Я пытаюсь настроить приложение Spring для использования взаимной аутентификации.
Я настроил свой сертификат в приложении Spring:
С этим параметром безопасности:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.x509()
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService());
}
@Bean
public UserDetailsService userDetailsService() {
return (username -> {
if (username.equals("username-client") || username.equals("username-client2")) {
return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
}else{
return null;
}
});
}
}
С простым контроллером:
import java.security.Principal;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HomeRestController {
@GetMapping("/")
public String home(Principal principal){
return String.format("Hello");
}
}
это yml:
spring:
application:
name: secure-server
server:
port: 8443
ssl:
key-store: /etc/server-keystore.jks
key-store-password: secret
key-alias: secure-server
trust-store: /etc/server-truststore.jks
trust-store-password: secret
enabled: true
client-auth: need
logging:
level:
org.springframework.security: DEBUG
При покупке я получаю следующую ошибку:
Когда я пытаюсь перейти кhttps://localhost:8443
2018-10-25 17:25:34.220 DEBUG 8860 --- [nio-8443-exec-6] o.s.s.w.a.p.x.X509AuthenticationFilter : X.509 client authentication certificate:[
[
Version: V3
Subject: CN=codependent-client, OU=myorg, O=myorg, L=mycity, ST=mystate, C=es
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 16871416692840737602014239328252912721458550090979156337011143257056646452551249631895821516334762534048221445662425716111432470877441744896209907086608784210146253323874408565659537038138903736607029903259007673951311231811608464187671704420471773940741241523592341808754355478529119481669021762569152735937307440275083175360385142866759900800600589924553230042869466446753785433917212962240529056429081042998921678373393881064847319544359504222709510330376749843784594682847291877064589822434330080699459855895496066493625566608199435908617705184265376199917971485891001605213539525221590349424318350595490231187303
public exponent: 65537
Validity: [From: Thu Oct 25 13:02:13 COT 2018,
To: Wed Jan 23 13:02:13 COT 2019]
Issuer: CN=codependent-client, OU=myorg, O=myorg, L=mycity, ST=mystate, C=es
SerialNumber: [ 62c25a23]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 CF 56 FF 8F C3 67 56 1F 42 32 73 78 28 FD 64 ..V...gV.B2sx(.d
0010: 80 CB 53 AF ..S.
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 4E C0 DB 83 8B 2C E0 9F 7D D9 81 9E 2D 3A 7E 37 N....,......-:.7
0010: D3 77 41 E9 55 38 77 7D F8 AD 16 C6 E8 D9 EF 93 .wA.U8w.........
0020: F1 36 EB B6 FF 64 FD 68 58 16 78 DF B1 3C 7E 01 .6...d.hX.x..<..
0030: A2 B3 98 EB AD 8B 8D A5 EE 5A 48 71 08 29 B8 81 .........ZHq.)..
0040: EF 47 2D 7D 3F AA 8C B9 61 EA C4 D2 96 86 70 8C .G-.?...a.....p.
0050: CB 51 F2 57 1A 1D 16 3B 65 8D 20 1E 03 0E 7B C5 .Q.W...;e. .....
0060: E8 2D 69 59 7F A0 19 9C 54 CF 2B AF 52 AE E9 C0 .-iY....T.+.R...
0070: 1A F5 FE DF 71 34 F2 D3 F6 45 85 68 D8 74 D4 64 ....q4...E.h.t.d
0080: BD 57 23 D5 53 9E 3B 83 6C 4F A0 A4 72 0C F1 A7 .W#.S.;.lO..r...
0090: 0E CE A9 7B 51 BD 2D 3C 07 D8 2B B6 6B 72 7B AC ....Q.-<..+.kr..
00A0: 01 E1 5F 4E 47 B7 5C C4 CE EF 4B AE 35 D3 89 8B .._NG.\...K.5...
00B0: 79 33 A5 90 AE D2 E0 3B FC E8 22 7D BC 43 2B 00 y3.....;.."..C+.
00C0: D1 84 EE 4F 87 95 3C 81 F1 4F BC AB F6 05 B4 89 ...O..<..O......
00D0: 54 FF 31 A5 81 8C 20 5D 1A 4F 57 7B 26 29 09 53 T.1... ].OW.&).S
00E0: 4E 16 C3 4D 36 12 DC 07 83 76 7B D7 21 94 B9 60 N..M6....v..!..`
00F0: C5 8B E2 2F 27 2D BC 7A 02 3D 53 19 B8 AD 16 03 .../'-.z.=S.....
