我们目前在Sping Boot 应用程序中实现了相互身份验证,需要在Azure中部署它。Azure的负载平衡器在请求头字段“X-ARR-ClientCert”中重定向客户端证书(Base64编码),Spring无法在那里找到它。=>身份验证失败
Microsoft文档展示了如何在.NET应用程序中处理此问题:https://learn.microsoft.com/en-gb/azure/app-service-web/app-service-web-configure-tls-mutual-auth
我试着从OncePerRequestFilter的头中提取证书,并将其设置为请求如下:
public class AzureCertificateFilter extends OncePerRequestFilter {private static final Logger LOG = LoggerFactory.getLogger(AzureCertifacteFilter.class);private static final String AZURE_CLIENT_CERTIFICATE_HEADER = "X-ARR-ClientCert";private static final String JAVAX_SERVLET_REQUEST_X509_CERTIFICATE = "javax.servlet.request.X509Certificate";private static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----\n";private static final String END_CERT = "\n-----END CERTIFICATE-----";@Overrideprotected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {X509Certificate x509Certificate = extractClientCertificate(httpServletRequest);// azure redirects the certificate in a header fieldif (x509Certificate == null && StringUtils.isNotBlank(httpServletRequest.getHeader(AZURE_CLIENT_CERTIFICATE_HEADER))) {String x509CertHeader = BEGIN_CERT + httpServletRequest.getHeader(AZURE_CLIENT_CERTIFICATE_HEADER) + END_CERT;try (ByteArrayInputStream certificateStream = new ByteArrayInputStream(x509CertHeader.getBytes())) {X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certificateStream);httpServletRequest.setAttribute(JAVAX_SERVLET_REQUEST_X509_CERTIFICATE, certificate);} catch (CertificateException e) {LOG.error("X.509 certificate could not be created out of the header field {}. Exception: {}", AZURE_CLIENT_CERTIFICATE_HEADER, e.getMessage());}}filterChain.doFilter(httpServletRequest, httpServletResponse);}private X509Certificate extractClientCertificate(HttpServletRequest request) {X509Certificate[] certs = (X509Certificate[]) request.getAttribute(JAVAX_SERVLET_REQUEST_X509_CERTIFICATE);if (certs != null && certs.length > 0) {LOG.debug("X.509 client authentication certificate:" + certs[0]);return certs[0];}LOG.debug("No client certificate found in request.");return null;}}
字符串
但这在Spring filter链中会失败,但有以下例外:
sun.security.x509.X509CertImpl cannot be cast to [Ljava.security.cert.X509Certificate; /oaa/v1/spaces
型
配置如下所示:
@Overridepublic void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("**/docs/restapi/**").permitAll().anyRequest().authenticated().and().httpBasic().disable().addFilterBefore(new AzureCertificateFilter(), X509AuthenticationFilter.class).x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService());}
型
1条答案
按热度按时间bqjvbblv1#
我应该更仔细地阅读例外:
字符串
我必须设置一个像这样的证书数组:
型