是否应该始终在我的WebClient中显式加载keyStore以获得授权服务? [英] Should I always load keyStore explicitely in my WebClient for authorized services?
问题描述
我有一个Java密钥库,可以用来连接到受保护的https第三方服务.初始化Web客户端时,我在代码中明确使用了此密钥库:
I have a java keystore with which I can connect to a protected https third-party service. I use this keystore explicitely in my code when I initialize my web client:
// Solution #1
String password = "changeit";
KeyStore keyStore = KeyStore.getInstance(new File("src/main/resources/keystore.jks"), password.toCharArray());
SSLContext sslContext = new SSLContextBuilder()
.loadKeyMaterial(keyStore, password.toCharArray())
.build();
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext, (hostname, session) -> true);
HttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(socketFactory)
.build();
使用这种方法,一切正常.
With this approach, everything works fine.
但是我也知道可以指定系统变量javax.net.ssl.keyStore和javax.net.ssl.keyStorePassword.因此,我期望上面代码的替代解决方案也能起作用:
But I also know that there is a possibility to specify the system variables javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword. So I was expecting an alternative solution to the code above will also work:
// Solution #2
System.setProperty( "javax.net.ssl.keyStore", "src/main/resources/keystore.jks");
System.setProperty( "javax.net.ssl.keyStorePassword", "changeit");
HttpClient httpClient = HttpClients.createDefault();
我在其中创建默认的Web客户端,而不用我的密钥库显式构造SSLContext.我期望默认的Web客户端会以某种方式自动从javax.net.ssl.keyStore中获取密钥库.但似乎没有用,并且此解决方案对我不起作用.
where I create a default web client without constructing SSLContext with my keystore explicitly. I have expected that the default web client will take somehow the keystore automatically from javax.net.ssl.keyStore. But it seems it did not take and this solution did not work for me.
所以我想知道使用系统属性javax.net.ssl.keyStore的目的是什么?它如何有用?最佳做法是什么?
So I wonder what is the purpose of the use of system property javax.net.ssl.keyStore? How it can be useful? What is the best practice here?
推荐答案
Accordingly to the answer of @Bruno in How to acess jvm default KeyStore? there is no default KeyStore in java.
That means that if you run the app with
-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStore=/opt/app/certificates/keyStore.jks
这还需要像在您的代码中一样解析它们
this will also require to parse them in your code like
private static final String filePath = System.getProperty("javax.net.ssl.keyStore");
private static final String password = System.getProperty("javax.net.ssl.keyStorePassword");
,然后在HttpClient中显式使用(如Solution #1).
换句话说,如果您不手动解析它们并且不将它们用于您的HttpClient,则仅指定keyStore的属性是没有用的.这是我发布问题时试图理解的内容.
and then use explicitly in your HttpClient (like in Solution #1).
In other words, just specifying the properties for keyStore is useless if you will not parse them manually and not use them for your HttpClient. This is what I was trying to understand when I had posted my question.
与TrustStore之类的系统属性相比,这是一个重要区别
This is an important difference from system properties for TrustStore like
-Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/opt/app/certificates/cacert
指定这些属性不需要任何额外的代码.由于存在默认的TustStore,它将由JVM从属性中自动创建.然后httpClient将只使用默认的TrustStore,而无需开发人员的任何努力.
Specifying these properties does not require any extra code. As there is a default TustStore which will be created automatically by JVM from the properties. An then httpClient will just use that default TrustStore without any efforts from a developer.
这篇关于是否应该始终在我的WebClient中显式加载keyStore以获得授权服务?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
