java – Spring启动Spring Security单向SSL和双向SSL端点的应用程序

我有一个Web应用程序,它有5个REST API.所有API都是启用了SSL的HTTPS.
这是server.xml中的连接器标记:

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
                truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
                clientAuth="true" sslProtocol="TLSv1.2"/>

现在,我必须只使用onw-way SSL通过HTTP公开其中一个API.其他4个API只能通过具有双向SSL证书的HTTPS访问.

使用Spring启动和Spring 4安全性解决此问题的最佳方法是什么.

更新

我在这方面取得了一些进展.我已设置clientAuth =“want”并且无需在客户端提供证书即可访问所需的API.但我不确定在为其他API强制执行2-way并编写自定义过滤器来检查SSL握手的方法.有没有办法在Spring Security中执行此操作.

我有以下MultiHttpSecurityConfig类:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MultiHttpSecurityConfig {

  private static final Logger LOG = LoggerFactory
      .getLogger(MultiHttpSecurityConfig.class);


  @Configuration
  @Order(1)
  public static class SecureApiConfigurationAdapter extends
      WebSecurityConfigurerAdapter {

    @Autowired
    private HttpAuthEntryPoint httpAuthEntryPoint;

    @Autowired
    private X509UserDetSer x509UserUserDetSer;

    protected void configure(
        final HttpSecurity http)
        throws Exception {
      LOG.debug("/SSL2waysecureAPI/");
      http.csrf().disable()
          .antMatcher("/SSL2waysecureAPI/**")

          .x509()
          .subjectPrincipalRegex("CN=(.*?),")
          // .subjectPrincipalRegex(".*")
          .authenticationUserDetailsService(x509UserUserDetSer)
          .and().exceptionHandling()
          .authenticationEntryPoint(httpAuthEntryPoint)
          .and().sessionManagement()
          .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
  }

Tomcat中的新连接器标签如下所示:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
                truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
                clientAuth="want" sslProtocol="TLSv1.2"/>
最佳答案
所以,如果有人需要它 – 我就是这样做的

首先 – server.xml配置文件

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            keystoreFile="conf/jks/ketStore.jks" keystorePass="keystore" keystoreType="jks"
            truststoreFile="conf/jks/trustStore.jks" truststorePass="truststore" truststoreType="jks"
            clientAuth="want" sslProtocol="TLSv1.2"/>

然后是web.xml:

<filter>
    <filter-name>ServletFilter</filter-name>
    <filter-class>securechat.filter.ServletFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>ServletFilter</filter-name>
    <url-pattern>/*</url-pattern>
 </filter-mapping>

之后,任何端点的任何请求都将挂钩到此过滤器.在它内部你可以手动检查任何request.something喜欢

@Component
public class ServletFilter implements Filter {

 public static final String X_CLACKS_OVERHEAD = "X-Clacks-Overhead";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
                     FilterChain chain) throws IOException, ServletException {

    X509Certificate[] certificates = (X509Certificate[]) req
            .getAttribute("javax.servlet.request.X509Certificate");

    String servletPath = null;
    int port = -1;
    if (req instanceof HttpServletRequest) {
        servletPath = ((HttpServletRequest)req).getServletPath();
        port =  ((HttpServletRequest)req).getServerPort();

        System.out.println("getServletPath = " +  ((HttpServletRequest)req).getServletPath() );
        System.out.println(" ((HttpServletRequest)req).getServerPort() = " +   ((HttpServletRequest)req).getServerPort());

    //Just in memory of....
    HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader(X_CLACKS_OVERHEAD, "GNU Terry Pratchett");


    //Here you can do checking for port and destination.
    if(port == 8080 && !servletPath.equals("/notSecureDest/something")
         //log error - we try to enter secured enpoint bu non-secured port and url
         return; // we decline request
    }else if(port == ??? && ???? ) {
        //if all checkings age good - we do
        chain.doFilter(req, res);
    }

} 

希望有所帮助.

转载注明原文:java – Spring启动Spring Security单向SSL和双向SSL端点的应用程序 - 代码日志