【Question title】: Spring Cloud Gateway resource server: No subject alternative names present
【Posted】: 2021-12-08 19:18:28
【Question】:

Our Spring Cloud Gateway is configured as a resource server for token validation and access control with Keycloak. Our Keycloak instance runs over HTTPS (for the LDAP connection). When I try to send a request with a token to the gateway, I get the error: `Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present`.

What options do I have to disable the certificate and subject alternative name checks while developing the Keycloak authentication? Thanks for any suggestions.

【Question comments】:

  • It looks like your Spring Boot application is trying to verify the hostname in the Keycloak SSL certificate and failing. You could try disabling hostname verification in a @Configuration class with something like HttpsURLConnection.setDefaultHostnameVerifier(new org.apache.http.conn.ssl.NoopHostnameVerifier());
  • @httPants It doesn't work for me :( I tried HostnameVerifier allHostsValid = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid); but it errors anyway

Tags: java spring spring-cloud


【Solution 1】:

OK, I had forgotten about this question, but I now have a simple solution. It looks like a development-only solution.

import io.netty.handler.logging.LogLevel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.logging.AdvancedByteBufFormat;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

// Development-only: replaces the autoconfigured ReactiveJwtDecoder with one whose HTTP client
// accepts any server certificate. Because the JDK performs hostname (SAN) matching inside the
// trust manager, skipping chain validation also skips the check that produced the error.
@Configuration
@Slf4j
@ConditionalOnProperty("spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
public class SslResolverConfig {

  @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
  private String jwkSetUri;

  @Bean
  public ReactiveJwtDecoder reactiveJwtDecoder() {
    log.debug("JWK Set URI {}", jwkSetUri);
    var httpClient = createHttpClient();
    var connector = new ReactorClientHttpConnector(httpClient);
    var webClient = WebClient
        .builder()
        .clientConnector(connector)
        .build();
    // Fetch the JWK Set through the permissive WebClient instead of the default one.
    return NimbusReactiveJwtDecoder
        .withJwkSetUri(jwkSetUri)
        .webClient(webClient)
        .build();
  }

  @SneakyThrows
  public HttpClient createHttpClient() {
    // Trust manager that accepts every certificate chain without examining it.
    TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
      public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // empty array rather than null, which some callers dereference
      }

      public void checkClientTrusted(X509Certificate[] certs, String authType) {
      }

      public void checkServerTrusted(X509Certificate[] certs, String authType) {
      }
    }
    };

    // Relaxes the JVM-wide default for HttpsURLConnection as well. This does not affect the
    // Reactor Netty client built below, which is given its own SslContext.
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Netty client that trusts every server certificate via InsecureTrustManagerFactory;
    // wiretap logs the full request/response text, including bearer tokens.
    SslContext sslContext = SslContextBuilder
        .forClient()
        .trustManager(InsecureTrustManagerFactory.INSTANCE)
        .build();
    return HttpClient.create()
        .secure(t -> t.sslContext(sslContext))
        .wiretap("LoggingFilter", LogLevel.INFO, AdvancedByteBufFormat.TEXTUAL);
  }
}
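A hardened alternative to the same bean, added here as an example and not code from the question or the answer: it pins trust to the CA (or self-signed certificate) behind Keycloak's TLS certificate and keeps hostname verification on, and includes a helper that lists a certificate's SAN entries so the missing-SAN cause of the error can be checked. The property keycloak.tls.ca-cert, the class name and the helper are assumptions; the libraries are the same Spring Security, WebFlux and Reactor Netty ones used in the answer.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import javax.net.ssl.SSLException;
import java.io.File;
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

@Configuration
public class KeycloakTrustJwtDecoderConfig {

  @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
  private String jwkSetUri;
  // Hypothetical property: PEM file with the CA (or self-signed cert) behind Keycloak's TLS certificate.
  @Value("${keycloak.tls.ca-cert}")
  private String keycloakCaPem;

  @Bean
  public ReactiveJwtDecoder reactiveJwtDecoder() throws SSLException {
    // Trust only chains rooted in that CA; hostname (SAN) verification stays on, so the
    // Keycloak certificate must carry a SAN matching the host in the JWK Set URI.
    SslContext sslContext = SslContextBuilder.forClient()
        .trustManager(new File(keycloakCaPem))
        .build();
    HttpClient httpClient = HttpClient.create().secure(t -> t.sslContext(sslContext));
    WebClient webClient = WebClient.builder()
        .clientConnector(new ReactorClientHttpConnector(httpClient)).build();
    return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).webClient(webClient).build();
  }

  /** Lists "type:value" SAN entries (2 = DNS, 7 = IP) of a PEM certificate; empty when the extension is absent. */
  public static List<String> subjectAltNames(String pemPath) throws Exception {
    try (FileInputStream in = new FileInputStream(pemPath)) {
      X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
      List<String> names = new ArrayList<>();
      var sans = cert.getSubjectAlternativeNames(); // null when the extension is missing
      if (sans != null) for (List<?> entry : sans) names.add(entry.get(0) + ":" + entry.get(1));
      return names;
    }
  }
}
```

If subjectAltNames() returns an empty list for the Keycloak certificate, reissue the certificate with a SAN covering the host name or IP address used in the JWK Set URI (an IP address requires an IP SAN entry, type 7).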

【Discussion】:
