一、背景介紹

? ? ? ? 某個供應(yīng)商服務(wù)需要部署到海外，如果海外多個地區(qū)需要部署多個服務(wù)，最好能實現(xiàn)統(tǒng)一登錄，這樣可以減輕用戶的使用負(fù)擔(dān)（不用記錄一堆密碼）。由于安全問題（可能會泄露用戶數(shù)據(jù)），海外服務(wù)不能直連公司sso服務(wù)端，因此需要其他的方案解決安全問題。最終的安全方案中需要用到SSL雙向認(rèn)證進(jìn)行數(shù)據(jù)的傳輸和交互，并且只指定某些個別接口實現(xiàn)SSL雙向認(rèn)證。在此背景下，這篇文章介紹基于tomcat的SSL雙向認(rèn)證的簡單實現(xiàn)。

二、SSL簡單介紹

????????SSL(Secure Sockets Layer 安全套接層)就是一種協(xié)議（規(guī)范），用于保障客戶端和服務(wù)器端通信的安全，以免通信時傳輸?shù)男畔⒈桓`取或者修改。

????????1.怎樣保障數(shù)據(jù)傳輸安全？

????????客戶端和服務(wù)器端在進(jìn)行握手（客戶端和服務(wù)器建立連接和交換參數(shù)的過程稱之為握手）時會產(chǎn)生一個“對話密鑰”（session key），用來加密接下來的數(shù)據(jù)傳輸，解密時也是用的這個“對話密鑰”，而這個“對話密鑰”只有客戶端和服務(wù)器端知道。也就是說只要這個“對話密鑰”不被破解，就能保證安全。

　　2. 客戶端證書和服務(wù)器端證書

????????客戶端證書和服務(wù)器端證書用于證明自己的身份，就好比每個人都有一張身份證，這種身份證是唯一的。一般來說，只要有服務(wù)器端的證書就可以了，但是有時需要客戶端提供自己的證書，已證明其身份。

三、生成自簽名的服務(wù)器端證書和導(dǎo)入服務(wù)器端信任證書庫

????????一般證書可以使用權(quán)威機(jī)構(gòu)頒發(fā)的證書，如：veri sign，百度使用的就是veri sign頒發(fā)的證書，這樣的權(quán)威證書機(jī)構(gòu)是受信任的，但是這些機(jī)構(gòu)頒發(fā)的證書往往是需要收費的，這樣的證書也難得到。對于小型企業(yè)來說為了節(jié)約成本，常常使用自簽名的證書。 ??

????????接下來使用JDK?keytool工具來簽發(fā)證書，如果未安裝JDK，請先安裝JDK（本文使用的是JDK8）。本文所有的證書文件都放到/cert/test1(操作系統(tǒng)centos)，您可以選擇一個目錄來存放。

????????1.制作服務(wù)端密鑰庫

keytool -genkey -v -alias server -keyalg RSA 
-keystore /cert/test1/server.keystore -validity 36500 
-ext SAN=dns:test-ssl,ip:10.1.x.x 
-dname "CN=test,OU=test,O=test,L=hz,ST=hz,C=cn"

?注意：SAN填寫的是域名，IP填寫是服務(wù)端IP。SAN和IP是解決谷歌瀏覽器證書無效的關(guān)鍵。

????????2.制作客戶端密鑰庫

keytool -genkey -v -alias client -keyalg RSA -storetype PKCS12 
-keystore /cert/test1/client.p12 -dname "CN=test,OU=test,O=test,L=hz,ST=hz,C=cn"

????????3.客戶端證書導(dǎo)入服務(wù)端密鑰庫

????????由于不能直接將p12導(dǎo)入，需要先從客戶端密鑰庫導(dǎo)出證書，再將導(dǎo)出的證書導(dǎo)入服務(wù)端密鑰庫。? ?

keytool -export -alias client -keystore /cert/test1/client.p12 
-storetype PKCS12 -storepass 123456 -rfc -file /cert/test1/client.cer

keytool -import -v -file /cert/test1/client.cer -keystore /cert/test1/server.keystore

????????4.導(dǎo)出服務(wù)端密鑰庫證書?

keytool -keystore /cert/test1/server.keystore -export -alias server -file /cert/test1/server.cer

????????5.配置tomcat?

