2017-06-29 63 views
0

Java EE application in which there is a SOAP call using a SoapClient object (deployed on Wildfly 9): disable certificate checking

SOAPMessage reply = con.call(message, url); 

I get the following message:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:183)

Since this is a certificate problem, I tried to bypass the error:

// Trust manager that accepts every certificate chain without validation
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            return;
        }
    }
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
// Only changes the JVM-wide default used by HttpsURLConnection
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

soapConnectionFactory = SOAPConnectionFactory.newInstance();

This didn't have any effect.

Any ideas?

Answers

1

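If CXF is your client framework, then it does not use the default HTTP socket factory, but its own.

So I suggest you use the CXF configuration facilities, as described in the CXF manual and in TLS parameters configuration.

It boils down to creating a conduit for your specific endpoint and setting its parameters, e.g. setting the configuration for an endpoint in the HelloWorld namespace: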

<http:conduit name="{http://apache.org/hello_world}HelloWorld.http-conduit"> 
<http:tlsClientParameters> 
    <sec:trustManagers> 
    <sec:keyStore type="JKS" password="password" 
        file="my/file/dir/Truststore.jks"/> 
    </sec:trustManagers> 
</http:tlsClientParameters>
</http:conduit>

Note that you can set an SSLSocketFactory instead of a keystore (see the second link above):

Client TLS Parameters : sslSocketFactory > A SSLSocketFactory to use. All other bean properties are ignored if this is set.

If you do not want to use XML/Spring configuration, you can resort to programmatic calls, by tapping into the CXF API

How to configure the HTTPConduit for the SOAP Client?
First you need get the HTTPConduit from the Proxy object or Client, then you can set the HTTPClientPolicy, AuthorizationPolicy, ProxyAuthorizationPolicy, TLSClientParameters, and/or HttpBasicAuthSupplier.

import org.apache.cxf.endpoint.Client; 
import org.apache.cxf.frontend.ClientProxy; 
import org.apache.cxf.transport.http.HTTPConduit; 
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; 
... 

URL wsdl = getClass().getResource("wsdl/greeting.wsdl"); 
SOAPService service = new SOAPService(wsdl, serviceName); 
Greeter greeter = service.getPort(portName, Greeter.class); 

// Okay, are you sick of configuration files 
// This will show you how to configure the http conduit dynamically 
Client client = ClientProxy.getClient(greeter); 
HTTPConduit http = (HTTPConduit) client.getConduit(); 

HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy(); 

httpClientPolicy.setConnectionTimeout(36000); 
httpClientPolicy.setAllowChunking(false); 
httpClientPolicy.setReceiveTimeout(32000); 

http.setClient(httpClientPolicy); 

... 
    greeter.sayHi("Hello"); 

You can also check this SO answer, How to programmatically set the SSLContext of a JAX-WS client?, which has solutions for both the CXF and non-CXF cases.

You may want to look at this solution in particular:

<http-conf:conduit name="*.http-conduit"> 
    <http-conf:tlsClientParameters useHttpsURLConnectionDefaultSslSocketFactory="true" /> 
</http-conf:conduit>
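
A programmatic counterpart of the keystore-based conduit configuration in the answer above, as an added example that is not part of the original answer or of the CXF documentation: it loads a JKS truststore and makes it the only trust source on the client's HTTPConduit, rather than installing a trust-all TrustManager. The names ConduitTrust and trustOnly are hypothetical, and the port argument is assumed to be a CXF client proxy such as greeter.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Hypothetical helper (not CXF code): binds a CXF client proxy to one truststore. */
public final class ConduitTrust {

    private ConduitTrust() { }

    /**
     * @param port       a CXF client proxy, e.g. the result of service.getPort(...)
     * @param truststore JKS file holding the server's CA or certificate
     * @param password   truststore password
     */
    public static void trustOnly(Object port, Path truststore, char[] password)
            throws IOException, GeneralSecurityException {
        // Load the truststore from disk.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }

        // Standard PKIX trust managers backed by that store only.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false); // keep hostname verification on

        // CXF reads TLS settings from the conduit, not from HttpsURLConnection defaults.
        Client client = ClientProxy.getClient(port);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tls);
    }
}
```

With the values from the XML example this would be called as ConduitTrust.trustOnly(greeter, Paths.get("my/file/dir/Truststore.jks"), "password".toCharArray()) before the first service call.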
+0

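My issue is: I do not use Spring and don't have a WSDL file. The call just creates a SOAP client (SOAPConnectionFactory.createConnection()) and later invokes the SOAP method using the call method with message/URL as parameters. – kandan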

+0

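I understand that the TLS parameters of the HTTP Conduit object must be set. But is there any other way? Maybe there is some configuration in standalone.xml, I don't know. Using Wildfly 9. – kandan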

+0

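Sorry, I don't know about that. The key is to look at the CXF/Saaj implementation to understand how CXF builds its transport conduit starting from SOAPMessageFactory. The full stack trace of the error could help you navigate the code. – GPI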