I have a requirement to use springboot rest template which calls 3rd party and connects over 2-way ssl but it should go through the proxy, but I am getting "
Encountered connectivity issue while reaching APIsun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
" exception. This is very generic exception. Keystore and certificate are accessible. Without proxy I can able to call same 3rd party API with same set of certificates in different environement. So no issue with certs and location.
Looks like proxy is not able to forward/find certificates to server. Anyone knows how to solve this? following is the code for creating rest template.
HttpClientBuilder httpClientBuilder = null;
if(proxyEnabled){
httpClientBuilder = getHttpClientBuilderWithProxy();
} else{
httpClientBuilder = getHttpClientBuilderWithoutProxy();
}
CloseableHttpClient client = null;
if(isSslEnabled){
logger.info("SSL enabled for closable http client");
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory( new SSLContextBuilder()
.loadKeyMaterial( ResourceUtils.getFile(keyStore) , keyStorePassword.toCharArray(), keyStorePassword.toCharArray())
.loadTrustMaterial(ResourceUtils.getFile(trustStore), trustStorePassword.toCharArray()) .build());
client = httpClientBuilder
.setSSLSocketFactory(csf)
.setProxyAuthenticationStrategy(new ProxyAuthenticationStrategy())
.build();
} else{
logger.info("SSL disabled for closable http client");
client = httpClientBuilder
.build();
}
clientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory(client);
private HttpClientBuilder getHttpClientBuilderWithoutProxy(){
return HttpClientBuilder.create()
.disableAutomaticRetries();
}
private HttpClientBuilder getHttpClientBuilderWithProxy(){
HttpHost proxy = new HttpHost(httpProxyHost, httpProxyPort);
return HttpClientBuilder.create()
.setProxy(proxy)
.disableAutomaticRetries();
}
I am expecting it to call 3rd party API with proxy and ssl.
Related
I have one requirement i.e. to bypass SSL verification while connecting to webservice using rest template.
Currently I am implementing proxy to rest template via below code.
SimpleClientHttpRequestFactory clientHttpRequestFactory = new
SimpleClientHttpRequestFactory();
Proxy proxy = new Proxy(Proxy.Type.HTTP,new InetSocketAddress(proxyHost,
Integer.parseInt(proxyPort)));
clientHttpRequestFactory.setProxy(proxy);
RestTemplate restTemplate = new RestTemplate(clientHttpRequestFactory);
ResponseEntity<String> responseEntity= restTemplate.exchange(url,HttpMethod.POST,
entity,String.class);
response = responseEntity.getBody();
How can I modify my Rest template so while connecting to URL it doesn't look for SSL certificate Validation.
I do checked couple of solutions online for this but all are implemented with
HttpComponentsClientHttpRequestFactory
which don't have provision to pass proxy host and server (Java.net.proxy object).
Can anyone help me here, I am stuck from long on this.
Solution I found online is below
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
.loadTrustMaterial(null, acceptingTrustStrategy)
.build();
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(csf)
.build();
HttpComponentsClientHttpRequestFactory requestFactory =
new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(httpClient);
restTemplate = new RestTemplate(requestFactory);
Thanks,
Anshu
We have a generic application which delivers message to different POST endpoints. And we are using
CloseableHttpAsyncClient for this purpose. Its been built/initialized as follows,
private static CloseableHttpAsyncClient get() {
CloseableHttpAsyncClient lInstance;
IOReactorConfig ioReactorConfig = IOReactorConfig.custom()
.setIoThreadCount(100)
.setConnectTimeout(10000)
.setSoTimeout(10000).build();
ConnectingIOReactor ioReactor = null;
try {
ioReactor = new DefaultConnectingIOReactor(ioReactorConfig);
} catch (IOReactorException e) {
logger_.logIfEnabled(Level.ERROR, e);
}
PoolingNHttpClientConnectionManager connManager = new PoolingNHttpClientConnectionManager(ioReactor);
connManager.setDefaultMaxPerRoute(50);
connManager.setMaxTotal(5000);
connManager.closeIdleConnections(10000, TimeUnit.MILLISECONDS);
baseRequestConfig = RequestConfig.custom().setConnectTimeout(10000)
.setConnectionRequestTimeout(10000)
.setSocketTimeout(10000).build();
lInstance = HttpAsyncClients.custom().setDefaultRequestConfig(baseRequestConfig)
.setConnectionManager(connManager).build();
lInstance.start();
return lInstance;
}
This is prebuilt and initialized. As an when a new request arrives to our application, based on message, authentication type, a new postRequest is built httpPost = new HttpPost(builder.build());
After setting the required header, payload etc. exiting httpClient is used to send the request.
httpClient.execute(httpPost, httpContext, null);
Now, the question is based on the our new requirement to support client certificate based authentication. And since our current approach is to create httpClient in the beginning, the question is how to change the behaviour of httpClient to send client certificate to some endpoints and work as it is for other endpoints which doesn't require certificate to be send?
I know I can introduce SSLContext to CloseableHttpAsyncClient while creating, but at the time of creating I don't have any information that we have any endpoint which requires certificate based authentication. And we can have many endpoints which would be supporting client certificate and that would be known at runtime.
