是否应该始终在我的WebClient中显式加载keyStore以获得授权服务? [英] Should I always load keyStore explicitely in my WebClient for authorized services?
问题描述
我有一个Java密钥库,可以用来连接到受保护的https第三方服务.初始化Web客户端时,我在代码中明确使用了此密钥库:
I have a java keystore with which I can connect to a protected https third-party service. I use this keystore explicitely in my code when I initialize my web client:
// Solution #1
String password = "changeit";
KeyStore keyStore = KeyStore.getInstance(new File("src/main/resources/keystore.jks"), password.toCharArray());
SSLContext sslContext = new SSLContextBuilder()
.loadKeyMaterial(keyStore, password.toCharArray())
.build();
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext, (hostname, session) -> true);
HttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(socketFactory)
.build();
使用这种方法,一切正常.
With this approach, everything works fine.
但是我也知道可以指定系统变量javax.net.ssl.keyStore
和javax.net.ssl.keyStorePassword
.因此,我期望上面代码的替代解决方案也能起作用:
But I also know that there is a possibility to specify the system variables javax.net.ssl.keyStore
and javax.net.ssl.keyStorePassword
. So I was expecting an alternative solution to the code above will also work:
// Solution #2
System.setProperty( "javax.net.ssl.keyStore", "src/main/resources/keystore.jks");
System.setProperty( "javax.net.ssl.keyStorePassword", "changeit");
HttpClient httpClient = HttpClients.createDefault();
我在其中创建默认的Web客户端,而不用我的密钥库显式构造SSLContext.我期望默认的Web客户端会以某种方式自动从javax.net.ssl.keyStore
中获取密钥库.但似乎没有用,并且此解决方案对我不起作用.
where I create a default web client without constructing SSLContext with my keystore explicitly. I have expected that the default web client will take somehow the keystore automatically from javax.net.ssl.keyStore
. But it seems it did not take and this solution did not work for me.
所以我想知道使用系统属性javax.net.ssl.keyStore
的目的是什么?它如何有用?最佳做法是什么?
So I wonder what is the purpose of the use of system property javax.net.ssl.keyStore
? How it can be useful? What is the best practice here?
推荐答案
Accordingly to the answer of @Bruno in How to acess jvm default KeyStore? there is no default KeyStore
in java.
That means that if you run the app with
-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStore=/opt/app/certificates/keyStore.jks
这还需要像在您的代码中一样解析它们
this will also require to parse them in your code like
private static final String filePath = System.getProperty("javax.net.ssl.keyStore");
private static final String password = System.getProperty("javax.net.ssl.keyStorePassword");
,然后在HttpClient
中显式使用(如Solution #1
).
换句话说,如果您不手动解析它们并且不将它们用于您的HttpClient
,则仅指定keyStore
的属性是没有用的.这是我发布问题时试图理解的内容.
and then use explicitly in your HttpClient
(like in Solution #1
).
In other words, just specifying the properties for keyStore
is useless if you will not parse them manually and not use them for your HttpClient
. This is what I was trying to understand when I had posted my question.
与TrustStore
之类的系统属性相比,这是一个重要区别
This is an important difference from system properties for TrustStore
like
-Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/opt/app/certificates/cacert
指定这些属性不需要任何额外的代码.由于存在默认的TustStore
,它将由JVM
从属性中自动创建.然后httpClient
将只使用默认的TrustStore
,而无需开发人员的任何努力.
Specifying these properties does not require any extra code. As there is a default TustStore
which will be created automatically by JVM
from the properties. An then httpClient
will just use that default TrustStore
without any efforts from a developer.
这篇关于是否应该始终在我的WebClient中显式加载keyStore以获得授权服务?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!