我想在我们的应用程序中为两个 JAX-WS/RS 客户端实现 CXF 的故障转移功能,这些客户端必须使用客户端证书通过 HTTPS 调用远程 Web 服务。已部署 2 个远程服务器:主服务器 + 备用服务器。
我有点迷失如何在故障转移发生后保证相同的功能(使用正确的 TLS 参数/SSL session )。
JAX-WS 客户端
有6个ClientServices扩展AbstractClientServiceImpl并使用相同的PortType wsClient bean和远程服务器的相同basePath,但是它们设置了要调用的服务的最后一个uri部分使用自己的 String getEndpointUrl(){ return "X";} 方法。
BasePath: https://remote1.server.com:443/api
Alternate addresses: https://remote2.server.com:443/api
请看一下代码 - ClientEndpointAddressInterceptor。使用此拦截器,我可以组合 basePath + lastUriPart 并为特定 ClientService 调用正确的目标端点 - 即使发生故障转移也是如此。例如:
target endpoint for ClientService1.class https://remote1.server.com:443/api/service1
target endpoint for ClientService2.class: https://remote1.server.com:443/api/service2
两周来我一直在努力寻找正确的设置/配置。 如果我不像这样将 tlsClientParameters 或 HttpClientPolicy 添加到扩展程序,那么在进行故障转移后,我将无法看到新创建的任何 TLS 设置导管!
// ssl settings
endpointInfo.addExtensor(tlsClientParameters);
我不知道这是否是正确的方法,但是通过这种狡猾的解决方法,我可以设法为 2 个远程调用“提供”相同的 tlsClientParams(主要 +备用远程服务器地址)- 客户端证书的 SAN 具有两个服务器的 DNS 名称。
技术:SpringBoot v2.1 + CXF 3.3.0 + Tomcat8.5
@Bean
public PortType wsClient(Properties properties,
TLSClientParameters tlsClientParameters,
LoggingFeature loggingFeature,
ClientEndpointAddressFeature clientEndpointAddressFeature) {
return createClient(properties, huTlsClientParameters, loggingFeature,
createFailoverFeature(properties.getFailover().getAddresses(), properties.getFailover().getRetryDelay()),
clientEndpointAddressFeature);
}
private FailoverFeature createFailoverFeature(String[] alternateAddresses, long failOverRetryDelay) {
final FailoverFeature failOverFeature = new FailoverFeature();
final SequentialStrategy strategy = new SequentialStrategy();
strategy.setAlternateAddresses(Arrays.asList(alternateAddresses));
strategy.setDelayBetweenRetries(failOverRetryDelay);
failOverFeature.setStrategy(strategy);
return failOverFeature;
}
private PortType createClient(Properties properties, TLSClientParameters tlsClientParameters, WebServiceFeature... features) {
final Service service = new Service();
final PortType client = service.getPortType(features);
final Client clientProxy = ClientProxy.getClient(client);
final EndpointInfo endpointInfo = clientProxy.getEndpoint().getEndpointInfo();
final HTTPClientPolicy httpClientPolicy = Optional.ofNullable(endpointInfo.getExtensor(HTTPClientPolicy.class))
.orElseGet(() -> {
// if there is no XYFeature, policy has to be initialized at this point
final HTTPClientPolicy policy = new HTTPClientPolicy();
policy.setAccept(HuHttpHeaders.HEADER_ACCEPT_VALUE);
endpointInfo.addExtensor(policy);
return policy;
});
// timeout settings
httpClientPolicy.setConnectionTimeout(properties.getConnectionTimeout());
httpClientPolicy.setReceiveTimeout(properties.getReadTimeout());
// set content-length by default
httpClientPolicy.setAllowChunking(false);
// ssl settings
endpointInfo.addExtensor(tlsClientParameters);
// set global requestContext
setRequestContext((BindingProvider) client, properties.getUrl());
return client;
}
private void setRequestContext(BindingProvider bp, String server) {
bp.getRequestContext().put(Message.ENDPOINT_ADDRESS, server);
bp.getRequestContext().put(ClientImpl.THREAD_LOCAL_REQUEST_CONTEXT, true);
bp.getRequestContext().put(Message.SCHEMA_VALIDATION_ENABLED, true);
bp.getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, true);
}
public class ClientEndpointAddressOutInterceptor extends AbstractPhaseInterceptor<Message> {
public ClientEndpointAddressOutInterceptor() {
super(Phase.PREPARE_SEND);
addBefore(MessageSenderInterceptor.class.getName());
}
@Override
public void handleMessage(Message message) throws Fault {
final String previousEndpointAddress = (String) message.get(Message.ENDPOINT_ADDRESS);
final String lastUriPath = (String) message.get("lastUriPath");
message.put(Message.ENDPOINT_ADDRESS, previousEndpointAddress + lastUriPath);
}
}
public abstract class AbstractClientServiceImpl implements ClientService {
public AbstractClientServiceImpl(PortType PortType) {
this.portType = portType;
}
@Override
public HttpStatus sendRequest(String xmlData) {
...
