Does anyone have a simple example of implementing x509 mutual authentication in Spring Cloud Gateway/Spring WebFlux?
Question
I am trying to implement mutual authentication (authentication with x509 client certificates) in Spring Cloud Gateway, but throughout my research, I haven't been able to figure out where to start.
From what I can see, authentication is not handled through Spring Cloud Gateway itself but instead should be done through Spring WebFlux -- please correct me if this is an incorrect assumption. I have found examples of implementing certificate authentication through Spring Security, but I have not found any with WebFlux.
Can anyone offer some tips or even some code examples to get me on the right track with this?
Answer
You can configure it in src/main/resources/application.yml, e.g.
server:
  # for testing or development without SSL certs (HTTP) use an "appropriate"
  # non-secure port, e.g. 8080
  # for HTTPS use an "appropriate" secure port, e.g. 8443
  port: 8443
  ssl:
    # for HTTP set enabled to false, for HTTPS (with required client certs) set to true
    enabled: true
    # this is the spring cloud gateway _server_ cert
    key-store: /etc/pki/tls/private/server.p12
    key-store-password: servercertpassword
    key-store-type: PKCS12
    # this is the "bundle" of CA intermediate/root upon which the client cert has to
    # match
    trust-store: /etc/pki/ca-trust/extracted/java/cacerts
    # this `client-auth` option is where you *require* mutual-TLS, it can alternatively
    # be made optional
    client-auth: need
    trust-store-password: truststorepassword
    trust-store-type: JCEKS
management:
  # management port without SSL to allow monitoring/etc. without client certs
  # e.g. /actuator/health
  server:
    port: 8080
    ssl:
      enabled: false
If you have a set of client certs, a server cert, and trust-store / CA bundle, this is an example of how to configure it in Spring Cloud Gateway.
An X509 PreAuthenticatedAuthenticationToken will be available in your application for successful connections made via mutual TLS, containing the principal/details of the client cert.
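The YAML above makes Netty require and chain-validate the client certificate; the following is an added example (not code from the answer or the Spring project) of the Spring Security WebFlux configuration that turns that verified certificate into the PreAuthenticatedAuthenticationToken the answer mentions and allow-lists which client CNs may pass. It assumes spring-boot-starter-security on the classpath and Spring Security 5.2 or newer; the CN values are constructed sample data.

```java
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.ReactivePreAuthenticatedAuthenticationManager;
import reactor.core.publisher.Mono;

// Added example: application-level check on top of the TLS-layer client-auth: need.
@Configuration
@EnableWebFluxSecurity
public class MutualTlsSecurityConfig {

    // Constructed sample allow-list. The trust store only proves the cert chains to an
    // accepted CA; this decides *which* of those clients may actually call the gateway.
    private static final Set<String> ALLOWED_CLIENT_CNS = Set.of("billing-service", "reporting-service");

    @Bean
    public ReactiveUserDetailsService clientCertUserDetails() {
        // The "username" is whatever the principal extractor pulled from the subject DN (the CN).
        return cn -> {
            if (!ALLOWED_CLIENT_CNS.contains(cn)) {
                return Mono.error(new UsernameNotFoundException("client cert CN not allow-listed: " + cn));
            }
            return Mono.just(User.withUsername(cn).password("").roles("CLIENT").build());
        };
    }

    @Bean
    public SecurityWebFilterChain mtlsFilterChain(ServerHttpSecurity http,
                                                  ReactiveUserDetailsService clientCertUserDetails) {
        // Default extractor pattern reads CN=... from the subject DN of the verified client cert;
        // the resulting Authentication is a PreAuthenticatedAuthenticationToken.
        SubjectDnX509PrincipalExtractor extractor = new SubjectDnX509PrincipalExtractor();
        return http
                .x509(x509 -> x509
                        .principalExtractor(extractor)
                        .authenticationManager(new ReactivePreAuthenticatedAuthenticationManager(clientCertUserDetails)))
                // Every route needs an authenticated client cert; nothing is served anonymously.
                .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
                // Machine-to-machine callers carry no browser session cookies, so CSRF adds nothing here.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .build();
    }
}
```

A handshake from a cert that is CA-valid but not allow-listed still completes at the TLS layer and is then rejected with 401 by the filter chain, which is the event worth alerting on in the gateway logs.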