Home > Enterprise >  spring oauth2 resource server: disable ssl verification
spring oauth2 resource server: disable ssl verification

Time:10-27

I have a spring oauth2 service and the moment the service tries to create the bean jwtDecoderByIssuerUri it fails because of:

...
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of <issuer>
...
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "<issuer>": No subject alternative names present; nested exception is javax.net.ssl.SSLHandshakeException: No subject alternative names present

This error appears after I already disabled ssl verification doing the following:

public final class SSLUtil {

    private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[]{
            new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }

                public void checkClientTrusted(X509Certificate[] certs, String authType) {
                }

                public void checkServerTrusted(X509Certificate[] certs, String authType) {
                }
            }
    };

    public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
        // Install the all-trusting trust manager
        final SSLContext sc = SSLContext.getInstance("SSL");

        sc.init(null, UNQUESTIONING_TRUST_MANAGER, null);

        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }

    public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException {
        // Return it to the initial state (discovered by reflection, now hardcoded)
        SSLContext.getInstance("SSL").init(null, null, null);
    }

    private SSLUtil() {
        throw new UnsupportedOperationException("Do not instantiate libraries.");
    }
}

    @Bean
    JwtDecoder jwtDecoderByIssuerUri(final OAuth2ResourceServerProperties properties) throws KeyManagementException, NoSuchAlgorithmException {
        turnOffSslChecking();

        return JwtDecoders.fromIssuerLocation(properties.getJwt().getIssuerUri());
    }

Before I added turnOffSslChecking() the error was:

...
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Is there a way to avoid all this ssl verification stuff?

CodePudding user response:

Oauth2 servers require the use of SSL/TLS. (Section 2.3.1 which then references section 1.6 TLS Version of the Oauth spec -- https://www.rfc-editor.org/rfc/rfc6749) You're better off solving your original issue rather than disabling SSL.

Your original issue is because you need to install the certificates's public key into the TrustStore instead of creating an all-trusting TrustManager. You don't specify, but I assume you're using self-signed certificates with the default java TrustStore. If so, the steps in this article should resolve the issue. https://medium.com/expedia-group-tech/how-to-import-public-certificates-into-javas-truststore-from-a-browser-a35e49a806dc

If I've made an incorrect assumption, please post more information.

  • Related