Coding Manapache httpclient与SSL
Contents
1. 概述
本文将展示如何使用“全部接受”SSL 支持来配置 Apache HttpClient 4。目标很简单——使用没有有效证书的 HTTPS URL。
如果您想更深入地挖掘并学习可以使用 HttpClient 做的其他很酷的事情 - 前往**主要的 HttpClient 介绍 **。
2. SSLPeerUnverifiedException
如果不使用HttpClient配置 SSL ,以下测试(使用 HTTPS URL)将失败:
public class RestClientLiveManualTest {
@Test(expected = SSLPeerUnverifiedException.class)
public void whenHttpsUrlIsConsumed_thenException()
throws ClientProtocolException, IOException {
CloseableHttpClient httpClient = HttpClients.createDefault();
String urlOverHttps
= "https://localhost:8082/httpclient-simple";
HttpGet getMethod = new HttpGet(urlOverHttps);
HttpResponse response = httpClient.execute(getMethod);
assertThat(response.getStatusLine().getStatusCode(), equalTo(200));
}
}
确切的失败是:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
...
每当无法为 URL 建立有效的信任链时,就会发生javax.net.ssl.SSLPeerUnverifiedException 异常。
3. 配置 SSL – 全部接受 (HttpClient < 4.3)
现在让我们将 HTTP 客户端配置为信任所有证书链,无论其有效性如何:
@Test
public final void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenOk()
throws GeneralSecurityException {
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
CloseableHttpClient httpClient = (CloseableHttpClient) requestFactory.getHttpClient();
TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
SSLSocketFactory sf = new SSLSocketFactory(acceptingTrustStrategy, ALLOW_ALL_HOSTNAME_VERIFIER);
httpClient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 8443, sf));
ResponseEntity<String> response = new RestTemplate(requestFactory).
exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
随着新的TrustStrategy现在覆盖标准证书验证过程(应咨询已配置的信任管理器) - 测试现在通过并且客户端能够使用 HTTPS URL。
4.配置 SSL – Accept All (HttpClient 4.4 及以上)
使用新的 HTTPClient,现在我们有了一个增强的、重新设计的默认 SSL 主机名验证器。同样通过SSLConnectionSocketFactory和RegistryBuilder的引入,构建 SSLSocketFactory 变得很容易。所以我们可以编写上面的测试用例:
@Test
public final void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenOk()
throws GeneralSecurityException {
TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
NoopHostnameVerifier.INSTANCE);
Registry<ConnectionSocketFactory> socketFactoryRegistry =
RegistryBuilder.<ConnectionSocketFactory> create()
.register("https", sslsf)
.register("http", new PlainConnectionSocketFactory())
.build();
BasicHttpClientConnectionManager connectionManager =
new BasicHttpClientConnectionManager(socketFactoryRegistry);
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf)
.setConnectionManager(connectionManager).build();
HttpComponentsClientHttpRequestFactory requestFactory =
new HttpComponentsClientHttpRequestFactory(httpClient);
ResponseEntity<String> response = new RestTemplate(requestFactory)
.exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
5. 带有 SSL 的 Spring RestTemplate (HttpClient < 4.3)
既然我们已经了解了如何配置具有 SSL 支持的原始HttpClient,让我们看一下更高级别的客户端 - Spring RestTemplate。
在未配置 SSL 的情况下,以下测试按预期失败:
@Test(expected = ResourceAccessException.class)
public void whenHttpsUrlIsConsumed_thenException() {
String urlOverHttps
= "https://localhost:8443/httpclient-simple/api/bars/1";
ResponseEntity<String> response
= new RestTemplate().exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
所以让我们配置 SSL:
@Test
public void givenAcceptingAllCertificates_whenHttpsUrlIsConsumed_thenException()
throws GeneralSecurityException {
HttpComponentsClientHttpRequestFactory requestFactory
= new HttpComponentsClientHttpRequestFactory();
DefaultHttpClient httpClient
= (DefaultHttpClient) requestFactory.getHttpClient();
TrustStrategy acceptingTrustStrategy = (cert, authType) -> true
SSLSocketFactory sf = new SSLSocketFactory(
acceptingTrustStrategy, ALLOW_ALL_HOSTNAME_VERIFIER);
httpClient.getConnectionManager().getSchemeRegistry()
.register(new Scheme("https", 8443, sf));
String urlOverHttps
= "https://localhost:8443/httpclient-simple/api/bars/1";
ResponseEntity<String> response = new RestTemplate(requestFactory).
exchange(urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}
如您所见,这与我们为原始 HttpClient 配置 SSL 的方式非常相似——我们为请求工厂配置 SSL 支持,然后通过这个预配置工厂实例化模板。
6. 带有 SSL 的 Spring RestTemplate (HttpClient 4.4)
我们可以使用相同的方式来配置我们的RestTemplate:
@Test
public void givenAcceptingAllCertificatesUsing4_4_whenUsingRestTemplate_thenCorrect()
throws ClientProtocolException, IOException {
CloseableHttpClient httpClient
= HttpClients.custom()
.setSSLHostnameVerifier(new NoopHostnameVerifier())
.build();
HttpComponentsClientHttpRequestFactory requestFactory
= new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(httpClient);
ResponseEntity<String> response
= new RestTemplate(requestFactory).exchange(
urlOverHttps, HttpMethod.GET, null, String.class);
assertThat(response.getStatusCode().value(), equalTo(200));
}