我正在尝试基于Spring Websocket Demo构建一个websocket消息应用程序,运行ActiveMQ作为Undertow的STOMP消息代理。该应用程序在不安全的连接上运行良好。但是,我很难将STOMP代理中继配置为转发SSL连接。
正如Spring WebSocket Docs中提到的…
上述配置中的“STOMP代理中继”是一个Spring MessageHandler,它通过将消息转发到外部消息代理来处理消息。为此,它与代理建立TCP连接,将所有消息转发给它,然后通过客户端的WebSocket会话将从代理接收到的所有消息转发给客户端。本质上,它充当一个双向转发消息的“中继”。
此外,该文档声明了我对Reacer-net的依赖…
请添加一个依赖于org. project ectreacter-net的传输控制协议管理。
问题是我当前的实现没有通过SSL初始化NettyTCPClient,因此ActiveMQ连接失败并出现SSLException。
[r.i.n.i.n.t.NettyTcpClient:307] » CONNECTED:
[id: 0xcfef39e9, /127.0.0.1:17779 => localhost/127.0.0.1:8442]
...
[o.a.a.b.TransportConnection.Transport:245] »
Transport Connection to: tcp://127.0.0.1:17779 failed:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
...
因此,我试图研究项目Reactor文档来设置连接的SSL选项,但我没有成功。
此时,我发现StompBrokerRelayMessageHandler在Reactor2TcpClient中默认初始化NettyTCPClient,但它似乎不可配置。
将不胜感激。
SSCCE
app. props
spring.activemq.in-memory=true
spring.activemq.pooled=false
spring.activemq.broker-url=stomp+ssl://localhost:8442
server.port=8443
server.ssl.enabled=true
server.ssl.protocol=tls
server.ssl.key-alias=undertow
server.ssl.key-store=classpath:undertow.jks
server.ssl.key-store-password=xxx
server.ssl.trust-store=classpath:undertow_certs.jks
server.ssl.trust-store-password=xxx
WebSocketConfig
//...
@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {
private static final Logger log = LoggerFactory.getLogger(WebSocketConfig.class);
private final static String KEYSTORE = "/activemq.jks";
private final static String KEYSTORE_PASS = "xxx";
private final static String KEYSTORE_TYPE = "JKS";
private final static String TRUSTSTORE = "/activemq_certs.jks";
private final static String TRUSTSTORE_PASS = "xxx";
private static String getBindLocation() {
return "stomp+ssl://localhost:8442?transport.needClientAuth=false";
}
@Bean(initMethod = "start", destroyMethod = "stop")
public SslBrokerService activeMQBroker() throws Exception {
final SslBrokerService service = new SslBrokerService();
service.setPersistent(false);
KeyManager[] km = SecurityManager.getKeyManager();
TrustManager[] tm = SecurityManager.getTrustManager();
service.addSslConnector(getBindLocation(), km, tm, null);
final ActiveMQTopic topic = new ActiveMQTopic("jms.topic.test");
service.setDestinations(new ActiveMQDestination[]{topic});
return service;
}
@Override
public void configureMessageBroker(MessageBrokerRegistry config) {
config.enableStompBrokerRelay("/topic").setRelayHost("localhost").setRelayPort(8442);
config.setApplicationDestinationPrefixes("/app");
}
@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
registry.addEndpoint("/welcome").withSockJS();
registry.addEndpoint("/test").withSockJS();
}
private static class SecurityManager {
//elided...
}
}
根据罗森的建议解决。以下是任何感兴趣的人的实施细节。
WebSocketConfig
@Configuration
public class WebSocketConfig extends DelegatingWebSocketMessageBrokerConfiguration {
...
@Bean
public AbstractBrokerMessageHandler stompBrokerRelayMessageHandler() {
StompBrokerRelayMessageHandler handler = (StompBrokerRelayMessageHandler) super.stompBrokerRelayMessageHandler();
ConfigurationReader reader = new StompClientDispatcherConfigReader();
Environment environment = new Environment(reader).assignErrorJournal();
TcpOperations<byte[]> client = new Reactor2TcpClient<>(new StompTcpClientSpecFactory(environment,"localhost", 8443));
handler.setTcpClient(client);
return handler;
}
}
Stomp TCP客户端规范工厂
private static class StompTcpClientSpecFactory
implements NetStreams.TcpClientFactory<Message<byte[]>, Message<byte[]>> {
private static final Logger log = LoggerFactory.getLogger(StompTcpClientSpecFactory.class);
private final String host;
private final int port;
private final String KEYSTORE = "src/main/resources/tcpclient.jks";
private final String KEYSTORE_PASS = "xxx";
private final String KEYSTORE_TYPE = "JKS";
private final String TRUSTSTORE = "/src/main/resources/tcpclient_certs.jks";
private final String TRUSTSTORE_PASS = "xxx";
private final String TRUSTSTORE_TYPE = "JKS";
private final Environment environment;
private final SecurityManager tcpManager = new SecurityManager
.SSLBuilder(KEYSTORE, KEYSTORE_PASS)
.keyStoreType(KEYSTORE_TYPE)
.trustStore(TRUSTSTORE, TRUSTSTORE_PASS)
.trustStoreType(TRUSTSTORE_TYPE)
.build();
public StompTcpClientSpecFactory(Environment environment, String host, int port) {
this.environment = environment;
this.host = host;
this.port = port;