????????5.1配置server.xml

????????找到conf目錄下的server.xml文件，增加如下配置。

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
 SSLEnabled="true"maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="/cert/test1/server.keystore" keystorePass="123456"
               truststoreFile ="/cert/test1/server.keystore" truststorePass="123456"
/>

????????說明：

• clientAuth為true表示開啟SSL雙向認(rèn)證
• keystoreFile指定服務(wù)器端的證書位置
• ?truststoreFile指定服務(wù)器端信任證書庫

?????????5.2配置web.xml

????????找到conf目錄下的server.xml文件，增加如下配置。

<security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/ssl_test/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <description>SSL required</description>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

????????說明：

• 如果不加入這個配置，那么所有訪問的地址都必須要使用SSL才能訪問，有時我們可能只需要通過某個或者某些SSL地址獲取客戶端證書來認(rèn)證用戶身份，認(rèn)證成功后不需要使用SSL來進(jìn)行訪問（可以配置多個security-constraint）
• url-pattern：指定需要SSL才能進(jìn)行訪問的地址(/ssl_test/*)
• transport-guarantee：合法值為NONE、 INTEGRAL或CONFIDENTIAL，transport-guarantee為NONE值將對所用的通訊協(xié)議不加限制。INTEGRAL值表示數(shù)據(jù)必須以一種防止截取它的人閱讀它的方式傳送。雖然原理上（并且在未來的HTTP版本中），在 INTEGRAL和CONFIDENTIAL之間可能會有差別，但在當(dāng)前實踐中，他們都只是簡單地要求用SSL
• 創(chuàng)建SSLServlet獲取客戶端證書

????????6.編寫用來獲取客戶端證書的filter及測試接口類

????????客戶端證書驗證攔截器(攔截路徑：/ssl_test/*)

package com.example.demo;

import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

/**
 * description:MyFilter
 *
 * @author: lgq
 * @create: 2024-02-02 10:55
 */

@WebFilter(urlPatterns = "/ssl_test/*")
public class MyFilter implements Filter {

    private static final String REQUEST_ATTR_CERT = "javax.servlet.request.X509Certificate";
    private static final String SCHEME_HTTPS = "https";

    /**
     * web應(yīng)用啟動時，web服務(wù)器將創(chuàng)建Filter的實例對象，并調(diào)用init方法，讀取web.xml的配置，完成對象的初始化功能，
     * 從而為后續(xù)的用戶請求做好攔截的準(zhǔn)備工作（filter對象只會創(chuàng)建一次，init方法也只會執(zhí)行一次，開發(fā)人員通過init的參數(shù)，
     * 可或得代表當(dāng)前filter配置信息的FilterConfig對象）
     * @param filterConfig
     * @throws ServletException
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    /**
     * 這個方法完成實際的過濾操作，當(dāng)客戶請求訪問與過濾器相關(guān)聯(lián)的URL的時候，Servlet過濾器將先執(zhí)行doFilter方法，F(xiàn)ilterChain參數(shù)用于訪問后續(xù)過濾器
     * @param request
     * @param response
     * @param filterChain
     * @throws IOException
     * @throws ServletException
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(REQUEST_ATTR_CERT);
        if (certs != null) {
            int count = certs.length;
            System.out.println("共檢測到[" + count + "]個客戶端證書");
            for (int i = 0; i < count; i++) {
                X509Certificate cert = certs[i];
                System.out.println("客戶端證書 [" + cert.getSubjectDN() + "]： ");
                System.out.println("證書是否有效：" + (verifyCertificate(cert) ? "是" : "否"));
                System.out.println("證書詳細(xì)信息：\r" + cert.toString());
            }
            filterChain.doFilter(request, response);
        } else {
            if (SCHEME_HTTPS.equalsIgnoreCase(request.getScheme())) {
                System.out.println("這是一個HTTPS請求，但是沒有可用的客戶端證書");
            } else {
                System.out.println("這不是一個HTTPS請求，因此無法獲得客戶端證書列表 ");
            }
        }
        System.out.println("我是過濾器，我進(jìn)來了");

