關於HttpClient繞過SSL認證以及NTLM認證

時間  2019-11-17
標籤 關於 httpclient 繞過 ssl 認證 以及 ntlm 欄目 系統網絡 简体版
原文   原文鏈接

前言

本篇文章只涉及本人在工做上使用HttpClient遇到的狀況,並不會詳細地展開講如何使用HttpClient.html

image

1. 爲何使用HttpClient?

一開始實際上是考慮使用RestTemplate的,但遇到的難題天然是SSL認證以及NTLM的認證.以目前的RestTemplate還作不到NTLM認證.並且使用SSL認證的過程也是挺複雜的.複雜的是:竟然仍是要藉助HttpClient.apache

@Bean
    public RestTemplate buildRestTemplate(List<CustomHttpRequestInterceptor> interceptors) throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    HttpComponentsClientHttpRequestFactory factory = new                                                    
        HttpComponentsClientHttpRequestFactory();
    factory.setConnectionRequestTimeout(requestTimeout);
    factory.setConnectTimeout(connectTimeout);
    factory.setReadTimeout(readTimeout);
    // https
    SSLContextBuilder builder = new SSLContextBuilder();
    builder.loadTrustMaterial(null, (X509Certificate[] x509Certificates, String s) -> true);
    SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(builder.build(), new String[]{"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.2"}, null, NoopHostnameVerifier.INSTANCE);
    Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("http", new PlainConnectionSocketFactory())
            .register("https", socketFactory).build();
    PoolingHttpClientConnectionManager phccm = new PoolingHttpClientConnectionManager(registry);
    phccm.setMaxTotal(200);
    CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).setConnectionManager(phccm).setConnectionManagerShared(true).build();
    factory.setHttpClient(httpClient);

    RestTemplate restTemplate = new RestTemplate(factory);
    List<ClientHttpRequestInterceptor> clientInterceptorList = new ArrayList<>();
    for (CustomHttpRequestInterceptor i : interceptors) {
        ClientHttpRequestInterceptor interceptor = i;
        clientInterceptorList.add(interceptor);
    }
    restTemplate.setInterceptors(clientInterceptorList);
    
    return restTemplate;
}
複製代碼

2. 爲何要繞過SSL認證?

至於爲何要繞過SSL認證,由於裝證書的這些操做我並不會.同時也想試試能不能忽略這個證書認證調用接口.數組

  • 首先若是想繞過證書,都必先建立X509TrustManager這個對象而且重寫它的方法.

X509TrustManager該接口是一個用於Https的證書信任管理器,咱們能夠在這裏添加咱們的證書,讓該管理器知道咱們有那些證書是能夠信任的.安全

該接口會有三個方法:bash

void checkClientTrusted(X509Certificate[] xcs, String str)
 
 void checkServerTrusted(X509Certificate[] xcs, String str)
 
  X509Certificate[] getAcceptedIssuers()
複製代碼

  1. 第一個方法checkClientTrusted.該方法檢查客戶端的證書,若不信任該證書則拋出異常。因爲咱們不須要對客戶端進行認證,所以咱們只須要執行默認的信任管理器的這個方法。JSSE中,默認的信任管理器類爲TrustManager。服務器

  2. 第二個方法checkServerTrusted.該方法檢查服務器的證書,若不信任該證書一樣拋出異常。經過本身實現該方法,可使之信任咱們指定的任何證書。在實現該方法時,也能夠簡單的不作任何處理,即一個空的函數體,因爲不會拋出異常,它就會信任任何證書。dom

  3. 第三個方法getAcceptedIssusers,返回受信任的X509證書數組。socket

而咱們只須要重寫這三個方法,而且不須要修改裏面的內容.而後再交給HttpClient就能夠實現繞過SSL認證了.ide

X509TrustManager trustManager = new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
    return null;
}

@Override
public void checkClientTrusted(X509Certificate[] xcs, String str) {
}

@Override
public void checkServerTrusted(X509Certificate[] xcs, String str) {
}

SSLContext ctx = SSLContext.getInstance(SSLConnectionSocketFactory.SSL);
ctx.init(null, new TrustManager[]{trustManager}, null);

//生成工廠
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);

//並註冊到HttpClient中
Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", PlainConnectionSocketFactory.INSTANCE)
.register("https", socketFactory).build();

HttpClientBuilder httpClientBuilder = HttpClients.custom().setConnectionManager(connectionManager);

CloseableHttpClient httpClient = httpClientBuilder.build();
複製代碼

回顧一下步驟:函數

  1. 建立X509TrustManager對象並重寫方法.
  2. 建立SSLContext實例,並交到工廠管理.
  3. 註冊到HttpClient中.經過ConnectionManager最後生成httpClient.

