我想在讲REST的Grails中设置基于证书的登录身份验证。
根据Burt Beckwith的文档,我使用Spring Security插件(spring-security-core:2.0-RC3)设置X509身份验证:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'de.app.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'de.app.UserRole'
grails.plugin.springsecurity.authority.className = 'de.app.Role'
grails.plugin.springsecurity.useX509 = true
grails.plugin.springsecurity.portMapper.httpsPort = "8443"
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
'/': ['permitAll'],
'/index': ['permitAll'],
'/index.gsp': ['permitAll'],
'/**/js/**': ['permitAll'],
'/**/css/**': ['permitAll'],
'/**/images/**': ['permitAll'],
'/**/favicon.ico': ['permitAll']
]
证书文件的生成和Tomcat配置似乎有些棘手,但已经在另一个答案中指出了这一点。我这样做了,并且使用当前的标准,我必须配置Tomcat 7,首先也是最重要的是keystoreFile,keystorePass和clientAuth。我无法直接访问server.xml。因此,我必须找到另一个地方。与此相关的Tomcat插件配置看起来仅限于参数keystorePath和keystorePassword。我通过将其添加到BuildConfig来进行尝试:
grails.tomcat.keystorePath = "${basedir}/grails-app/conf/server.jks"
grails.tomcat.keystorePassword = "password"
不知道这两行是否足够。我发现此解决方案设置了更多的连接器参数,但显然不再触发该事件,因此代码无效。
我发现了三种使用证书进行请求的方法,即Firefox,cURL和wget。没有任何工作!在我的Grails应用程序中全部登录后,我发现Spring Security中显然没有证书到达:
web.FilterChainProxy /vehicle at position 3 of 9 in additional filter chain; firing Filter: 'X509AuthenticationFilter'
x509.X509AuthenticationFilter Checking secure context token: null
x509.X509AuthenticationFilter No client certificate found in request.
x509.X509AuthenticationFilter No pre-authenticated principal found in request
卷曲请求:
curl -v -H "Content-Type: application/xml" --cert ./username.p12 -k -i https://localhost:8443/de.app/vehicle
及其替代方案:
wget —v --header='Content-Type: application/xml' --certificate='./username.p12' --no-check-certificate -S https://localhost:8443/de.app/vehicle
(我想解决的Mac OS X Mavericks的curl中有一个bug。)响应始终是403(禁止):
* Adding handle: conn: 0x7f840280fe00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f840280fe00) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8443 (#0)
* Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate: Web Server
> GET /de.app/vehicle HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:8443
> Accept: */*
> Content-Type: application/xml
>
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
我究竟做错了什么?证书尚未发送或未从请求中正确获取证书。我相信后者。有什么猜测可以让我更深入地了解吗?
您需要告诉Tomcat,您想对SSL使用客户端身份验证。连同已经添加到BuildConfig的密钥库配置一起,添加以下内容:
grails.tomcat.clientAuth = "want"
或者
grails.tomcat.clientAuth = "true"
如果不存在证书,则第一个不会自动使身份验证失败,而该true
值会自动失败。
另外,如果您打算对客户端使用自签名证书,则需要创建一个受信任的密钥库,并将Tomcat配置为也使用它。
grails.tomcat.truststorePath = "${grailsSettings.baseDir}/conf/ssl/server/truststore.jks"
grails.tomcat.truststorePassword = "changeit"
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句