    }

    /**
     * filter創(chuàng)建后會保存在內(nèi)存中，當(dāng)web應(yīng)用移除或者服務(wù)器停止時才銷毀，該方法在Filter的生命周期中僅執(zhí)行一次，在這個方法中，可以釋放過濾器使用的資源
     */
    @Override
    public void destroy() {

    }

    /**
     *
     * 校驗證書是否過期
     *
     *
     * @param certificate
     * @return
     */
    private boolean verifyCertificate(X509Certificate certificate) {
        boolean valid = true;
        try {
            certificate.checkValidity();
        } catch (Exception e) {
            e.printStackTrace();
            valid = false;
        }
        return valid;
    }
}

?????????啟動類（服務(wù)部署到tomcat）

package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;

@SpringBootApplication
@ServletComponentScan
public class DemoApplication extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
        return builder.sources(DemoApplication.class);
    }

}

????????pom依賴（打war包）

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.3</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <packaging>war</packaging>
    <properties>
        <java.version>8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <!--spring boot tomcat（默認(rèn)可以不用配置，但當(dāng)需要把當(dāng)前web應(yīng)用布置到外部servlet容器時就需要配置，并將scope配置為provided）-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
        </dependency>

    </dependencies>

    <build>
        <finalName>test</finalName>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>2.1.1</version>
                <configuration>
                    <failOnMissingWebXml>false</failOnMissingWebXml>
                </configuration>
            </plugin>

        </plugins>
    </build>

</project>

? ? ? ? tomcat下服務(wù)目錄（工程路徑/test）

????????啟動服務(wù)命令

????????客戶端ssl證書認(rèn)證接口

package com.example.demo;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * description:SSLTestController 
 *
 * @author: lgq
 * @create: 2024-01-25 10:42
 */
@RestController
@RequestMapping("/ssl_test")
public class SSLTestController {


    @GetMapping("/hello")
    public String auth() {
        return "Hello, I am the server! Your client's SSL certificate has been authenticated!";
    }
}

????????不需要認(rèn)證客戶端證書的接口

package com.example.demo;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * description:NoSSLTestController
 *
 * @author: lgq
 * @create: 2024-01-25 10:42
 */
@RestController
@RequestMapping("/no_ssl_test")
public class NoSSLTestController {


    @GetMapping("/hello")
    public String auth() {
        return "Hello, I am the server!";
    }
}

????????7.測試

? ? ? ? 7.1 瀏覽器訪問測試

? ? ? ? 7.1.1ssl雙向認(rèn)證測試

????????用瀏覽器訪問http://10.1.x.x:8080/test/ssl_test/hello????????

????????細(xì)心的讀者可能發(fā)現(xiàn)鏈接已經(jīng)跳轉(zhuǎn)到了??https://10.1.x.x:8443/test/ssl_test/hello，這是由于這個地址被設(shè)置為需要SSL才能訪問，所以跳轉(zhuǎn)到了這個地址。訪問時頁面提示如下：

????????為了不出現(xiàn)這樣的警告信息，我們可以導(dǎo)入服務(wù)器端證書到客戶端，雙擊服務(wù)端證書

????????選擇當(dāng)前用戶?

????????將證書放入可信任的根證書列表 ，隨后安裝成功

????????再次訪問：?http://10.1.x.x:8080/test/ssl_test/hello,出現(xiàn)如下錯誤

????????由于我們訪問的接口是雙向認(rèn)證，所以也需要客戶端的證書，我們接下來導(dǎo)入客戶端證書

????????自動選擇證書存儲?

????????輸入證書密鑰，隨即安裝成功?

????????第三次訪問：?http://10.1.x.x:8080/test/ssl_test/hello，結(jié)果如下所示

????????需要選擇客戶端證書

????????輸出結(jié)果如下?

????????tomcat 日志如下，（證書是否有效：是）表示客戶端證書已經(jīng)通過服務(wù)端驗證

? ? ? ? 7.1.2 不驗證客戶端證書

????????訪問地址http://10.1.x.x:8080/test/no_ssl_test/hello??????， 發(fā)現(xiàn)沒有跳轉(zhuǎn)到8443端口，正常返回內(nèi)容如下

????????7.2 測試java通過httpclient調(diào)用雙向認(rèn)證接口?

