In the Jetty server how can I obtain the client certificate used when client authentication is required?


Question

It is very easy to set up an embedded Jetty server that requests client authentication: One just needs to add the statement SslContextFactory.setNeedClientAuth(true); to the ssl context when configuring the server. Any client that has its certificate in the server's truststore will be able to establish a TLS connection to the server.

However I need to know which client of all the possible trusted clients is currently making a request; in other words I need to know the client certificate used in this connection, in particular in the handler. Does anyone know how to access this certificate or if it is even possible?

Recommended answer

The certificates are added to the Request objects (such as HttpServletRequest), by a HttpConfiguration Customizer.

Specifically, SecureRequestCustomizer.

Your code to use this would be as follows (scroll down)...

Server server = new Server();

// === HTTP Configuration ===
HttpConfiguration http_config = new HttpConfiguration();
http_config.setSecureScheme("https");
http_config.setSecurePort(8443);
http_config.setOutputBufferSize(32768);
http_config.setRequestHeaderSize(8192);
http_config.setResponseHeaderSize(8192);
http_config.setSendServerVersion(true);
http_config.setSendDateHeader(false);

// === Add HTTP Connector ===
ServerConnector http = new ServerConnector(server,
    new HttpConnectionFactory(http_config));
http.setPort(8080);
http.setIdleTimeout(30000);
server.addConnector(http);

// === Configure SSL KeyStore, TrustStore, and Ciphers ===
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("/path/to/keystore");
sslContextFactory.setKeyStorePassword("changeme");
sslContextFactory.setKeyManagerPassword("changeme");
sslContextFactory.setTrustStorePath("/path/to/truststore");
sslContextFactory.setTrustStorePassword("changeme");
sslContextFactory.setExcludeCipherSuites(
      "SSL_RSA_WITH_DES_CBC_SHA",
      "SSL_DHE_RSA_WITH_DES_CBC_SHA",
      "SSL_DHE_DSS_WITH_DES_CBC_SHA",
      "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
      "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
      "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
      "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");

// === SSL HTTP Configuration ===
HttpConfiguration https_config = new HttpConfiguration(http_config);
https_config.addCustomizer(new SecureRequestCustomizer()); // <-- HERE

// == Add SSL Connector ===
ServerConnector sslConnector = new ServerConnector(server,
    new SslConnectionFactory(sslContextFactory,"http/1.1"),
    new HttpConnectionFactory(https_config));
sslConnector.setPort(8443);
server.addConnector(sslConnector);

With this SecureRequestCustomizer in place you can access various pieces about the SSL connection from the HttpServletRequest.getAttribute(String) calls using the following attribute names.

javax.servlet.request.X509Certificate

an array of java.security.cert.X509Certificate[]

javax.servlet.request.cipher_suite

the String name of the cipher suite. (same as what is returned from javax.net.ssl.SSLSession.getCipherSuite())

javax.servlet.request.key_size

Integer of the key length in use

javax.servlet.request.ssl_session_id

String representation (hexified) of the active SSL Session ID
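
One way to read the certificate inside a Jetty handler, as an added example that is not part of the original answer. It assumes the Jetty 9.x AbstractHandler signature and the javax.servlet attribute name listed above; ClientCertHandler and sha256Hex are hypothetical names.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.AbstractHandler;

// Hypothetical handler name; Jetty 9.x / javax.servlet API assumed, as in the answer above.
public class ClientCertHandler extends AbstractHandler {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        baseRequest.setHandled(true);
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        // The attribute is absent on the plain HTTP connector (port 8080) and on TLS
        // connections where no client certificate was presented, so fail closed.
        if (chain == null || chain.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate client = chain[0]; // the peer's own certificate comes first in the chain
        response.setContentType("text/plain;charset=utf-8");
        response.getWriter().printf("subject=%s%nissuer=%s%nserial=%s%nsha256=%s%n",
            client.getSubjectX500Principal().getName(),
            client.getIssuerX500Principal().getName(),
            client.getSerialNumber().toString(16),
            sha256Hex(client));
    }

    // SHA-256 over the DER encoding: a stable key for mapping a certificate to an
    // application identity, since subject DNs can repeat across trusted issuers.
    static String sha256Hex(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }
    }
}
```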