3. 什麼是NTLM?

NTLM是NT LAN Manager的縮寫,這也說明了協議的來源。NTLM 是 Windows NT 早期版本的標準安全協議,Windows 2000 支持 NTLM 是爲了保持向後兼容。Windows 2000內置三種基本安全協議之一。

NTLM的原理

NTLM的工做原理描述

其實我對這個瞭解得不是很深,由於趕上這種狀況的感受不會不少,因此網上的資源也不太多. 這裏只是針對HttpClient趕上NTLM認證的狀況詳細描述一下.有興趣的朋友能夠經過以上的連接瞭解下.

4. 如何使用HttpClient進行NTLM認證?

這個查閱了官網的文檔.官網也給出瞭解決方案.

hc.apache.org/httpcompone…

須要把這幾個類編寫一下.

JCIFSEngine:

public final class JCIFSEngine implements NTLMEngine {

    private static final int TYPE_1_FLAGS =
            NtlmFlags.NTLMSSP_NEGOTIATE_56 |
                    NtlmFlags.NTLMSSP_NEGOTIATE_128 |
                    NtlmFlags.NTLMSSP_NEGOTIATE_NTLM2 |
                    NtlmFlags.NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
                    NtlmFlags.NTLMSSP_REQUEST_TARGET;


    @Override
    public String generateType1Msg(final String domain, final String workstation) throws NTLMEngineException {
        final Type1Message type1Message = new Type1Message(TYPE_1_FLAGS, domain, workstation);
        return Base64.encode(type1Message.toByteArray());
    }

    @Override
    public String generateType3Msg(final String username, final String password,
                                   final String domain, final String workstation, final String challenge)
            throws NTLMEngineException {
        Type2Message type2Message;
        try {
            type2Message = new Type2Message(Base64.decode(challenge));
        } catch (final IOException exception) {
            throw new NTLMEngineException("Invalid NTLM type 2 message", exception);
        }
        final int type2Flags = type2Message.getFlags();
        final int type3Flags = type2Flags
                & (0xffffffff ^ (NtlmFlags.NTLMSSP_TARGET_TYPE_DOMAIN | NtlmFlags.NTLMSSP_TARGET_TYPE_SERVER));
        final Type3Message type3Message = new Type3Message(type2Message, password, domain,
                username, workstation, type3Flags);
        return Base64.encode(type3Message.toByteArray());
    }
}
複製代碼

JCIFSNTLMSchemeFactory:

public class JCIFSNTLMSchemeFactory implements AuthSchemeProvider {

    public AuthScheme create(final HttpContext context){
        return new NTLMScheme(new JCIFSEngine());
    }
}
複製代碼

最後就在HttpClient註冊:

Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
        .register(AuthSchemes.NTLM, new JCIFSNTLMSchemeFactory())
        .register(AuthSchemes.BASIC, new BasicSchemeFactory())
        .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
        .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
        .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory())
        .build();
CloseableHttpClient httpClient = HttpClients.custom()
        .setDefaultAuthSchemeRegistry(authSchemeRegistry)
        .build();
複製代碼

最後就同時使用繞過SSL驗證以及NTLM驗證:

private static PoolingHttpClientConnectionManager connectionManager;
private static RequestConfig requestConfig;
private static Registry<AuthSchemeProvider> authSchemeRegistry;
private static Registry<ConnectionSocketFactory> socketFactoryRegistry;
private static CredentialsProvider credsProvider;


public void init() {
try {
X509TrustManager trustManager = new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

@Override
    public void checkClientTrusted(X509Certificate[] xcs, String str) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] xcs, String str) {
    }
};
SSLContext ctx = SSLContext.getInstance(SSLConnectionSocketFactory.SSL);
ctx.init(null, new TrustManager[]{trustManager}, null);
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);
NTCredentials creds = new NTCredentials("用戶名", "密碼", "工做站(workstation)", "域名");
credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, creds);
socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.INSTANCE)
        .register("https", socketFactory).build();
connectionManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
connectionManager.setMaxTotal(18);
connectionManager.setDefaultMaxPerRoute(6);
requestConfig = RequestConfig.custom()
        .setSocketTimeout(30000)
        .setConnectTimeout(30000)
        .build();
authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
        .register(AuthSchemes.NTLM, new JCIFSNTLMSchemeFactory())
        .register(AuthSchemes.BASIC, new BasicSchemeFactory())
        .register(AuthSchemes.DIGEST, new DigestSchemeFactory())
        .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
        .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory())
        .build();
} catch (Exception e) {
e.printStackTrace();
}
}
複製代碼
參考資料

www.jianshu.com/p/8d4e7dcb2…

blog.csdn.net/cj649934578…

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程