????????1.增加apache httpclient依賴

 <!-- https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore -->
<dependency>
     <groupId>org.apache.httpcomponents</groupId>
     <artifactId>httpcore</artifactId>
     <version>4.4.10</version>
</dependency>

<!-- https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient -->
<dependency>
     <groupId>org.apache.httpcomponents</groupId>
     <artifactId>httpclient</artifactId>
     <version>4.5.6</version>
</dependency>

????????2.構(gòu)建http請求類

package com.example.demo;

/**
 * description:HttpsRequest
 *
 * @author: lgq
 * @create: 2024-02-04 18:17
 */

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Map;

import javax.net.ssl.SSLContext;

import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;

public class HttpsRequest {
    //.p12文件路徑
    private String filePath;
    //密碼
    private String passWord;
    //外呼url
    private String url;
    // 請求體
    private String body;
    //請求頭
    private Map<String, String> header;
    //代理IP
    private String proxyIP;
    //代理端口
    private int proxyPort;


    private HttpsRequest(Builder builder) {
        this.filePath = builder.filePath;
        this.passWord = builder.passWord;
        this.url = builder.url;
        this.body = builder.body;
        this.header = builder.header;
        this.proxyIP = builder.proxyIP;
        this.proxyPort = builder.proxyPort;
    }

    public static class Builder {
        //.p12文件路徑
        private String filePath;
        //密碼
        private String passWord;
        //外呼url
        private String url;
        // 請求體
        private String body;
        //請求頭
        private Map<String, String> header = new HashMap<>();
        //代理IP
        private String proxyIP;
        //代理端口
        private int proxyPort;


        public Builder filePath(String filePath) {
            this.filePath = filePath;
            return this;
        }

        public Builder passWord(String passWord) {
            this.passWord = passWord;
            return this;
        }

        public Builder url(String url) {
            this.url = url;
            return this;
        }

        public Builder body(String body) {
            this.body = body;
            return this;
        }

        public Builder header(String key, String value) {
            this.header.put(key, value);
            return this;
        }


        public Builder proxy(String ip, int port) {
            this.proxyPort = port;
            this.proxyIP = ip;
            return this;
        }

        public HttpsRequest build() {
            return new HttpsRequest(this);
        }
    }


    public String doPost() {
        String rep = "";
        SSLContext sslcontext;
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            try (FileInputStream fileInputStream = new FileInputStream(filePath)) {
                keyStore.load(fileInputStream, passWord.toCharArray());

                sslcontext = SSLContexts.custom()
                        //忽略掉對服務(wù)器端證書的校驗
                        //.loadTrustMaterial((TrustStrategy) (chain, authType) -> true)
                        //加載服務(wù)端提供的truststore(如果服務(wù)器提供truststore的話就不用忽略對服務(wù)器端證書的校驗了)
                        .loadTrustMaterial(new File("E:\\abc\\def\\server.jks"), "123456".toCharArray(),
                                new TrustSelfSignedStrategy())
                        .loadKeyMaterial(keyStore, passWord.toCharArray())
                        .build();
            }
            SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(
                    sslcontext,
                    new String[]{"TLSv1"},
                    null,
                    SSLConnectionSocketFactory.getDefaultHostnameVerifier());


            try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build()) {
                HttpPost httpPost = new HttpPost(url);
                StringEntity req = new StringEntity(body, "UTF-8");
                httpPost.setEntity(req);
                if (header != null) {
                    header.entrySet().stream().forEach((h) -> {
                        httpPost.addHeader(h.getKey(), h.getValue());
                    });
                }
                RequestConfig config;
                if (!StringUtils.isEmpty(proxyIP) && !StringUtils.isEmpty(proxyPort)) {
                    HttpHost proxy = new HttpHost(proxyIP, proxyPort);
                    config = RequestConfig.custom().setProxy(proxy).setConnectionRequestTimeout(5000)
                            .setSocketTimeout(30000).setConnectTimeout(20000).build();
                } else {
                    config = RequestConfig.custom().setConnectionRequestTimeout(5000)
                            .setSocketTimeout(30000).setConnectTimeout(20000).build();
                }
                //連接超時時間, 單位毫秒
                //requestConfigBuilder.setConnectTimeout(2000);
                //從池中獲取連接超時時間
                //requestConfigBuilder.setConnectionRequestTimeout(500);
                //讀超時時間（等待數(shù)據(jù)超時時間）
                //requestConfigBuilder.setSocketTimeout(2000);

