Camel jetty endpoint accepting client messages without certificate

Question

I am trying to configure a Camel Jetty-based REST endpoint for certificate. Whenever I send a request to the https endpoint without the client certificate, it still works, i.e., there is a valid response from the REST endpoint.
How do I make sure that
a) Only clients with valid certificates can make requests
b) Raise exception 500 for unauthorized clients or without proper certificates.

Main Class

    CamelContext context = new DefaultCamelContext();
    context.setStreamCaching(true);

    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource("src/main/resources/security/keystore.jks");
    ksp.setPassword("password");

    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyStore(ksp);
    kmp.setKeyPassword("password");

    SSLContextParameters scp = new SSLContextParameters();
    scp.setKeyManagers(kmp);

    JettyHttpComponent9 jettyComponent = context.getComponent("jetty", JettyHttpComponent9.class);
    jettyComponent.setSslContextParameters(scp);

    context.addRoutes(new HelloRoute());
    context.start();

On the camel route

    @Override
    public void configure() throws Exception {

        onException(Exception.class)
            .handled(true)
            .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(500))
            .setBody(simple("${exception.message}\n"));

        restConfiguration()
            .component("jetty")
            .host("0.0.0.0")
            .port("6625")
            .scheme("https")
            .componentProperty("minThreads", "1")
            .componentProperty("maxThreads", "16");

        rest("/req/").consumes("application/json").produces("application/json")
            .post().to("direct:helloRoute");

        from("direct:helloRoute").convertBodyTo(String.class)
            .choice()
                .when().jsonpath("$.Header[?(@.MessageType == 'Hello')]", true)
                    .bean(HelloRoute.class, "helloRoute")
                .otherwise()
                    .bean(HelloRoute.class, "otherwiseRoute")
            .endChoice();
    }

Answer 1

Score: 1

Your javax.net.ssl.SSLParameters needs to have .setNeedClientAuth(true).

See: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#setNeedClientAuth-boolean-

The authentication occurs at the TLS level.

There will be no way to return an HTTP status code if your clients fail to authenticate, as that authentication occurs well ahead of the HTTP layer even being present for request or response. The TLS layer will terminate the connection.
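
One way to apply the answer's setting through Camel's own JSSE configuration classes, shown as an added example that is not code from the question or the answer. It assumes Camel 3.x package names (in Camel 2.x the same classes live under `org.apache.camel.util.jsse`), a hypothetical `truststore.jks` holding the CA or client certificates allowed to connect, and the asker's `HelloRoute` class on the classpath.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.component.jetty9.JettyHttpComponent9;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.SSLContextServerParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;

public class MutualTlsMain {
    public static void main(String[] args) throws Exception {
        CamelContext context = new DefaultCamelContext();
        context.setStreamCaching(true);

        // Server identity: the keystore from the question, unchanged.
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setResource("src/main/resources/security/keystore.jks");
        ksp.setPassword("password");
        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(ksp);
        kmp.setKeyPassword("password");

        // Assumed file: a truststore containing only the issuers (or the
        // individual client certificates) that may connect. Without an
        // explicit trust store the JVM default trust anchors are used.
        KeyStoreParameters tsp = new KeyStoreParameters();
        tsp.setResource("src/main/resources/security/truststore.jks");
        tsp.setPassword("password");
        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(tsp);

        // REQUIRE is Camel's counterpart of needClientAuth=true: the TLS
        // handshake fails when the client presents no trusted certificate.
        // WANT would only request a certificate and still let clients in.
        SSLContextServerParameters server = new SSLContextServerParameters();
        server.setClientAuthentication("REQUIRE");

        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        scp.setTrustManagers(tmp);
        scp.setServerParameters(server);

        JettyHttpComponent9 jetty = context.getComponent("jetty", JettyHttpComponent9.class);
        jetty.setSslContextParameters(scp);

        context.addRoutes(new HelloRoute());
        context.start();
    }
}
```

A client without a trusted certificate sees a handshake failure or a closed connection rather than the 500 from the route's `onException` block, because the route is never reached.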

huangapple
  • Published on October 27, 2020 04:50:05
  • When reposting, please keep the link to this article: https://go.coder-hub.com/64544779.html