在Java中使用HTTPS和REST [英] Using HTTPS with REST in Java

问题描述

我有一个用Grizzly制作的REST服务器，它使用HTTPS并与Firefox完美配合。这是代码：

I have a REST server made in Grizzly that uses HTTPS and works wonderfully with Firefox. Here's the code:

//Build a new Servlet Adapter.
ServletAdapter adapter=new ServletAdapter();
adapter.addInitParameter("com.sun.jersey.config.property.packages", "My.services");
adapter.addInitParameter(ResourceConfig.PROPERTY_CONTAINER_REQUEST_FILTERS, SecurityFilter.class.getName());
adapter.setContextPath("/");
adapter.setServletInstance(new ServletContainer());

//Configure SSL (See instructions at the top of this file on how these files are generated.)
SSLConfig ssl=new SSLConfig();
String keystoreFile=Main.class.getResource("resources/keystore_server.jks").toURI().getPath();
System.out.printf("Using keystore at: %s.",keystoreFile);
ssl.setKeyStoreFile(keystoreFile);
ssl.setKeyStorePass("asdfgh");

//Build the web server.
GrizzlyWebServer webServer=new GrizzlyWebServer(getPort(9999),".",true);

//Add the servlet.
webServer.addGrizzlyAdapter(adapter, new String[]{"/"});

//Set SSL
webServer.setSSLConfig(ssl);

//Start it up.
System.out.println(String.format("Jersey app started with WADL available at "
  + "%sapplication.wadl\n",
        "https://localhost:9999/"));
webServer.start();

现在，我尝试用Java来实现它：

Now, I try to reach it in Java:

SSLContext ctx=null;
try {
    ctx = SSLContext.getInstance("SSL");
} catch (NoSuchAlgorithmException e1) {
    e1.printStackTrace();
}
ClientConfig config=new DefaultClientConfig();
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(null,ctx));
WebResource service=Client.create(new DefaultClientConfig()).resource("https://localhost:9999/");

//Attempt to view the user's page.
try{
    service
        .path("user/"+username)
        .get(String.class);
}

获取：

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:128)
 at com.sun.jersey.api.client.Client.handle(Client.java:453)
 at com.sun.jersey.api.client.WebResource.handle(WebResource.java:557)
 at com.sun.jersey.api.client.WebResource.get(WebResource.java:179)

来自我发现的示例在网络上，似乎我需要设置一个Truststore然后设置某种TrustManager。这看起来像我的简单小项目的许多代码和设置工作。有没有更容易的方式来说..我相信这个证书并指向.cert文件？

From examples that I've found on the web, it seems like I would need to setup a Truststore then setup some sort of TrustManager. This seems like a lot of code and setup work for my simple little project. Is there an easier way to just say..I trust this cert and point to a .cert file?

推荐答案

当你说有没有更简单的方法来...信任这个证书，这正是你通过将证书添加到Java信任库来做的事情。这非常非常容易，而且您的客户端应用程序中无需任何操作即可识别或使用该信任存储。

When you say "is there an easier way to... trust this cert", that's exactly what you're doing by adding the cert to your Java trust store. And this is very, very easy to do, and there's nothing you need to do within your client app to get that trust store recognized or utilized.

在客户端计算机上，找到您的cacerts文件的位置（这是您的默认Java信任库，默认情况下位于< java-home> / lib / security / certs / cacerts。

On your client machine, find where your cacerts file is (that's your default Java trust store, and is, by default, located at <java-home>/lib/security/certs/cacerts.

然后，键入以下内容：

keytool -import -alias <Name for the cert> -file <the .cer file> -keystore <path to cacerts>

这会将证书导入您的信任存储区，在此之后，您的客户端应用程序将能够毫无问题地连接到您的Grizzly HTTPS服务器。

That will import the cert into your trust store, and after this, your client app will be able to connect to your Grizzly HTTPS server without issue.

如果您不想将证书导入默认信任库 - 也就是说，你只是希望它可用于这个客户端应用程序，而不是你在该机器上的JVM上运行的任何其他内容 - 然后你可以为你的应用程序创建一个新的信任库。而不是传递keytoo l现有的默认cacerts文件的路径，将keytool传递给新信任库文件的路径：

If you don't want to import the cert into your default trust store -- i.e., you just want it to be available to this one client app, but not to anything else you run on your JVM on that machine -- then you can create a new trust store just for your app. Instead of passing keytool the path to the existing, default cacerts file, pass keytool the path to your new trust store file:

keytool -import -alias <Name for the cert> -file <the .cer file> -keystore <path to new trust store>

您将被要求设置并验证信任库文件的新密码。然后，当您启动客户端应用程序时，使用以下参数启动它：

You'll be asked to set and verify a new password for the trust store file. Then, when you start your client app, start it with the following parameters:

java -Djavax.net.ssl.trustStore=<path to new trust store> -Djavax.net.ssl.trustStorePassword=<trust store password>

很容易俗气，真的。

这篇关于在Java中使用HTTPS和REST的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！