I am trying to create one http client using useSystemProperties() as i need to default the ssl properties to that of WAS [like to get the WAS ciphers in runtime ]. And I have to set some max connections and connection manager also to the httpclient. This is a very high traffic rest call.
I have tried 3 ways,
-- This did not set the WAS ssl properties and thus the connection got failed.
httpclient = HttpClients.custom().useSystemProperties()
.setConnectionManager("some value")
.setMaxConnPerRoute("some value")
.setMaxConnTotal("some value")
.setUserAgent("Custom Browser")
.disableCookieManagement().build();
-- This did not set the WAS ssl properties and thus the connection failed.
httpclient1 = HttpClientBuilder.create().useSystemProperties()
.setConnectionManager(connManager)
.setMaxConnPerRoute(maxConnPerRoute)
.setMaxConnTotal(maxConnTotal)
.setUserAgent("Custom Browser")
.disableCookieManagement().build();
-- This one defaulted to WAS ssl configurations and connection was fine but other params are missing here.
httpclient2 = HttpClientBuilder.create().useSystemProperties().build();
Can I really achieve both these options?
You would need to override the SSLConnectionSocketFactory for your ConnectionManager, for example, on the example below will be created default SSLConnectionSocketFactory if you would use useSystemProperties
DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(
(SSLSocketFactory) SSLSocketFactory.getDefault(), null, null, hostnameVerifier
);
final PoolingHttpClientConnectionManager connManager = new PoolingHttpClientConnectionManager(
RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", PlainConnectionSocketFactory.getSocketFactory())
.register("https", sslConnectionSocketFactory)
.build()
);
connManager.setDefaultMaxPerRoute(20);
connManager.setMaxTotal(20);
final HttpClientBuilder builder = HttpClientBuilder
.create()
.setConnectionManager(connManager);
You can also set useSystemProperties() as below to your HttpClient:
HttpClient httpClient = HttpClientBuilder.create()
.setConnectionManager(connectionManager)
.useSystemProperties()
.setDefaultRequestConfig(requestConfig).build();
I am using the latest version of JDK8
My CloseableHttpAsyncClient is created by doing the following
try{
sslContext = SSLContexts.custom()
.setProvider(Conscrypt.newProvider())
.build();
}catch (Exception e){
e.printStackTrace();
}
final PoolingAsyncClientConnectionManager cm = PoolingAsyncClientConnectionManagerBuilder.create()
.setTlsStrategy(new ConscryptClientTlsStrategy(sslContext))
.build();
BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
if (proxy.isAuth()) {
credentialsProvider.setCredentials(
new AuthScope(proxy.getIp(), Integer.parseInt(proxy.getPort())),
new UsernamePasswordCredentials(proxy.getUsername(), proxy.getPassword().toCharArray()));
}
HttpHost p = new HttpHost(proxy.getIp(), Integer.parseInt(proxy.getPort()), "http");
asyncClient = HttpAsyncClients.custom()
.setVersionPolicy(HttpVersionPolicy.FORCE_HTTP_1)
.setConnectionManager(cm)
.setUserAgent(Utils.USER_AGENT)
.setDefaultCookieStore(cookieStore)
.setDefaultCredentialsProvider(credentialsProvider)
.setProxy(p)
.build();
asyncClient.start();
I am then trying to do a post request which works without a proxy. The request with the proxy also works with the url using http and not https. I receive the following error java.lang.IllegalStateException: No tunnel unless connected when using https and a proxy.
I am using jersey client with ApacheConnection Provider.
Builder builder = RequestConfig.custom().setConnectTimeout(timeout);
List<Proxy> proxies = ProxyManager.getInstance().select(baseUrl.toURI());
if (useProxy) {
...
builder.setProxy(new HttpHost(proxyUri.getHost(), proxyUri.getPort()));
}
RequestConfig requestConfig = builder.build();
final ClientConfig clientConfig = new ClientConfig();
clientConfig.property(ApacheClientProperties.REQUEST_CONFIG, requestConfig);
clientConfig.connectorProvider(new ApacheConnectorProvider());
client = ClientBuilder.newBuilder().withConfig(clientConfig).sslContext(getSSLContext()).build();
client.property(ClientProperties.CONNECT_TIMEOUT, 5000);
But how to add username and password for Proxy authentication?
Seems like apache connection provider does not use the standard java proxy selector mechanisms.
I finally found the solution by myself. Unfortunately this is documented nowhere:
HttpHost proxyhost = new HttpHost(host,pw);
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(new AuthScope(proxyhost), new UsernamePasswordCredentials(user, pw));
clientConfig.property(ApacheClientProperties.CREDENTIALS_PROVIDER, credsProvider);
builder.setProxy(proxyhost);
I think you should add few more lines of code
builder.setProxy(proxyhost).setDefaultCredentialsProvider(credsProvider)
.setProxyAuthenticationStrategy(new ProxyAuthenticationStrategy());
otherwise it wont really authenticate the proxy host I feel. In your case it might be bypassing the proxy. ?