Camel jetty endpoint accepting client messages without certificate
Question
I am trying to configure a Camel Jetty-based REST endpoint for certificate authentication. Whenever I send a request to the https endpoint without the client certificate it still works, i.e., there is a valid response from the REST endpoint.
How do I make sure that
a) only clients with valid certificates can make requests, and
b) a 500 exception is raised for unauthorized clients or clients without proper certificates?
Main Class
import org.apache.camel.CamelContext;
import org.apache.camel.component.jetty9.JettyHttpComponent9;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;

CamelContext context = new DefaultCamelContext();
context.setStreamCaching(true);

// Server identity: the key store holding the server's own certificate and private key
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource("src/main/resources/security/keystore.jks");
ksp.setPassword("password");
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyStore(ksp);
kmp.setKeyPassword("password");

// Only key managers are set: no trust managers and no server-side client-auth policy
SSLContextParameters scp = new SSLContextParameters();
scp.setKeyManagers(kmp);

// Apply the TLS configuration to the Jetty component used by the REST DSL
JettyHttpComponent9 jettyComponent = context.getComponent("jetty", JettyHttpComponent9.class);
jettyComponent.setSslContextParameters(scp);
context.addRoutes(new HelloRoute());
context.start();
On the Camel route:
@Override
public void configure() throws Exception {
    // Any exception raised while processing a request is mapped to HTTP 500 with the message as body
    onException(Exception.class)
        .handled(true)
        .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(500))
        .setBody(simple("${exception.message}\n"));

    // REST DSL backed by the "jetty" component configured in the main class
    restConfiguration()
        .component("jetty")
        .host("0.0.0.0")
        .port("6625")
        .scheme("https")
        .componentProperty("minThreads", "1")
        .componentProperty("maxThreads", "16");

    rest("/req/").consumes("application/json").produces("application/json")
        .post().to("direct:helloRoute");

    // Dispatch on Header.MessageType; helloRoute/otherwiseRoute are bean methods on HelloRoute (not shown)
    from("direct:helloRoute").convertBodyTo(String.class)
        .choice()
            .when().jsonpath("$.Header[?(@.MessageType == 'Hello')]", true)
                .bean(HelloRoute.class, "helloRoute")
            .otherwise()
                .bean(HelloRoute.class, "otherwiseRoute")
        .endChoice();
}
Answer 1
Score: 1
Your javax.net.ssl.SSLParameters needs to have .setNeedClientAuth(true).
Reference: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#setNeedClientAuth-boolean-
The authentication occurs at the TLS level.
There will be no way to return an HTTP status code if your clients fail to authenticate, as that authentication occurs well ahead of the HTTP layer even being present for request or response. The TLS layer will terminate the connection.
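The same advice expressed in the Camel `SSLContextParameters` API the question already uses, as an added example that is not part of the original post or answer. Camel does not expose `setNeedClientAuth` directly; its `SSLContextServerParameters.setClientAuthentication("REQUIRE")` is what makes the engines created for the Jetty connector call `setNeedClientAuth(true)`. The example also adds the piece the question's configuration is missing entirely, a trust store naming the CA that issued the client certificates; the trust store path `src/main/resources/security/truststore.jks` and the class name `MutualTlsJettyMain` are assumptions, everything else is the question's own configuration.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.component.jetty9.JettyHttpComponent9;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SSLContextServerParameters;
import org.apache.camel.util.jsse.TrustManagersParameters;

public class MutualTlsJettyMain {

    /**
     * TLS settings for a server that refuses the handshake unless the client
     * presents a certificate chaining to a CA in the trust store.
     */
    static SSLContextParameters mutualTlsParameters() {
        // Server identity: unchanged from the question.
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setResource("src/main/resources/security/keystore.jks");
        ksp.setPassword("password");

        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(ksp);
        kmp.setKeyPassword("password");

        // Trust store: the CA(s) allowed to issue client certificates.
        // Assumed file name; the original post configures no trust manager,
        // so the JVM default trust store would be consulted instead.
        KeyStoreParameters tsp = new KeyStoreParameters();
        tsp.setResource("src/main/resources/security/truststore.jks");
        tsp.setPassword("password");

        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(tsp);

        // Server-side handshake policy:
        //   NONE    - never asks for a client certificate (the default, which the
        //             question's configuration leaves in effect)
        //   WANT    - asks, but still completes the handshake without one
        //   REQUIRE - aborts the handshake without a valid client certificate
        //             (maps to SSLParameters/SSLEngine.setNeedClientAuth(true))
        SSLContextServerParameters server = new SSLContextServerParameters();
        server.setClientAuthentication("REQUIRE");

        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        scp.setTrustManagers(tmp);
        scp.setServerParameters(server);
        return scp;
    }

    public static void main(String[] args) throws Exception {
        CamelContext context = new DefaultCamelContext();
        context.setStreamCaching(true);

        // Same wiring as the question; only the SSLContextParameters differ.
        JettyHttpComponent9 jettyComponent = context.getComponent("jetty", JettyHttpComponent9.class);
        jettyComponent.setSslContextParameters(mutualTlsParameters());

        context.addRoutes(new HelloRoute());
        context.start();
    }
}
```

The route class stays exactly as posted. What changes is observable from the client: a POST to https://host:6625/req/ that sends no certificate, or one not issued by a CA in the trust store, now fails during the TLS handshake and never produces an HTTP response, so the `onException` handler and its 500 status are never reached; only a client that supplies an acceptable certificate gets as far as the REST endpoint. The trust store should contain only the issuing CA for client certificates, not a general-purpose CA bundle, otherwise any certificate from a public CA would satisfy the check.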