Attach client certificates with Axis2?


Question

Is it possible to easily attach a client certificate to an Axis2 stub generated using wsdl2java? I need to change the client certificate dynamically on a per-request basis, so simply storing it in the keystore won't work for our case.

I've found examples where this is being done for non-SOAP calls, but could not find anything related to using the Axis client stubs. Trying to hack the XML for the SOAP call is an option I guess, albeit a painful one! Groan!

Recommended answer

If you want to change which certificate is used depending on which connection is made, you'll need to configure an SSLContext to do so, as described in this answer: https://stackoverflow.com/a/3713147/372643

As far as I know, Axis 2 uses Apache HttpClient 3.x, so you'll need to follow its way of configuring the SSLContext (and X509KeyManager if needed). The easiest way might be to configure Apache HttpClient's global https protocol handler with your SSLContext, set up with an X509KeyManager configured to choose the client certificate as you require (via chooseClientAlias).

If the issuers and the connected Socket (probably the remote address) are not enough for deciding which certificate to choose, you may need to implement a more complex logic which will almost inevitably require careful synchronization with the rest of your application.

Edit

Once you've built your SSLContext and X509KeyManager, you need to pass them to Apache HttpClient 3.x. For this, you can build your own SecureProtocolSocketFactory, which will build the socket from this SSLContext (via an SSLSocketFactory, see SSLContext methods). There are examples in the Apache HttpClient 3.x SSL guide. Avoid EasySSLProtocolSocketFactory, since it won't check any server cert (thereby allowing for MITM attacks). You could also try this implementation.

Note that you only really need to customize your X509KeyManager; you can initialize your SSLContext (via init) with null for the other parameters to keep the default values (in particular the default trust settings).

Then, "install" this SecureProtocolSocketFactory globally for Apache HttpClient 3.x using something like this:

Protocol.registerProtocol("https", new Protocol("https",
   (ProtocolSocketFactory)secureProtocolSocketFactory, 443));
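
The X509KeyManager and SSLContext pieces described in the answer, as an added example that is not part of the original answer or of Axis2: a key manager whose chooseClientAlias returns an alias chosen by the calling thread, placed in an SSLContext that keeps the default trust settings. The class name PerRequestKeyManager and its useAlias/clear/buildContext helpers are hypothetical. It assumes all candidate identities are loaded into one KeyStore (which may be built in memory) with a shared key password, and that the stub call and its TLS handshake run on the calling thread.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/** Delegates to the default key manager but lets the calling thread pick the client alias. */
public class PerRequestKeyManager implements X509KeyManager {
    // Hypothetical per-thread selector: set it before invoking the stub, clear it afterwards.
    private static final ThreadLocal<String> ALIAS = new ThreadLocal<>();
    private final X509KeyManager delegate;

    public PerRequestKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    public static void useAlias(String alias) { ALIAS.set(alias); }
    public static void clear() { ALIAS.remove(); }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        String alias = ALIAS.get();
        // Fail closed: offer only an alias that has a key; never fall back to another identity.
        return (alias != null && delegate.getPrivateKey(alias) != null) ? alias : null;
    }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext with this key manager and the JVM's default trust settings. */
    public static SSLContext buildContext(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                SSLContext ctx = SSLContext.getInstance("TLS");
                // null trust managers and SecureRandom keep the defaults, so server certs are still verified.
                ctx.init(new KeyManager[] { new PerRequestKeyManager((X509KeyManager) km) }, null, null);
                return ctx;
            }
        }
        throw new IllegalStateException("no X509KeyManager available");
    }
}
```

The SSLSocketFactory from the returned context is what a SecureProtocolSocketFactory would wrap before the registerProtocol call above. chooseClientAlias is only consulted during a TLS handshake, so a pooled or kept-alive connection keeps the certificate it was opened with.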