                httpPost.setConfig(config);


                try (CloseableHttpResponse httpResponse = client.execute(httpPost)) {
                    HttpEntity entity = httpResponse.getEntity();
                    rep = EntityUtils.toString(entity);
                }
            }
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        } catch (UnrecoverableKeyException e) {
            e.printStackTrace();
        }
        return rep;
    }

    public String doGet() {
        String rep = "";
        SSLContext sslcontext;
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            try (FileInputStream fileInputStream = new FileInputStream(filePath)) {
                keyStore.load(fileInputStream, passWord.toCharArray());

                sslcontext = SSLContexts.custom()
                        //忽略掉對服務(wù)器端證書的校驗
                        //.loadTrustMaterial((TrustStrategy) (chain, authType) -> true)
                        //加載服務(wù)端提供的truststore(如果服務(wù)器提供truststore的話就不用忽略對服務(wù)器端證書的校驗了)
                        .loadTrustMaterial(new File("E:\\abc\\def\\server.jks"), "123456".toCharArray(),
                                new TrustSelfSignedStrategy())
                        .loadKeyMaterial(keyStore, passWord.toCharArray())
                        .build();
            }
            SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(
                    sslcontext,
                    new String[]{"TLSv1.2"},
                    null,
                    SSLConnectionSocketFactory.getDefaultHostnameVerifier());


            try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build()) {
                HttpGet httpGet = new HttpGet(url);
                if (!ObjectUtils.isEmpty(header)) {
                    header.entrySet().stream().forEach((h) -> {
                        httpGet.addHeader(h.getKey(), h.getValue());
                    });
                }
                RequestConfig config;
                if (!ObjectUtils.isEmpty(proxyIP) && !ObjectUtils.isEmpty(proxyPort)) {
                    HttpHost proxy = new HttpHost(proxyIP, proxyPort);
                    config = RequestConfig.custom().setProxy(proxy).setConnectionRequestTimeout(5000)
                            .setSocketTimeout(30000).setConnectTimeout(20000).build();
                } else {
                    config = RequestConfig.custom().setConnectionRequestTimeout(5000)
                            .setSocketTimeout(30000).setConnectTimeout(20000).build();
                }
                //連接超時時間, 單位毫秒
                //requestConfigBuilder.setConnectTimeout(2000);
                //從池中獲取連接超時時間
                //requestConfigBuilder.setConnectionRequestTimeout(500);
                //讀超時時間（等待數(shù)據(jù)超時時間）
                //requestConfigBuilder.setSocketTimeout(2000);

                httpGet.setConfig(config);


                try (CloseableHttpResponse httpResponse = client.execute(httpGet)) {
                    HttpEntity entity = httpResponse.getEntity();
                    rep = EntityUtils.toString(entity);
                }
            }
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        } catch (UnrecoverableKeyException e) {
            e.printStackTrace();
        }
        return rep;
    }

}

3.將服務(wù)端證書由?cer格式轉(zhuǎn)為jks

keytool -import -alias server -file /cert/test1/server.cer -keystore /cert/test1/server.jks

?4.測試雙向認(rèn)證請求

package com.example.demo;

/**
 * description:HttpsRequestTest
 *
 * @author: lgq
 * @create: 2024-02-04 18:24
 */
public class HttpsRequestTest {
    public static void main(String[] args) {
        String result = new HttpsRequest.Builder()
                .filePath("E:\\abc\\def\\client.p12")
                .passWord("123456")
                .url("https://10.1.x.x:8443/test/ssl_test/hello")
                .header("charset", "UTF-8")//頭信息，多個頭信息多次調(diào)用此方法即可
                .build()
                .doGet();
        System.out.println(result);
    }
}