]
2018-10-25 17:25:34.221 DEBUG 8860 --- [nio-8443-exec-6] .w.a.p.x.SubjectDnX509PrincipalExtractor : Subject DN is 'CN=codependent-client, OU=myorg, O=myorg, L=mycity, ST=mystate, C=es'
2018-10-25 17:25:34.227 DEBUG 8860 --- [nio-8443-exec-6] .w.a.p.x.SubjectDnX509PrincipalExtractor : Extracted Principal name is 'codependent-client'
2018-10-25 17:25:34.228 DEBUG 8860 --- [nio-8443-exec-6] o.s.s.w.a.p.x.X509AuthenticationFilter : X.509 client authentication certificate:[
[
Version: V3
Subject: CN=codependent-client, OU=myorg, O=myorg, L=mycity, ST=mystate, C=es
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 16871416692840737602014239328252912721458550090979156337011143257056646452551249631895821516334762534048221445662425716111432470877441744896209907086608784210146253323874408565659537038138903736607029903259007673951311231811608464187671704420471773940741241523592341808754355478529119481669021762569152735937307440275083175360385142866759900800600589924553230042869466446753785433917212962240529056429081042998921678373393881064847319544359504222709510330376749843784594682847291877064589822434330080699459855895496066493625566608199435908617705184265376199917971485891001605213539525221590349424318350595490231187303
public exponent: 65537
Validity: [From: Thu Oct 25 13:02:13 COT 2018,
To: Wed Jan 23 13:02:13 COT 2019]
Issuer: CN=codependent-client, OU=myorg, O=myorg, L=mycity, ST=mystate, C=es
SerialNumber: [ 62c25a23]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 CF 56 FF 8F C3 67 56 1F 42 32 73 78 28 FD 64 ..V...gV.B2sx(.d
0010: 80 CB 53 AF ..S.
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 4E C0 DB 83 8B 2C E0 9F 7D D9 81 9E 2D 3A 7E 37 N....,......-:.7
0010: D3 77 41 E9 55 38 77 7D F8 AD 16 C6 E8 D9 EF 93 .wA.U8w.........
0020: F1 36 EB B6 FF 64 FD 68 58 16 78 DF B1 3C 7E 01 .6...d.hX.x..<..
0030: A2 B3 98 EB AD 8B 8D A5 EE 5A 48 71 08 29 B8 81 .........ZHq.)..
0040: EF 47 2D 7D 3F AA 8C B9 61 EA C4 D2 96 86 70 8C .G-.?...a.....p.
0050: CB 51 F2 57 1A 1D 16 3B 65 8D 20 1E 03 0E 7B C5 .Q.W...;e. .....
0060: E8 2D 69 59 7F A0 19 9C 54 CF 2B AF 52 AE E9 C0 .-iY....T.+.R...
0070: 1A F5 FE DF 71 34 F2 D3 F6 45 85 68 D8 74 D4 64 ....q4...E.h.t.d
0080: BD 57 23 D5 53 9E 3B 83 6C 4F A0 A4 72 0C F1 A7 .W#.S.;.lO..r...
0090: 0E CE A9 7B 51 BD 2D 3C 07 D8 2B B6 6B 72 7B AC ....Q.-<..+.kr..
00A0: 01 E1 5F 4E 47 B7 5C C4 CE EF 4B AE 35 D3 89 8B .._NG.\...K.5...
00B0: 79 33 A5 90 AE D2 E0 3B FC E8 22 7D BC 43 2B 00 y3.....;.."..C+.
00C0: D1 84 EE 4F 87 95 3C 81 F1 4F BC AB F6 05 B4 89 ...O..<..O......
00D0: 54 FF 31 A5 81 8C 20 5D 1A 4F 57 7B 26 29 09 53 T.1... ].OW.&).S
00E0: 4E 16 C3 4D 36 12 DC 07 83 76 7B D7 21 94 B9 60 N..M6....v..!..`
00F0: C5 8B E2 2F 27 2D BC 7A 02 3D 53 19 B8 AD 16 03 .../'-.z.=S.....
]
2018-10-25 17:25:34.238 DEBUG 8860 --- [nio-8443-exec-6] o.s.s.w.a.p.x.X509AuthenticationFilter : preAuthenticatedPrincipal = codependent-client, trying to authenticate
2018-10-25 17:25:34.240 DEBUG 8860 --- [nio-8443-exec-6] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider
2018-10-25 17:25:34.240 DEBUG 8860 --- [nio-8443-exec-6] p.PreAuthenticatedAuthenticationProvider : PreAuthenticated authentication request: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@15d907a9: Principal: codependent-client; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities
2018-10-25 17:25:34.241 DEBUG 8860 --- [nio-8443-exec-6] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-10-25 17:25:34.241 DEBUG 8860 --- [nio-8443-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-10-25 17:25:34.243 ERROR 8860 --- [nio-8443-exec-6] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
java.lang.NullPointerException: null
at org.springframework.security.authentication.AccountStatusUserDetailsChecker.check(AccountStatusUserDetailsChecker.java:32) ~[spring-security-core-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider.authenticate(PreAuthenticatedAuthenticationProvider.java:105) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:184) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:118) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) ~[spring-security-web-4.2.1.RELEASE.jar!/:4.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.6.RELEASE.jar!/:4.3.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:474) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_171]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_171]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.11.jar!/:8.5.11]
at java.lang.Thread.run(Unknown Source) [na:1.8.0_171]
Я импортировал сертификат в браузер.И я весной пытался с клиентом, используя мой склад ключей и trustore.И в обоих случаях у меня нулевой указатель.
В чем проблема?