单向验证:
第一步:生成密钥:
在单向验证中,首先需要生成一个密钥。以下是生成密钥的命令:
keytool -genkey -alias mykey -keyalg RSA -keystore d:/key/testkey keytool -export -file d:/key/testkey.crt -alias mykey -keystore d:/key/testkey
由于是在本地进行测试,请修改本地的hosts文件,路径为C:\Windows\System32\drivers\etc\hosts,添加以下内容:
# localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 127.0.0.1 www.xiaochangwei.com
这样就可以通过域名进行访问。
第二步:配置Tomcat
在Tomcat的配置文件中,找到并启用HTTPS连接器。以下是基本的配置:
请注意,这段代码默认是注释掉的,需要手动取消注释。根据需要可以修改默认的端口,默认端口为8443。
在非Windows环境下,可能会遇到找不到密钥或密钥强度不足的问题,导致Tomcat无法正常启动或页面无法访问。解决方法如下:
- 为密钥文件添加后缀,以便非Windows环境识别。
- 增加密钥的复杂度。
完整配置如下:
第三步:发布项目
项目已经成功发布,且端口可用。测试端口情况:
从测试结果看,端口可以正常访问,证明部署成功。
参考资料:https://www./link/813c26fc0c3bf64573a10eafb3f8e5ee
双向验证
在双向验证中,需要生成服务器和客户端的证书,并进行相互信任配置。以下是相关的命令:
为服务器生成证书 keytool -genkey -v -alias server -keyalg RSA -keystore d:\key2\server.keystore -validity 36500为客户端生成证书 keytool -genkey -v -alias client -keyalg RSA -storetype PKCS12 -keystore d:\key2\client.key.p12
导入客户端证书让服务器信任客户端证书
先把客户端证书导出为cer文件格式 keytool -export -alias client -keystore d:\key2\client.key.p12 -storetype PKCS12 -storepass 123456 -rfc -file d:\key2\client.key.cer
将客户端cer导入到服务器证书库 keytool -import -v -file d:\key2\client.key.cer -keystore d:\key2\server.keystore
查看安装结果 keytool -list -keystore d:\key2\server.keystore
让客户端信任服务器证书
把服务器证书导出为cer文件 keytool -keystore d:\key2\server.keystore -export -alias server -file d:\key2\server.cer
在客户端安装服务器证书 选择受信任的根证书颁发机构
配置Tomcat
HTTP接口的调用本质上是通过地址建立连接,获取返回信息或发送请求数据,完成业务逻辑后关闭连接。可以使用原生态的接口调用方式或采用RESTful风格进行调用。如果需要调用多个HTTP接口,建议使用RESTful进行统一管理,使代码更加清晰。
在调用HTTPS接口时,如果对方项目使用双向验证,则需要提供证书和密码等信息。以下是绕过HTTPS验证的参考代码:
import java.io.IOException; import java.net.Socket; import java.net.UnknownHostException; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.UnrecoverableKeyException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import org.apache.http.HttpVersion; import org.apache.http.client.HttpClient; import org.apache.http.conn.ClientConnectionManager; import org.apache.http.conn.scheme.PlainSocketFactory; import org.apache.http.conn.scheme.Scheme; import org.apache.http.conn.scheme.SchemeRegistry; import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager; import org.apache.http.params.BasicHttpParams; import org.apache.http.params.HttpConnectionParams; import org.apache.http.params.HttpParams; import org.apache.http.params.HttpProtocolParams; import org.apache.http.protocol.HTTP;
public class HttpsClient { static public HttpClient newHttpsClient() { try { KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, null); SSLSocketFactory sf = new MySSLSocketFactory(trustStore); sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); HttpParams params = new BasicHttpParams(); HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1); HttpProtocolParams.setContentCharset(params, HTTP.UTF_8); HttpConnectionParams.setConnectionTimeout(params, 10000); HttpConnectionParams.setSoTimeout(params, 10000); SchemeRegistry registry = new SchemeRegistry(); registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80)); registry.register(new Scheme("https", sf, 443)); ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry); return new DefaultHttpClient(ccm, params); } catch (Exception e) { return new DefaultHttpClient(); } }
private static class MySSLSocketFactory extends SSLSocketFactory { SSLContext sslContext = SSLContext.getInstance("TLS"); public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { super(truststore); TrustManager tm = new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public X509Certificate[] getAcceptedIssuers() { return null; } }; sslContext.init(null, new TrustManager[] { tm }, null); } @Override public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException { return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose); } @Override public Socket createSocket() throws IOException { return sslContext.getSocketFactory().createSocket(); } }}
