Is it possible to have one-way and mutual SSL for the same web app at the same time, depending on URLs

Question

I have a scenario where I have a few REST web services, of which a few need to enforce mutual SSL and a few should just have one-way SSL; here it's the same web application.

Is that possible in a Tomcat/Spring-based application?

Recommended answer

Sorry for replying late. Yes, I did this; not sure if it's the best way, but it's kind of a hack.

Step 1: Have one-way SSL set with clientAuth=want in your Tomcat. This will fix your scenario where you want to have one-way SSL for all the web services except the one which needs extra/mutual authentication.

Step 2: Now for the web service which needs mutual SSL. Write a servlet filter and, for that particular web service URL, check the incoming HTTP request for certificates. Loop through the certs found in the request and match them with the certs from your trust store. If you find a match, let the request flow proceed; if not, return an exception as SSL cert not found.

X509Certificate[] certificates = (X509Certificate[]) request
                    .getAttribute("javax.servlet.request.X509Certificate");

The above code will give you the array of certs in your request.

Note: Make sure your SSL configuration is correct or else the certificates variable stays null.
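
A filter along the lines of Step 2, as an added example that is not the answerer's code: it is meant to be mapped only to the URL pattern that needs mutual SSL, and it compares the client's own certificate (the first array element) with the entries of a trust store. The class name, the init-param names `truststorePath` and `truststorePassword`, and the 403 response are assumptions; it uses the `javax.servlet` API, matching the attribute name in the answer.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example): map it only to the URLs that need mutual SSL.
public class ClientCertFilter implements Filter {
    private KeyStore trustStore;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-param names, not from the original answer.
        String path = cfg.getInitParameter("truststorePath");
        String pass = cfg.getInitParameter("truststorePassword");
        if (path == null || pass == null)
            throw new ServletException("truststore init-params missing");
        try (InputStream in = new FileInputStream(path)) {
            trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(in, pass.toCharArray());
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load trust store", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0 || !isTrusted(certs[0])) {
            // Fail closed: no client certificate, or one not in the trust store.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    private boolean isTrusted(X509Certificate leaf) {
        try {
            leaf.checkValidity(); // rejects expired or not-yet-valid certificates
            return trustStore.getCertificateAlias(leaf) != null; // exact match
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
    @Override public void destroy() { }
}
```

Because `clientAuth=want` lets requests through without a certificate, the null check is what enforces mutual SSL on the mapped URLs.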
