android webview与客户端证书 [英] android webview with client certificate
问题描述
我尝试了几天来使用web视图与客户端证书嵌入在应用程序,但在我看来,android sdk没有提供任何方式来做到这一点,是有一个回调来拦截由服务器?有没有办法使用webview与客户端证书和https请求?
由于我对你的问题感兴趣,我检查了WebView和WebViewClient的文档,看起来您无法使用客户端证书验证webview会话,因为必需的方法(ClientCertRequestHandler)不是公共API。
使用Android WebView连接到具有客户端证书的安全服务器
在Android安全讨论中的搜索确认该呼叫确实不可用:
https://groups.google.com/forum/#!msg/android-security-discuss / 0hzTGaA9swQ / 10qc8UpGLH8J
即使
Android 4.0版本确实包括在浏览器中支持客户端证书身份验证。
(ref:https://code.google.com/p/android/issues/detail?id=8196 )
没有提到WebViews:(
虽然有一些新的API加载证书在钥匙串:
http://developer.android.com/reference/android/ security / KeyChain.html
http://nelenkov.blogspot .it / 2011/11 / using-ics-keychain-api.html
不清楚WebView是否会使用它们...我想你应该尝试KeyChain类,看看你是否可以正确验证(我没有简单的方法来测试这个,所以你是你自己的)。
>如果KeyChain不能使用WebViews,我想这一切都远远不是完美的解决方案:
解决方案1:
反正使用ClientCertRequestHandler(标记为隐藏,但显然仍然可用):
a href =https://code.google.com/p/android/issues/detail?id=53491> https://code.google.com/p/android/issues/detail?id=53491 a>
但是,即使假设你做了,Android Dev。小组可能会修改/移除方法,恕不另行通知,您的应用程式可能会在未来版本的SO上停止运作。
解决方案2:
如果你可以将你的目标限制为Android 4.0或更新版本,一个大胆的(不太可能...)解决方案是尝试从本地存储使用文件方案:
但我强烈怀疑webview将会像浏览器一样工作...
$ b $
使用HTTPClient或HttpURLConnection在后台处理每个https连接然后将数据传递给WebView:
http://chariotsolutions.com/blog/post/https-with-client-certificates-on/
您有同情。 / p>
I tried for days to use a web view with a client certificate embedded in the application, but it seems to me that the android sdk does not provide any way to do it, is there a callback to intercept the challenge sent by the server? is there a way to use webview with a client certificate and make https request?
Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around and indeed it looks that you can't authenticate a webview session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.
Using a Android WebView to connect to secure server with Client Certificate
A search in the Android Security Discussions confirms that the call is indeed not available:
https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J
and even though
The Android 4.0 release does include support for client certificate authentication in the browser.
(ref: https://code.google.com/p/android/issues/detail?id=8196)
no mention about WebViews is made :(
Even though there are some new API to load certificates in a Keychain:
http://developer.android.com/reference/android/security/KeyChain.html http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html
it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).
If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:
Solution 1:
use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):
https://code.google.com/p/android/issues/detail?id=53491
However even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the SO.
Solution 2:
If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:
Load local HTML file into WebView
but i strongly doubt that the webview will behave as the browser does...
Solution 3: (which should work but requires a lot of effort)
Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:
http://chariotsolutions.com/blog/post/https-with-client-certificates-on/
You have my sympathy.
这篇关于android webview与客户端证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