受此启发,在使用RESTful风格进行HTTP接口调用时,可以通过修改初始化的HttpClient来实现。以下是RESTful风格的HTTP接口调用示例代码,注意需要引入RestTemplate(在spring-web.jar中):
package com.xxx.rpc.restclient.utils;import java.io.IOException; import java.net.Socket; import java.net.UnknownHostException; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.UnrecoverableKeyException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.text.SimpleDateFormat; import java.util.Date; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import org.apache.http.client.HttpClient; import org.apache.http.conn.ClientConnectionManager; import org.apache.http.conn.scheme.PlainSocketFactory; import org.apache.http.conn.scheme.Scheme; import org.apache.http.conn.scheme.SchemeRegistry; import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpEntity; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; import org.springframework.util.StringUtils; import org.springframework.web.client.RestTemplate;
@SuppressWarnings("deprecation") public class HttpClientUtils { private static Logger logger = LoggerFactory.getLogger(HttpClientUtils.class);
private static String HTTP_PROTOCOL = "https://"; public static ResponseEntityExecute(FrontInfo frontInfo) { HttpClient httpClient = null; try { KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, null); SSLSocketFactory sf = new MySSLSocketFactory(trustStore); sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); SchemeRegistry registry = new SchemeRegistry(); registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), Integer.valueOf(frontInfo.getPort()))); registry.register(new Scheme("https", sf, Integer.valueOf(frontInfo.getPort()))); ClientConnectionManager ccm = new ThreadSafeClientConnManager(registry); httpClient = new DefaultHttpClient(ccm); } catch (Exception e) { logger.info("httpclient创建错误."); } HttpComponentsClientHttpRequestFactory httpComponentsClientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory(httpClient); httpComponentsClientHttpRequestFactory.setConnectTimeout(120 * 1000); httpComponentsClientHttpRequestFactory.setReadTimeout(120 * 1000); RestTemplate rt = new RestTemplate(httpComponentsClientHttpRequestFactory); String url = HttpClientUtils.generateUrl(frontInfo); HttpEntity requestEntity = HttpClientUtils.generateHttpEntity(frontInfo); try { System.out.println("httpMethod = " + frontInfo.getHttpMethod()); System.out.println("url = " + url); System.out.println("requestEntity = " + requestEntity); ResponseEntity responseEntity = rt.exchange(url, frontInfo.getHttpMethod(), requestEntity, String.class); logger.debug("responseEntity = [{}].", responseEntity); System.out.println("responseEntity = " + responseEntity); return responseEntity; } catch (Exception e) { System.out.println("info: " + e.getMessage()); logger.debug("error info: = [{}].", e.getMessage()); return generateRespWhenException(e); } } }
由于这是商业项目的代码,这里仅展示部分代码。通过这个示例可以完全掌握RESTful相关技术。需要解释的是:
frontInfo是一个通用的参数对象,用于确保接口调用方式统一,包含各接口需要的参数名等,如IP、端口、URL、方法、用户名等。generateUrl方法根据通用参数对象及条件生成具体的URL,如https://www./link/b7c341015338340fc8cc5c21e0473579。generateHttpEntity方法根据具体业务需求增加一些通用的头信息。exchange方法执行具体的请求,返回ResponseEntity,然后根据具体业务返回,进行解析。- 调用后解析返回信息大致如下,解析其中的body:
JSONObject object = JSONObject.parseObject(response.getBody().toString()); JSONObject userJson = JSONObject.parseObject(object.getString("user")); String uuid = userJson.getString("id");至此,RESTful使用方式介绍完毕。
ava.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.params.HttpParams;
import org.apache.http.params.HttpProtocolParams;
import org.apache.http.protocol.HTTP;