2017-06-29 59 views
0

Java EE application in which a SOAP call is made using a SoapClient object (deployed on Wildfly 9): disabling certificate checking

SOAPMessage reply = con.call(message, url); 

I get the following message:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:183)

Since the problem is with the certificate, I tried to bypass the error:

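import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.xml.soap.SOAPConnectionFactory;

// Trust manager that accepts every certificate chain without validating it
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }
    }
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
// Replaces the JVM-wide default socket factory used by HttpsURLConnection
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

soapConnectionFactory = SOAPConnectionFactory.newInstance();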

This didn't have any effect.

Any ideas?

Answers

1

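If CXF is your client framework, then it does not use the default HTTP socket factory, but its own.

So, I suggest you use the CXF configuration facilities, as described in the CXF manual and in the TLS parameters configuration.

It boils down to creating a conduit for your specific endpoint and setting its parameters, for example setting up the conduit for an endpoint in the HelloWorld namespace: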

<http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit">
    <http:tlsClientParameters>
        <sec:trustManagers>
            <sec:keyStore type="JKS" password="password"
                file="my/file/dir/Truststore.jks"/>
        </sec:trustManagers>
    </http:tlsClientParameters>
</http:conduit>

Note that you can set an SSLSocketFactory instead of a keystore (see the second link above):

Client TLS Parameters : sslSocketFactory > A SSLSocketFactory to use. All other bean properties are ignored if this is set.

If you do not wish to use XML/Spring configuration, you can resort to programmatic calls by tapping into the CXF API:

How to configure the HTTPConduit for the SOAP Client?
First you need to get the HTTPConduit from the Proxy object or Client, then you can set the HTTPClientPolicy, AuthorizationPolicy, ProxyAuthorizationPolicy, TLSClientParameters, and/or HttpBasicAuthSupplier.

import org.apache.cxf.endpoint.Client; 
import org.apache.cxf.frontend.ClientProxy; 
import org.apache.cxf.transport.http.HTTPConduit; 
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; 
... 

URL wsdl = getClass().getResource("wsdl/greeting.wsdl"); 
SOAPService service = new SOAPService(wsdl, serviceName); 
Greeter greeter = service.getPort(portName, Greeter.class); 

// Okay, are you sick of configuration files 
// This will show you how to configure the http conduit dynamically 
Client client = ClientProxy.getClient(greeter); 
HTTPConduit http = (HTTPConduit) client.getConduit(); 

HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy(); 

httpClientPolicy.setConnectionTimeout(36000); 
httpClientPolicy.setAllowChunking(false); 
httpClientPolicy.setReceiveTimeout(32000); 

http.setClient(httpClientPolicy); 

... 
    greeter.sayHi("Hello"); 

You can also check this SO answer, How to programmatically set the SSLContext of a JAX-WS client?, which has solutions for both CXF and non-CXF cases.

You may want to look at this solution in particular:

<http-conf:conduit name="*.http-conduit">
    <http-conf:tlsClientParameters useHttpsURLConnectionDefaultSslSocketFactory="true" />
</http-conf:conduit>
+0

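My problem is: I don't use Spring and I don't have a WSDL file. The call just creates a SOAP client (SOAPConnectionFactory.createConnection()) and later invokes the SOAP method using the call method with the message/URL as parameters. – kandan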

+0

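I understand that the TLS parameters of the HTTP Conduit object have to be set. But is there any other way? Maybe there is some configuration inside standalone.xml, I don't know. Using Wildfly 9. – kandan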

+0

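Sorry, I don't know about that. The key is to look at the CXF/SAAJ implementation to understand how CXF builds its transport conduit starting from the SOAPMessageFactory. The full stack trace of the error can help you navigate the code. – GPI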
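
The programmatic counterpart of the trustManagers conduit configuration in the answer, as an added example that is not part of the original thread or of the CXF documentation: it loads a JKS truststore and sets it on the client's HTTPConduit, so the server certificate is validated against the CA you imported rather than not validated at all. The class name ConduitTrust and its method names are hypothetical, and it assumes a CXF proxy client such as the greeter port in the answer.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper (not CXF's own code): ties a CXF client to a private truststore.
public final class ConduitTrust {

    /** Builds TLS parameters that trust only the certificates in the given JKS file. */
    static TLSClientParameters fromTruststore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        // Fail early on a truststore without certificate entries; otherwise the
        // problem only surfaces later, during the TLS handshake.
        boolean hasAnchor = false;
        for (String alias : Collections.list(trustStore.aliases())) {
            hasAnchor |= trustStore.isCertificateEntry(alias);
        }
        if (!hasAnchor) {
            throw new IllegalStateException("No trusted certificate entries in " + path);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        // disableCNCheck is left untouched, so host name verification stays enabled.
        return tls;
    }

    /** Applies the truststore to the conduit of a CXF proxy such as the greeter port. */
    static void apply(Object port, String path, char[] password) throws Exception {
        Client client = ClientProxy.getClient(port);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(fromTruststore(path, password));
    }
}
```

Call ConduitTrust.apply(greeter, "my/file/dir/Truststore.jks", "password".toCharArray()) before the first invocation; the path and password are the sample values from the conduit XML above.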