????????輸出結(jié)果

"C:\Program Files\Java\jdk1.8.0_101\bin\java.exe" -Dvisualvm.id=375771477320700 "-javaagent:E:\software-tools\JetBrains\IntelliJ IDEA 2020.3.3\lib\idea_rt.jar=55001:E:\software-tools\JetBrains\IntelliJ IDEA 2020.3.3\bin" -Dfile.encoding=UTF-8 -classpath "C:\Program Files\Java\jdk1.8.0_101\jre\lib\charsets.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\deploy.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\access-bridge-64.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\cldrdata.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\dnsns.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\jaccess.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\jfxrt.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\localedata.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\nashorn.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\sunec.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\sunjce_provider.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\sunmscapi.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\sunpkcs11.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\ext\zipfs.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\javaws.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\jce.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\jfr.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\jfxswt.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\jsse.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\management-agent.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\plugin.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\resources.jar;C:\Program Files\Java\jdk1.8.0_101\jre\lib\rt.jar;D:\project\demo1\target\classes;D:\maven\repository\org\springframework\boot\spring-boot-starter-web\2.4.3\spring-boot-starter-web-2.4.3.jar;D:\maven\repository\org\springframework\boot\spring-boot-starter\2.4.3\spring-boot-starter-2.4.3.jar;D:\maven\repository\org\springframework\boot\spring-boot\2.4.3\spring-boot-2.4.3.jar;D:\maven\repository\org\springframework\boot\spring-boot-autoconfigure\2.4.3\spring-boot-autoconfigure-2.4.3.jar;D:\maven\repository\org\springframework\boot\spring-boot-starter-logging\2.4.3\spring-boot-starter-logging-2.4.3.jar;D:\maven\repository\ch\qos\logback\logback-classic\1.2.3\logback-classic-1.2.3.jar;D:\maven\repository\ch\qos\logback\logback-core\1.2.3\logback-core-1.2.3.jar;D:\maven\repository\org\slf4j\slf4j-api\1.7.30\slf4j-api-1.7.30.jar;D:\maven\repository\org\apache\logging\log4j\log4j-to-slf4j\2.13.3\log4j-to-slf4j-2.13.3.jar;D:\maven\repository\org\apache\logging\log4j\log4j-api\2.13.3\log4j-api-2.13.3.jar;D:\maven\repository\org\slf4j\jul-to-slf4j\1.7.30\jul-to-slf4j-1.7.30.jar;D:\maven\repository\org\springframework\spring-core\5.3.4\spring-core-5.3.4.jar;D:\maven\repository\org\springframework\spring-jcl\5.3.4\spring-jcl-5.3.4.jar;D:\maven\repository\org\yaml\snakeyaml\1.27\snakeyaml-1.27.jar;D:\maven\repository\org\springframework\boot\spring-boot-starter-json\2.4.3\spring-boot-starter-json-2.4.3.jar;D:\maven\repository\com\fasterxml\jackson\core\jackson-databind\2.11.4\jackson-databind-2.11.4.jar;D:\maven\repository\com\fasterxml\jackson\core\jackson-annotations\2.11.4\jackson-annotations-2.11.4.jar;D:\maven\repository\com\fasterxml\jackson\core\jackson-core\2.11.4\jackson-core-2.11.4.jar;D:\maven\repository\com\fasterxml\jackson\datatype\jackson-datatype-jdk8\2.11.4\jackson-datatype-jdk8-2.11.4.jar;D:\maven\repository\com\fasterxml\jackson\datatype\jackson-datatype-jsr310\2.11.4\jackson-datatype-jsr310-2.11.4.jar;D:\maven\repository\com\fasterxml\jackson\module\jackson-module-parameter-names\2.11.4\jackson-module-parameter-names-2.11.4.jar;D:\maven\repository\org\springframework\spring-web\5.3.4\spring-web-5.3.4.jar;D:\maven\repository\org\springframework\spring-beans\5.3.4\spring-beans-5.3.4.jar;D:\maven\repository\org\springframework\spring-webmvc\5.3.4\spring-webmvc-5.3.4.jar;D:\maven\repository\org\springframework\spring-aop\5.3.4\spring-aop-5.3.4.jar;D:\maven\repository\org\springframework\spring-context\5.3.4\spring-context-5.3.4.jar;D:\maven\repository\org\springframework\spring-expression\5.3.4\spring-expression-5.3.4.jar;D:\maven\repository\jakarta\annotation\jakarta.annotation-api\1.3.5\jakarta.annotation-api-1.3.5.jar;D:\maven\repository\org\apache\httpcomponents\httpcore\4.4.10\httpcore-4.4.10.jar;D:\maven\repository\org\apache\httpcomponents\httpclient\4.5.6\httpclient-4.5.6.jar;D:\maven\repository\commons-codec\commons-codec\1.15\commons-codec-1.15.jar" com.example.demo.HttpsRequestTest
18:55:06.389 [main] DEBUG org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: default
18:55:06.411 [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
18:55:06.413 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://10.1.x.x:8443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
18:55:06.429 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://10.1.x.x:8443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
18:55:06.431 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://10.1.x.x:8443
