blindsslfactory在生产环境中不起作用

cunj1qz1  于 2021-06-30  发布在  Java
关注(0)|答案(2)|浏览(297)

我有一个奇怪的问题,我无法摆脱,因为天,所以我放弃了,并决定咨询有知识的stackoverflow成员。
我使用哪个java版本?
亚马逊coretto 1.8.0ē
我想要实现什么?
在我的应用程序中,用户必须使用安全的ldap连接进行身份验证。从ldap目录进行身份验证后,用户将被重定向到his主页。但是,我希望在通过安全端口连接到ldap服务器的过程中绕过证书检查。
到目前为止我做了什么?什么有效?
在其他文章中,我发现我需要使用blindsslfactory类来绕过证书检查,并在ldap查询期间将该类注入属性,我将其添加到了我的项目中,如果我从eclipse运行该项目,则一切工作都非常正常,证书检查被绕过,用户登录。注意:在我的java信任库中,我没有任何签名的证书。
什么不起作用?
如果我用我创建的安装程序编译项目,并将其作为应用程序运行(不是从eclipse,而是从它自己的安装程序),我会得到以下错误。注意:我调试以下行并打印true,因为我在项目运行之前设置了它:-dcom.sun.jndi.ldap.object.disableendpointidentification:

javax.naming.CommunicationException: simple bind failed: 10.148.129.11:636
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[na:1.8.0_275]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_275]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_275]
at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_275]
at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[na:1.8.0_275]
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[na:1.8.0_275]
at com.ricoh.sdced.festo.pab.web.login.LdapAuthentication.createLoginSession(LdapAuthentication.java:78) [classes!/:na]
at com.ricoh.sdced.festo.pab.web.login.LdapAuthentication.startLoginSession(LdapAuthentication.java:43) [classes!/:na]
at com.ricoh.sdced.festo.pab.web.views.LoginView.performLogin(LoginView.java:54) [classes!/:na]
at com.ricoh.sdced.festo.pab.web.views.LoginView.lambda$createLoginLayout$565279a2$1(LoginView.java:47) [classes!/:na]
at com.vaadin.flow.component.ComponentEventBus.fireEventForListener(ComponentEventBus.java:205) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.component.ComponentEventBus.handleDomEvent(ComponentEventBus.java:373) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.component.ComponentEventBus.lambda$addDomTrigger$dd1b7957$1(ComponentEventBus.java:264) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.internal.nodefeature.ElementListenerMap.lambda$fireEvent$2(ElementListenerMap.java:441) ~[flow-server-2.1.5.jar!/:2.1.5]
at java.util.ArrayList.forEach(ArrayList.java:1259) ~[na:1.8.0_275]
at com.vaadin.flow.internal.nodefeature.ElementListenerMap.fireEvent(ElementListenerMap.java:441) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.communication.rpc.EventRpcHandler.handleNode(EventRpcHandler.java:59) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.communication.rpc.AbstractRpcInvocationHandler.handle(AbstractRpcInvocationHandler.java:64) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.communication.ServerRpcHandler.handleInvocationData(ServerRpcHandler.java:402) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.communication.ServerRpcHandler.lambda$handleInvocations$1(ServerRpcHandler.java:383) ~[flow-server-2.1.5.jar!/:2.1.5]
at java.util.ArrayList.forEach(ArrayList.java:1259) ~[na:1.8.0_275]
at com.vaadin.flow.server.communication.ServerRpcHandler.handleInvocations(ServerRpcHandler.java:383) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:318) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:89) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:40) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.VaadinService.handleRequest(VaadinService.java:1540) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.server.VaadinServlet.service(VaadinServlet.java:247) ~[flow-server-2.1.5.jar!/:2.1.5]
at com.vaadin.flow.spring.SpringServlet.service(SpringServlet.java:95) ~[vaadin-spring-12.1.2.jar!/:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[tomcat-embed-core-9.0.37.jar!/:4.0.FR]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:712) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:459) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:352) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.springframework.web.servlet.mvc.ServletForwardingController.handleRequestInternal(ServletForwardingController.java:141) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:177) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:52) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652) ~[tomcat-embed-core-9.0.37.jar!/:4.0.FR]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[tomcat-embed-core-9.0.37.jar!/:4.0.FR]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-embed-websocket-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93) ~[spring-boot-actuator-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_275]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_275]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.37.jar!/:9.0.37]
at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_275]
Caused by: java.net.SocketException: Connection or outbound has closed
at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:967) ~[na:1.8.0_275]
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.8.0_275]
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.8.0_275]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:448) ~[na:1.8.0_275]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:421) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) ~[na:1.8.0_275]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) ~[na:1.8.0_275]
... 88 common frames omitted

代码中的逻辑如何?

public class BlindSSLSocketFactory extends SocketFactory {

private static SocketFactory blindFactory = null;
/**
 * Builds an ALL trusting "blind" ssl socket factory.
 */
static {
// create a trust manager that will purposefully fall down on the
// job
    TrustManager[] blindTrustMan = new TrustManager[] { new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkClientTrusted(X509Certificate[] c, String a) {
        }

        public void checkServerTrusted(X509Certificate[] c, String a) {
        }
    } };

