHP代码进行测试:
$soapClient = new SoapClient("https://localhost:8083/SoapContext/SoapPort?wsdl", array('local_cert' => "newcert.pem"));
$soapClient->add(array('i' => '1', 'j' => '2'));
不幸的是,当我包含local_cert:
时,它会出错。SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost:8083/SoapContext/SoapPort?wsdl' : failed to load external entity "https://localhost:8083/SoapContext/SoapPort?wsdl"
如果我不包含local_cert,它确实连接成功,但它从不调用我的自定义TrustManager,所以它接受所有传入的连接。
我做错了什么?谢谢!
我知道不知道 PHP,但是你的TrustManager
在web服务中没有做任何身份验证。
因此,不应该因为客户端身份验证问题而拒绝连接。
您在客户端引用的new_cert.pem
是否包含私钥?
如果不是,那么这可能就是问题所在。
我建议你用wireshark检查一下通讯。
我怀疑您不会看到来自服务器的拒绝。
故障应该是本地的