使用 Axis2 附加客户端证书?
是否可以轻松地将客户端证书附加到使用 wsdl2java 生成的 Axis2 存根?我需要根据每个请求动态更改客户端证书,因此仅将其存储在密钥库中不适用于我们的情况.
Is it possible to easily attach a client certificate to a Axis2 stub generated using wsdl2java? I need to change the client certificate dynamically on a per-request basis, so simply storing it in the keystore won't work for our case.
我找到了对非 SOAP 调用执行此操作的示例,但找不到与使用 Axis 客户端存根相关的任何内容.我想尝试破解 SOAP 调用的 XML 是一种选择,虽然很痛苦!呻吟!
I've found examples where this is being done for non-SOAP calls, but could not find anything related to using the Axis client stubs. Trying to hack the XML for the SOAP call is an option I guess, albiet a painful one! Groan!
推荐答案
如果要根据建立的连接更改使用的证书,则需要配置 SSLContext
来执行因此,如本答案所述:https://stackoverflow.com/a/3713147/372643
If you want to change which certificate is used depending on which connection is made, you'll need to configure an SSLContext
to do so, as described in this answer: https://stackoverflow.com/a/3713147/372643
据我所知,Axis 2 使用 Apache HttpClient 3.x,因此您需要按照它的方式配置 SSLContext
(如果需要,还需要配置 X509KeyManager
).最简单的方法可能是使用您的 SSLContext
配置 Apache HttpClient 的全局 https
协议处理程序,并使用配置为选择客户端证书的 X509KeyManager
进行设置您需要(通过 chooseClientAlias
).
As far as I know, Axis 2 uses Apache HttpClient 3.x, so you'll need to follow its way of configuring the SSLContext
(and X509KeyManager
if needed).
The easiest way might be to configure Apache HttpClient's global https
protocol handler with your SSLContext
, set up with an X509KeyManager
configured to choose the client certificate as you require (via chooseClientAlias
).
如果颁发者和连接的 Socket
(可能是远程地址)不足以决定选择哪个证书,您可能需要实现更复杂的逻辑,这几乎不可避免地需要仔细同步应用程序的其余部分.
If the issuers and the connected Socket
(probably the remote address) are not enough for deciding which certificate to choose, you may need to implement a more complex logic which will almost inevitably require careful synchronization with the rest of your application.
编辑:
一旦您构建了 SSLContext
和 X509KeyManager
,您需要将它们传递给 Apache HttpClient 3.x.为此,您可以构建自己的 SecureProtocolSocketFactory,它将从此 SSLContext
构建套接字(通过 SSLSocketFactory
,请参阅 SSLContext
方法).Apache HttpClient 3.x SSL 指南中有示例.避免使用 EasySSLProtocolSocketFactory
,因为它不会检查任何服务器证书(从而允许 MITM 攻击).您也可以尝试 这个实现.
Once you've built your SSLContext
and X509KeyManager
, you need to pass them to Apache HttpClient 3.x. For this, you can build your own SecureProtocolSocketFactory, which will build the socket from this SSLContext
(via an SSLSocketFactory
, see SSLContext
methods). There are examples in the Apache HttpClient 3.x SSL guide. Avoid EasySSLProtocolSocketFactory
, since it won't check any server cert (thereby allowing for MITM attacks). You could also try this implementation.
注意你只需要自定义你的X509KeyManager
,你可以用null<初始化你的
SSLContext
(通过init
)/code> 为其他参数保留默认值(特别是默认信任设置).
Note that you only really need to customize your X509KeyManager
, you can initialize your SSLContext
(via init
) with null
for the other parameters to keep the default values (in particular the default trust settings).
然后,使用以下方式为 Apache HttpClient 3.x 全局安装"此 SecureProtocolSocketFactory
:
Then, "install" this SecureProtocolSocketFactory
globally for Apache HttpClient 3.x using something like this:
Protocol.registerProtocol("https", new Protocol("https",
(ProtocolSocketFactory)secureProtocolSocketFactory, 443));
相关文章