}
@Override
public Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> apply(
Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> tcpClientSpec) {
return tcpClientSpec
.ssl(new SslOptions()
.sslProtocol("TLS")
.keystoreFile(tcpManager.getKeyStore())
.keystorePasswd(tcpManager.getKeyStorePass())
.trustManagers(tcpManager::getTrustManager)
.trustManagerPasswd(tcpManager.getTrustStorePass()))
.codec(new Reactor2StompCodec(new StompEncoder(), new StompDecoder()))
.env(this.environment)
.dispatcher(this.environment.getCachedDispatchers("StompClient").get())
.connect(this.host, this.port);
}
}
StompBrokerRelayMessageHandler有一个您可以设置的tcpClient属性。但是看起来我们没有通过WebSocketMessageBrokerConfirer设置公开它。
您可以删除@EnableWebSocketMessageBroker并扩展委托WebSocketMessageBrokerConfiguration。它实际上是相同的,但您现在直接从提供所有bean的配置类扩展。
这允许您覆盖stompBrokerRelayMessageHandler()bean并直接设置其TcpClient属性。只需确保覆盖方法标记为@Bean。
我需要使用Spring Messaging 4.2.5和Java8来保护STOMP代理中继到RabbitMQ,发现问题的后续代码已经过时。
当启动我的应用程序时,我提供信任库环境属性来信任内部自签名证书颁发机构。java-Djavax.net. ssl.信任库=/etc/pki/java/server.jks-Djavax.net.ssl.信任库密码=xxxxx-jarbuild/libs/server.war
根据Rossen的回答我变了
@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {
到
@Configuration
public class WebSocketConfig extends DelegatingWebSocketMessageBrokerConfiguration {
然后,在那个WebSocketConfig中,我提供了我自己的AbstractBrokerMessageHandlerbean:
@Bean
public AbstractBrokerMessageHandler stompBrokerRelayMessageHandler() {
AbstractBrokerMessageHandler handler = super.stompBrokerRelayMessageHandler();
if (handler instanceof StompBrokerRelayMessageHandler) {
((StompBrokerRelayMessageHandler) handler).setTcpClient(new Reactor2TcpClient<>(
new StompTcpFactory("127.0.0.1", 61614, true)
));
}
return handler;
}
instanceof条件是为了简化单元测试中NoOpBrokerMessageHandler的使用。
最后,以下是上面使用的StompTcpFactory的实现:
public class StompTcpFactory implements NetStreams.TcpClientFactory<Message<byte[]>, Message<byte[]>> {
private final Environment environment = new Environment(new SynchronousDispatcherConfigReader());
private final String host;
private final int port;
private final boolean ssl;
public StompTcpFactory(String host, int port, boolean ssl) {
this.host = host;
this.port = port;
this.ssl = ssl;
}
@Override
public Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> apply(Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> tcpClientSpec) {
return tcpClientSpec
.env(environment)
.codec(new Reactor2StompCodec(new StompEncoder(), new StompDecoder()))
.ssl(ssl ? new SslOptions() : null)
.connect(host, port);
}
private static class SynchronousDispatcherConfigReader implements ConfigurationReader {
@Override
public ReactorConfiguration read() {
return new ReactorConfiguration(Collections.emptyList(), "sync", new Properties());
}
}
}
@amoebob的回答很好,但是线程没有正确关闭。每次客户端的连接打开时,都会打开一个新线程,并且从未关闭。我在生产中发现了这个问题,并花了几天时间来解决它。所以我建议您更改StompTcpFactory以提高线程重用:
import io.netty.channel.EventLoopGroup;
import org.springframework.messaging.Message;
import org.springframework.messaging.simp.stomp.Reactor2StompCodec;
import org.springframework.messaging.simp.stomp.StompDecoder;
import org.springframework.messaging.simp.stomp.StompEncoder;
import org.springframework.messaging.tcp.reactor.Reactor2TcpClient;
import reactor.Environment;
import reactor.core.config.ReactorConfiguration;
import reactor.io.net.NetStreams;
import reactor.io.net.Spec;
import reactor.io.net.config.SslOptions;
import reactor.io.net.impl.netty.NettyClientSocketOptions;
public class StompTcpFactory implements NetStreams.TcpClientFactory<Message<byte[]>, Message<byte[]>> {
private final Environment environment;
private final EventLoopGroup eventLoopGroup;
private final String host;
private final int port;
private final boolean ssl;
public StompTcpFactory(String host, int port, boolean ssl) {
this.host = host;
this.port = port;
this.ssl = ssl;
this.environment = new Environment(() -> new ReactorConfiguration(emptyList(), "sync", new Properties()));
this.eventLoopGroup = Reactor2TcpClient.initEventLoopGroup();
}
@Override
public Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> apply(Spec.TcpClientSpec<Message<byte[]>, Message<byte[]>> tcpClientSpec) {
return tcpClientSpec
.env(environment)
.options(new NettyClientSocketOptions().eventLoopGroup(eventLoopGroup))
.codec(new Reactor2StompCodec(new StompEncoder(), new StompDecoder()))
.ssl(ssl ? new SslOptions() : null)
.connect(host, port);
}
}