18:55:06.434 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to /10.1.x.x:8443
18:55:06.434 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Connecting socket to /10.1.x.x:8443 with timeout 20000
18:55:06.491 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1.2]
18:55:06.491 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
18:55:06.491 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake
18:55:06.598 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Secure session established
18:55:06.598 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -  negotiated protocol: TLSv1.2
18:55:06.598 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
18:55:06.598 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -  peer principal: CN=test, OU=test, O=test, L=hz, ST=hz, C=cn
18:55:06.599 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -  peer alternative names: [test-ssl, 10.1.x.x]
18:55:06.599 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -  issuer principal: CN=test, OU=test, O=test, L=hz, ST=hz, C=cn
18:55:06.605 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 10.26.54.125:55008<->10.1.x.x:8443
18:55:06.605 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: set socket timeout to 30000
18:55:06.606 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request GET /test/ssl_test/hello HTTP/1.1
18:55:06.606 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED
18:55:06.607 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
18:55:06.609 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /test/ssl_test/hello HTTP/1.1
18:55:06.609 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> charset: UTF-8
18:55:06.609 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: 10.1.x.x:8443
18:55:06.610 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
18:55:06.610 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.6 (Java/1.8.0_101)
18:55:06.610 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
18:55:06.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "GET /test/ssl_test/hello HTTP/1.1[\r][\n]"
18:55:06.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "charset: UTF-8[\r][\n]"
18:55:06.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: 10.1.x.x:8443[\r][\n]"
18:55:06.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
18:55:06.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.6 (Java/1.8.0_101)[\r][\n]"
18:55:06.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
18:55:06.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 200 [\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Cache-Control: private[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Type: text/plain;charset=UTF-8[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 77[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Sun, 04 Feb 2024 10:55:07 GMT[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Keep-Alive: timeout=60[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Connection: keep-alive[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]"
18:55:06.619 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Hello, I am the server! Your client's SSL certificate has been authenticated!"
18:55:06.624 [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 
18:55:06.624 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: private
18:55:06.624 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type: text/plain;charset=UTF-8
18:55:06.624 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Length: 77
18:55:06.624 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Sun, 04 Feb 2024 10:55:07 GMT
18:55:06.624 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Keep-Alive: timeout=60
18:55:06.624 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: keep-alive
18:55:06.632 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 60000 MILLISECONDS
18:55:06.640 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 0][route: {s}->https://10.1.x.x:8443][state: CN=test, OU=test, O=test, L=hz, ST=hz, C=cn] can be kept alive for 60.0 seconds
18:55:06.640 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: set socket timeout to 0
18:55:06.640 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://10.1.x.x:8443][state: CN=test, OU=test, O=test, L=hz, ST=hz, C=cn][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
18:55:06.641 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection manager is shutting down
18:55:06.641 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Close connection
18:55:06.642 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection manager shut down
Hello, I am the server! Your client's SSL certificate has been authenticated!

Process finished with exit code 0

? ? ? ? 其中，輸出內(nèi)容:“Hello, I am the server! Your client's SSL certificate has been authenticated!”，表示客戶端證書認(rèn)證已經(jīng)通過。需要注意的是，上面方法中，客戶端證書使用的是p12格式，服務(wù)端證書使用jks格式。文章來源地址http://www.zghlxwxcb.cn/news/detail-829882.html

到了這里，關(guān)于基于tomcat的https(ssl)雙向認(rèn)證的文章就介紹完了。如果您還想了解更多內(nèi)容，請在右上角搜索TOY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！