final BindingProvider bindingProvider = (BindingProvider) this.portType;
try {
// set http header for this particular request
// also store bindingProvider.getRequestContext().put("lastUriPath", getEndpointUrl());
HttpHeaderUtil.setHttpHeader(getSoapActionUrl(), bindingProvider, getEndpointUrl());
execute(xmlData, createSoapHeader());
} catch (Exception ex) {
...
}
...
}
// last uri part
protected abstract String getEndpointUrl();
// execute is responsible for calling a particular service. e.g: in ClientService1.class portType.callService1(xmlData);
protected abstract void execute(String xmlData, TransactionHeader transactionHeader);
}
问题
JAX-WS 客户端
- 发生故障转移后,之前设置的 (thread-local-requests,true) 设置会发生什么情况? 6 ClientServices 类调用的以下服务调用之后是否仍保持线程安全?
- 我有一个要求,即我应该使用 SSL session 重用机制。如果 CXF 的故障转移功能删除了管道并创建了一个新管道,那么在故障转移后如何再次应用此功能?或者 Tomcat 是否以某种方式处理这个问题而无需为此烦恼?我不是 CXF 方面的专家,并且在 CXF 的站点/邮件列表中没有找到太多与 SSL session 相关的信息。
JAX-RS 客户端
实际上,上面针对 JAX-WS 客户端解决了同样的 2 个关注点/问题。
唯一的区别是 RS 有 3 个客户端调用方法,使用声明为 的相同客户端实例
private WebClient webClient(){
final JAXRSClientFactoryBean clientFactoryBean = new JAXRSClientFactoryBean();
clientFactoryBean.setThreadSafe(true);
final WebClient webClient = clientFactoryBean.createWebClient();
final ClientConfiguration config = WebClient.getConfig(webClient);
config.getRequestContext().put(HTTPConduit.NO_IO_EXCEPTIONS, Boolean.TRUE);
// ssl settings
config.getEndpoint().getEndpointInfo().addExtensor(tlsClientParameters);
return webClient;
}
感谢您提前提供的帮助。
最佳答案
解决方案是使用 CXF 的 HTTPConduitConfigurator,详细信息如下:https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=49941#ClientHTTPTransport(includingSSLsupport)-HowtouseHTTPConduitConfigurer ?
HTTPConduitConfigurer httpConduitConfigurer = new HTTPConduitConfigurer() {
public void configure(String name, String address, HTTPConduit c) {
c.setTlsClientParameters(_tlsParams);
}
}
bus.setExtension(httpConduitConfigurer, HTTPConduitConfigurer.class);
这将在创建的所有管道上设置 TLS 客户端参数,例如使用故障转移时。
关于java - CXF 故障转移管道即时修改 - 保证相同的 SSL session 和客户端线程安全?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56658741/