    // create our "blind" ssl socket factory with our lazy trust manager
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, blindTrustMan, new java.security.SecureRandom());
        blindFactory = sc.getSocketFactory();
    } catch (GeneralSecurityException e) {
        e.printStackTrace();
    }
}

/**
 * @see javax.net.SocketFactory#getDefault()
 */
public static SocketFactory getDefault() {
    return new BlindSSLSocketFactory();
}

/**
 * @see javax.net.SocketFactory#createSocket(java.lang.String, int)
 */
public Socket createSocket(String arg0, int arg1) throws IOException, UnknownHostException {
    return blindFactory.createSocket(arg0, arg1);
}

/**
 * @see javax.net.SocketFactory#createSocket(java.net.InetAddress, int)
 */
public Socket createSocket(InetAddress arg0, int arg1) throws IOException {
    return blindFactory.createSocket(arg0, arg1);
}

/**
 * @see javax.net.SocketFactory#createSocket(java.lang.String, int,
 *      java.net.InetAddress, int)
 */
public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
        throws IOException, UnknownHostException {
    return blindFactory.createSocket(arg0, arg1, arg2, arg3);
}

/**
 * @see javax.net.SocketFactory#createSocket(java.net.InetAddress, int,
 *      java.net.InetAddress, int)
 */
public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2, int arg3) throws IOException {
    return blindFactory.createSocket(arg0, arg1, arg2, arg3);
}

}
以及我的ldap登录类,我在其中注入了这个blindsslfactory类

@Component
public class LdapAuthentication {

private final Logger logger = LoggerFactory.getLogger(getClass());

private String username;

private String password;

private boolean isLoggedIn;

public LdapAuthentication() {
}

public void startLoginSession(String username, String password)
        throws NamingException {

    logger.info("preparing user login details...");

    this.username = username;
    this.password = password;

    logger.info("user login will be attempted for user: " + this.username);

    this.isLoggedIn = createLoginSession(this.username, this.password);

    logger.info("login attempt success result: " + this.isLoggedIn); 
}

private boolean createLoginSession(String username, String password)
        throws NamingException {

    logger.info("creating a LDAP Authentication session...");
    logger.info("System property value for            -Dcom.sun.jndi.ldap.object.disableEndpointIdentification:"
            + System.getProperty("com.sun.jndi.ldap.object.disableEndpointIdentification"));

    String ldapServerUrl = buildLdapPrefix()
            + SettingsResolver.getInstance().getSetting(
                    "ldap.server.address")
            + ":"
            + SettingsResolver.getInstance().getSetting(
                    "ldap.server.port.number");

    logger.info("LDAP authentication URL: " + ldapServerUrl);

    Properties props = new Properties();

    //use this line if you wanna discard ssl certificate validation
    props.put("java.naming.ldap.factory.socket",
            BlindSSLSocketFactory.class.getName());

    props.put(Context.INITIAL_CONTEXT_FACTORY,
            "com.sun.jndi.ldap.LdapCtxFactory");
    props.put(Context.PROVIDER_URL, ldapServerUrl);
    props.put(Context.SECURITY_PRINCIPAL, username);
    props.put(Context.SECURITY_CREDENTIALS, password);

    InitialDirContext context = null;
    try {
        context = new InitialDirContext(props);
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        NamingEnumeration<SearchResult> results = context.search(
                toDC(SettingsResolver.getInstance().getSetting(
                        "ldap.server.domain.name")), String.format(
                        "(& (userPrincipalName=%s)(objectClass=user))",
                        this.username), controls);

        return results.hasMore();
    } catch (NamingException namingException) {
        logger.error(
                "Exception occurred while authenticating to LDAP Server: ",
                namingException);

        throw namingException;
    } finally {
        try {
            if (context != null)
                context.close();
        } catch (Exception ex) {
        }
    }
}

private static String toDC(String username) {
    String result = "";
    String[] parts = username.split("\\.");
    for (int index = 0; index < parts.length - 1; index++)
        result = result.concat("DC=").concat(parts[index]).concat(",");
    return result.concat("DC=").concat(parts[parts.length - 1]);
}

public boolean isUserLoggedIn() {
    return this.isLoggedIn;
}

private String buildLdapPrefix() {
    String securePortEnabled = SettingsResolver.getInstance().getSetting(
            "ldap.server.secure.port.enabled");

    if (securePortEnabled.contains("true")) {
        return "ldaps://";
    } else {
        return "ldap://";
    }
}

}

pgpifvop

pgpifvop1#

您的代码看起来不错,提供的所有配置似乎都是正确的。
在深入研究这个问题之后——请参阅对主要问题的不同评论——通过应用不同的配置和调试策略,正如您所指出的,这个问题似乎与安装程序(独立程序)的创建方式有关,而不是与问题中提供的ldap服务器集成代码有关。

iqih9akk

iqih9akk2#

也许你的 BlindSSLFactory 实际上没有在生产环境中使用。我的钱在上面 java.naming.ldap.factory.socket 在代码的其他地方被重写,因为这似乎是让你的应用知道它应该通过一个类似spi的接口使用这个工厂的方法
一个好的起点是远程调试jvm,并查看在运行时属性值设置为什么。

相关问题