簡(jiǎn)介
本文將展示如何使用“全部接受”SSL支持配置Apache HttpClient 4。目標(biāo)很簡(jiǎn)單 - 使用沒有有效證書的HTTPS URL。
SSLPeerUnverifiedException
如果不使用HttpClient配置SSL ,以下測(cè)試(使用HTTPS URL)將失敗:
public class RestClientLiveManualTest {
@Test(expected = SSLPeerUnverifiedException.class)
public void test()
throws ClientProtocolException, IOException {
CloseableHttpClient httpClient = HttpClients.createDefault();
String urlOverHttps
="https://localhost:8082/httpclient-simple)";
HttpGet getMethod = new HttpGet(urlOverHttps);
HttpResponse response = httpClient.execute(getMethod);
assertThat(response.getStatusLine().getStatusCode(), equalTo(200));
}
}
異常報(bào)錯(cuò)為:
JAVAx.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) ...
該
javax.net.ssl.SSLPeerUnverifiedException,該報(bào)錯(cuò)產(chǎn)生原因,當(dāng)無(wú)法有效為URL建立信任鏈的時(shí)候。
配置通用的SSL(HttpClient <4.3)
現(xiàn)在讓我們將HTTPClient配置為信任所有證書,無(wú)論其有效性如何:
@Test
public final void test()
throws GeneralSecurityException {
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
CloseableHttpClient httpClient = (CloseableHttpClient) requestFactory.getHttpClient();
TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
SSLSocketFactory sf = new SSLSocketFactory(acceptingTrustStrategy, ALLOW_ALL_HOSTNAME_VERIFIER);
httpClient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 8443, sf));
ResponseEntity<String> response = new RestTemplate(requestFactory).
exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
隨著acceptingTrustStrategy 配置了 true的測(cè)試通過,client能夠消費(fèi)的HTTPS URL。
配置通用的SSL(HttpClient 4.4及更高版本)
使用新的HTTPClient,現(xiàn)在我們有了一個(gè)增強(qiáng)的,重新設(shè)計(jì)的默認(rèn)SSL主機(jī)名驗(yàn)證程序。此外,通過引入
SSLConnectionSocketFactory和RegistryBuilder,可以輕松構(gòu)建SSLSocketFactory。所以我們可以編寫上面的測(cè)試用例,如:
@Test
public final void test()
throws GeneralSecurityException {
TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
NoopHostnameVerifier.INSTANCE);
Registry<ConnectionSocketFactory> socketFactoryRegistry =
RegistryBuilder.<ConnectionSocketFactory> create()
.register("https", sslsf)
.register("http", new PlainConnectionSocketFactory())
.build();
BasicHttpClientConnectionManager connectionManager =
new BasicHttpClientConnectionManager(socketFactoryRegistry);
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf)
.setConnectionManager(connectionManager).build();
HttpComponentsClientHttpRequestFactory requestFactory =
new HttpComponentsClientHttpRequestFactory(httpClient);
ResponseEntity<String> response = new RestTemplate(requestFactory)
.exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
使用SSL 的Spring RestTemplate(HttpClient <4.3)
現(xiàn)在我們已經(jīng)了解了如何配置具有SSL支持的原始HttpClient,讓我們來(lái)看看更高級(jí)別的方式-Spring RestTemplate。
如果未配置SSL,則以下測(cè)試將按預(yù)期會(huì)拋異常:
@Test(expected = ResourceAccessException.class)
public void test() {
String urlOverHttps
= "https://localhost:8443/httpclient-simple/api/bars/1";
ResponseEntity<String> response
= new RestTemplate().exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
那么讓我們配置SSL:
@Test
public void test()
throws GeneralSecurityException {
HttpComponentsClientHttpRequestFactory requestFactory
= new HttpComponentsClientHttpRequestFactory();
DefaultHttpClient httpClient
= (DefaultHttpClient) requestFactory.getHttpClient();
TrustStrategy acceptingTrustStrategy = (cert, authType) -> true
SSLSocketFactory sf = new SSLSocketFactory(
acceptingTrustStrategy, ALLOW_ALL_HOSTNAME_VERIFIER);
httpClient.getConnectionManager().getSchemeRegistry()
.register(new Scheme("https", 8443, sf));
String urlOverHttps ="https://localhost:8443/httpclient-simple/api/bars/1";
ResponseEntity<String> response = new RestTemplate(requestFactory).
exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
這與我們?yōu)樵糎ttpClient配置SSL的方式非常相似 - 我們使用SSL支持配置請(qǐng)求工廠,然后我們實(shí)例化通過此預(yù)配置工廠的模板。
帶有SSL 的Spring RestTemplate(HttpClient 4.4)
我們可以使用相同的方式配置我們的RestTemplate:
@Test
public void test()
throws ClientProtocolException, IOException {
CloseableHttpClient httpClient
= HttpClients.custom()
.setSSLHostnameVerifier(new NoopHostnameVerifier())
.build();
HttpComponentsClientHttpRequestFactory requestFactory
= new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(httpClient);
ResponseEntity<String> response
= new RestTemplate(requestFactory).exchange(
urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
總結(jié)
本教程討論了如何為Apache HttpClient配置SSL,以便它能夠使用任何HTTPS URL,而不管證書是什么。還說(shuō)明了Spring RestTemplate的相同配置。
然而,一個(gè)重要的事情是,這種策略完全忽略了證書檢查 - 這使得它不安全,只能在有意義的地方使用。
