A record of a WebLogic hostname verification problem


A question about WebLogic hostname verification

The problem was discovered by a colleague on the project team.
The code that produced the error is as follows:


import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;

StringBuilder document = new StringBuilder();
URL url = new URL(Constants.URL); // remote URL; the actual value is https://mapi.alipay.com/...
URLConnection conn = url.openConnection();
BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line = null;
while ((line = reader.readLine()) != null) {
    document.append(line);
}
reader.close();


When run on WebLogic Server, the following exception is thrown:

<02:11:12 PM CST> <Error> <HTTP> <BEA-101019> <[ServletContext@25331129[app:httpTest module:WebContent path:/TestHTTPS spec-version:2.5]] Servlet failed with IOException
javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from mapi.alipay.com - 110.75.142.31 failed hostname verification check. Certificate contained *.alipay.com but check expected mapi.alipay.com
	at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
	at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
	at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
	at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
	at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
	Truncated. see log file for complete stacktrace
>


Through the unremitting efforts of that colleague, I found the problem:
When WebLogic Server acts as an HTTPS client, it performs SSL hostname verification on the server it connects to. The check compares the hostname in the server's certificate with the host in the request URL, and the comparison rule depends on a configuration item. In the WebLogic console, go to Environment > Servers > (the server) > Configuration > SSL, click "Advanced" and look at the "Hostname Verification" option. The default value is "BEA Hostname Verifier", which compares the certificate hostname and the URL hostname in full: they must be identical for the verification to pass and the HTTPS request to be allowed.

In our case, the certificate is issued for "*.alipay.com" while the address actually accessed is "mapi.alipay.com". Under an exact-match rule, the verification fails.

Most of the solutions found online simply disable WebLogic's hostname verification by selecting "None" in the configuration item above. That choice is genuinely risky: the client then accepts a certificate issued for any host, so the certificate no longer proves which server it is talking to.

After further effort by the colleague, I found another solution.
Modify the code as follows:

import java.io.IOException;
import java.io.InputStream;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;

StringBuffer result = new StringBuffer();
HttpClient httpClient = new DefaultHttpClient();
// the request method used is GET
HttpGet httpGet = new HttpGet(Constants.URL);
try {
    HttpResponse response = httpClient.execute(httpGet);
    HttpEntity httpEntity = response.getEntity();
    if (httpEntity != null) {
        InputStream inputStream = httpEntity.getContent();
        byte[] responseByte = new byte[2048];
        int len = 0;
        // note: decoding each 2048-byte chunk separately can split a multibyte character
        while ((len = inputStream.read(responseByte)) != -1) {
            result.append(new String(responseByte, 0, len));
        }
    }
} catch (ClientProtocolException e) {
    e.printStackTrace();
} catch (IOException e) {
    e.printStackTrace();
} finally {
    // release the HTTP connection
    httpClient.getConnectionManager().shutdown();
}


The main change is replacing the URL-based URLConnection approach with HttpClient. After the rewrite, HTTPS requests go through even though the WebLogic server configuration is still "BEA Hostname Verifier".

The reason it works is that HttpClient attaches its own hostname verifier to the HTTPS request. The default is BrowserCompatHostnameVerifier, which behaves the same way as Firefox: a wildcard certificate such as "*.foo.com" matches all subdomains. HttpClient ships two other hostname verifiers, which are not covered here.

The colleague then raised the question with us: why does the hostname verifier configured on WebLogic no longer apply once HttpClient is used?

WebLogic wraps an HTTPS request in an instance of the "weblogic.security.SSL.SSLClientInfo" class, which has a field "private HostnameVerifier hostnameVerifier;". When WebLogic constructs this instance in the "weblogic.security.utils.SSLSetup" class, it checks whether the original connection already carries a HostnameVerifier. If it does, that verifier is kept; otherwise a hostname verifier is assembled from the WebLogic Server configuration.

So when HttpClient is used, the connection is verified with the hostname verifier that HttpClient supplies, and the server's own configuration is bypassed.

Besides HttpClient, there are two other ways to solve this problem.

The first follows the HttpClient idea: attach a custom hostname verifier to the HTTPS request.
The code is as follows:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

StringBuilder document = new StringBuilder();
URL url = new URL(Constants.URL); // remote URL
// HttpsURLConnection has no public constructor; cast the connection opened from the URL
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String arg0, SSLSession arg1) {
        // prints only and accepts every host name, which is equivalent to no verification
        System.out.println("here is a special custom processing: print only, do not validate");
        return true;
    }
});
System.out.println(conn.getHostnameVerifier());
BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line = null;
while ((line = reader.readLine()) != null) {
    document.append(line);
}
reader.close();


HttpsURLConnection is used here because only this class exposes setHostnameVerifier and the related methods.

The other way is to write a custom hostname verifier for WebLogic and configure it as the server's "Custom Hostname Verifier".
The code for the custom verifier is as follows:

package verifier;

import javax.net.ssl.SSLSession;
import weblogic.security.SSL.HostnameVerifier;

/**
 * Custom host name verification class.
 * @since 2013-10-14
 * @version 1.0.0
 */
public class CustomerVerifier implements HostnameVerifier {

    /**
     * Verification method.
     * @since 2013-10-14
     * @param arg0 the host name being connected to
     * @param arg1 the SSL session of the connection
     * @return true to accept the host name
     * @see weblogic.security.SSL.HostnameVerifier#verify(java.lang.String, javax.net.ssl.SSLSession)
     */
    @Override
    public boolean verify(String arg0, SSLSession arg1) {
        // logs only and accepts every host name, so verification is effectively switched off
        System.out.println("this is the CustomerVerifier by Loy, arg0=" + arg0 + ", arg1=" + arg1);
        return true;
    }
}


Make the following configuration on the server:
1. Select "Custom Hostname Verifier" for the "Hostname Verification" option;
2. In the "Custom Hostname Verifier:" input box, enter the fully qualified class name of the custom class, for example "verifier.CustomerVerifier";
3. Put the class file of the custom class on the WebLogic Server classpath, for example by exporting it as a jar and adding this line to the WebLogic startup script:
   set CLASSPATH=%CLASSPATH%;d:\bea\user_projects\domains\car_domain_10\lib\CustomerVerifier.jar

After the configuration is complete, restart the server and run the original code that threw the exception. Under normal circumstances the request now returns the data.
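Both custom verifiers shown above return true unconditionally, which is the same as selecting "None". As an added example (not code from the original post, WebLogic or HttpClient), the class below does what they leave out: it reads the names from the peer certificate and accepts a single-label wildcard such as "*.alipay.com" for "mapi.alipay.com", while rejecting every host the certificate does not name. It implements javax.net.ssl.HostnameVerifier so it can be passed to HttpsURLConnection.setHostnameVerifier as in the earlier snippet; since weblogic.security.SSL.HostnameVerifier declares the same verify(String, SSLSession) method, the same body can implement that interface for the "Custom Hostname Verifier" setting. The class name WildcardHostnameVerifier and the names used in main are my own assumptions and constructed input.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (assumed class name, not WebLogic or HttpClient code): accepts a
 * single-label wildcard like "*.alipay.com" for "mapi.alipay.com" and nothing else.
 */
public class WildcardHostnameVerifier implements HostnameVerifier {

    /** GeneralName tag of dNSName in SubjectAlternativeName (RFC 5280). */
    private static final int SAN_DNS_NAME = 2;

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matchesAny(host, certificateNames((X509Certificate) chain[0]));
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // unauthenticated peer or unreadable names: never accept
        }
    }

    /** dNSName SAN entries of the leaf certificate; the subject CN is used only when no SAN exists. */
    static List<String> certificateNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (SAN_DNS_NAME == (Integer) san.get(0)) {
                    names.add((String) san.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
            for (String rdn : dn.split(",")) {
                if (rdn.trim().startsWith("CN=")) {
                    names.add(rdn.trim().substring(3));
                }
            }
        }
        return names;
    }

    static boolean matchesAny(String host, List<String> certNames) {
        for (String name : certNames) {
            if (matches(host, name)) {
                return true;
            }
        }
        return false;
    }

    /** RFC 6125 style: case-insensitive; "*" only as the whole leftmost label, covering exactly one label. */
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);               // plain name: exact match, like the BEA verifier
        }
        String suffix = p.substring(1);       // "*.alipay.com" -> ".alipay.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                     // "*.com" would cover a whole top-level domain
        }
        if (!h.endsWith(suffix)) {
            return false;                     // "alipay.com" and "evil.com" do not match
        }
        String leftmost = h.substring(0, h.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0; // "a.b.alipay.com" is rejected
    }

    /** Attaches the verifier to one connection, the way the HttpsURLConnection snippet above does. */
    static HttpsURLConnection open(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(new WildcardHostnameVerifier());
        return conn;
    }

    public static void main(String[] args) {
        // constructed input: in verify() these names come from the peer certificate
        List<String> certNames = Collections.singletonList("*.alipay.com");
        String[] hosts = {"mapi.alipay.com", "MAPI.Alipay.com", "alipay.com", "a.b.alipay.com", "evil.com"};
        for (String host : hosts) {
            System.out.println(host + " -> " + matchesAny(host, certNames));
        }
    }
}
```

Only the leaf certificate's names are consulted, and the verifier refuses rather than accepts whenever the session has no authenticated peer, so a failure in certificate parsing can never silently turn into an "accept all" outcome.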

This article is from the "programming Capricorn male" blog; please keep this source: http://winters1224.blog.51cto.com/3021203/1313111
