Android WebView with client certificate

Problem description

I tried for days to use a web view with a client certificate embedded in the application, but it seems to me that the Android SDK does not provide any way to do it. Is there a callback to intercept the challenge sent by the server? Is there a way to use WebView with a client certificate and make HTTPS requests?

Recommended answer

Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around, and indeed it looks like you can't authenticate a WebView session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.

Using Android WebView to connect to a secure server with a client certificate

A search in the Android Security Discussions confirms that the call is indeed not available:

https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J

Even though

The Android 4.0 release does include support for client certificate authentication in the browser.

(ref: https://code.google.com/p/android/issues/detail?id=8196)

no mention about WebViews is made :(

Even though there are some new APIs to load certificates in a KeyChain:

http://developer.android.com/reference/android/security/KeyChain.html
http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html

it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).

If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:

Solution 1:

Use ClientCertRequestHandler anyway (it's marked as hidden, but apparently still usable):

https://code.google.com/p/android/issues/detail?id=53491

However, even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the OS.

Solution 2:

If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:

Load a local HTML file into a WebView

But I strongly doubt that the WebView will behave as the browser does...

Solution 3: (which should work but requires a lot of effort)

Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:

http://chariotsolutions.com/blog/post/https-with-client-certificates-on/

You have my sympathy.
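
A sketch of Solution 3, added here as an example and not taken from the answer or the linked post: the app performs the mutual-TLS request itself with HttpsURLConnection and hands the fetched HTML to the WebView. The asset name client.p12, the class name and the way the password is supplied are hypothetical placeholders.

```java
import android.content.Context;
import android.webkit.WebView;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public final class ClientCertPageLoader {
    // Assumption: the client key pair ships as a PKCS#12 file in the app's assets.
    private static final String P12_ASSET = "client.p12";

    /** SSLContext that presents the client key and keeps the platform's server validation. */
    static SSLContext clientAuthContext(Context ctx, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = ctx.getAssets().open(P12_ASSET)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ssl = SSLContext.getInstance("TLS");
        // null trust managers = system trust store, so server certificates are still verified.
        ssl.init(kmf.getKeyManagers(), null, null);
        return ssl;
    }

    /** Call from a background thread: fetch over mutual TLS, then render on the UI thread. */
    static void load(final WebView view, final String httpsUrl, SSLContext ssl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setSSLSocketFactory(ssl.getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            for (int n; (n = in.read(chunk)) != -1; ) {
                buf.write(chunk, 0, n);
            }
            final String html = buf.toString("UTF-8");
            // WebView methods must run on the UI thread; post() hops there.
            view.post(() -> view.loadDataWithBaseURL(httpsUrl, html, "text/html", "UTF-8", null));
        } finally {
            conn.disconnect();
        }
    }
}
```

Only the document fetched here travels with the client certificate; images, scripts and XHR calls that the WebView then requests on its own do not, which is where the "lot of effort" comes from. A key and password bundled in the APK can be extracted by anyone holding the package, so this identifies the app build rather than an individual user.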
