Project basic Maven setup and working server-alice and server-tom.

Author: jonashackt

.gitignore

@@ -0,0 +1,31 @@
+*.class
+*.springBeans
+
+# Package Files #
+*.jar
+*.war
+*.ear
+
+# Eclipse #
+.settings
+.project
+.classpath
+.studio
+target
+
+# Apple # 
+.DS_Store
+
+# Intellij #
+.idea
+*.iml
+*.log
+
+# logback
+logback.out.xml
+
+# certificate stuff
+*.key
+*.csr
+*.crt
+*.p12

.travis.yml

@@ -0,0 +1,5 @@
+language: java
+jdk:
+  - oraclejdk8
+
+script: mvn clean install

README.md

@@ -0,0 +1,139 @@
+REST Client uses clientcertificate to authenticate to Spring Boot Server
+=============================
+[![Build Status](https://travis-ci.org/jonashackt/spring-boot-rest-clientcertificate.svg?branch=master)](https://travis-ci.org/jonashackt/spring-boot-rest-clientcertificate)
+
+This repository basically forks all the ground work that was done in https://github.com/jonashackt/spring-boot-rest-clientcertificate. This is a basic example, where the client certificate secured server is a Spring Boot Application and the client is just a Testcase that uses Spring´s RestTemplate which is configured to use the client certificate.
+
+In contrast the present project focusses on the configuration of more than one client certificates and how to access REST endpoints from multiple servers that are secured by different client certificates with Spring´s RestTemplate.
+
+Therefore we use several Spring Boot based microservices that provide different client certificate secured REST endpoint and a separate microservice that accesses these services:
+
+```
+                                   ================
+                                   =              =
+                                   = server-alice =
+==============                     =              =
+=            = ------------------> ================
+= client-bob =                     
+=            = ------------------> ================
+==============                     =              =
+                                   =  server-tom  =
+                                   =              =
+                                   ================
+```
+
+
+For a general approach on how to generate private keys and certificates and create Java Keystores, have a look into https://github.com/jonashackt/spring-boot-rest-clientcertificate#generate-the-usual-key-and-crt---and-import-them-into-needed-keystore-jks-files
+
+## server-alice client certificate & truststore (see /server-alice/src/main/resources)
+
+#### 1. Private Key: aliceprivate.key
+
+```
+openssl genrsa -des3 -out aliceprivate.key 128
+```
+
+- passphrase `alicepassword`
+
+
+#### 2. Certificate Signing Request (CSR): alice.csr
+
+```
+openssl req -new -key aliceprivate.key -out alice.csr
+```
+
+__Common Name__: `server-alice`, which will later be a DNS alias inside the Docker network 
+
+
+#### 3. self-signed Certificate: alice.crt
+
+```
+openssl x509 -req -days 3650 -in alice.csr -signkey aliceprivate.key -out alice.crt
+```
+
+
+#### 4. Java Truststore Keystore, that inherits the generated self-signed Certificate: alice-truststore.jks
+
+```
+keytool -import -file alice.crt -alias alicesCA -keystore alice-truststore.jks
+```
+
+__the same password__ `alicepassword`
+
+
+#### 5. Java Keystore, that inherits Public and Private Keys (keypair): alice-keystore.jks
+
+```
+openssl pkcs12 -export -in alice.crt -inkey aliceprivate.key -certfile alice.crt -name "alicecert" -out alice-keystore.p12
+```
+
+__the same password__ `alicepassword`
+
+
+
+## server-tom client certificate & truststore (see /server-tom/src/main/resources)
+
+#### 1. Private Key: tomprivate.key
+
+```
+openssl genrsa -des3 -out tomprivate.key 1024
+```
+
+- passphrase `tompassword`
+
+
+#### 2. Certificate Signing Request (CSR): tom.csr
+
+```
+openssl req -new -key tomprivate.key -out tom.csr
+```
+
+__Common Name__: `server-tom`, which will later be a DNS alias inside the Docker network 
+
+
+#### 3. self-signed Certificate: tom.crt
+
+```
+openssl x509 -req -days 3650 -in tom.csr -signkey tomprivate.key -out tom.crt
+```
+
+
+#### 4. Java Truststore Keystore, that inherits the generated self-signed Certificate: tom-truststore.jks
+
+```
+keytool -import -file tom.crt -alias tomsCA -keystore tom-truststore.jks
+```
+
+__the same password__ `tompassword`
+
+
+#### #### 5. Java Keystore, that inherits Public and Private Keys (keypair): tom-keystore.p12
+
+```
+openssl pkcs12 -export -in tom.crt -inkey tomprivate.key -certfile tom.crt -name "tomcert" -out tom-keystore.p12
+```
+
+__the same password__ `tompassword`
+
+
+
+## client-bob truststore & keystore (see /server-alice/src/main/resources)
+
+#### 1. Java Truststore Keystore, that inherits the generated self-signed Certificate: client-truststore.jks
+
+```
+keytool -import -file alice.crt -alias alicesCA -keystore client-truststore.jks
+keytool -import -file tom.crt -alias tomsCA -keystore client-truststore.jks
+```
+
+__password__ `bobpassword`
+
+
+#### 2. Java Keystore, that inherits Public and Private Keys (keypair): server-tom-keystore.p12
+
+```
+openssl pkcs12 -export -in tom.crt -inkey tomprivate.key -certfile tom.crt -name "tomcert" -out server-tom-keystore.p12
+```
+
+__the same password__ `tompassword`
+

client-bob/pom.xml

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>de.jonashackt</groupId>
+	<artifactId>client-bob</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<packaging>jar</packaging>
+
+	<parent>
+		<groupId>de.jonashackt</groupId>
+		<artifactId>spring-boot-rest-clientcertificates-docker-compose</artifactId>
+		<version>0.0.1-SNAPSHOT</version>
+	</parent>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+
+        <!-- we need this here for server certificate handling -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+		<!-- we need httpclient here for client certificate handling -->
+		<dependency>
+			<groupId>org.apache.httpcomponents</groupId>
+			<artifactId>httpclient</artifactId>
+		</dependency>
+		
+		<!-- Testing -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+	</dependencies>
+	
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+	
+
+</project>

client-bob/src/main/java/de/jonashackt/restexamples/ServerApplication.java

@@ -0,0 +1,13 @@
+package de.jonashackt.restexamples;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.PropertySource;
+
+@SpringBootApplication
+public class ServerApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(ServerApplication.class, args);
+    }
+}

client-bob/src/main/java/de/jonashackt/restexamples/configuration/WebSecurityConfig.java

@@ -0,0 +1,30 @@
+package de.jonashackt.restexamples.configuration;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    /*
+     * Enable x509 client authentication.
+     */
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.x509();
+    }
+
+    /*
+     * Create an in-memory authentication manager. We create 1 user (localhost which
+     * is the CN of the client certificate) which has a role of USER.
+     */
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.inMemoryAuthentication()
+                .withUser("localhost")
+                .password("none")
+                .roles("USER");
+    }
+}

client-bob/src/main/java/de/jonashackt/restexamples/controller/ServerController.java

@@ -0,0 +1,18 @@
+package de.jonashackt.restexamples.controller;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/restexamples")
+public class ServerController {
+
+    public static final String RESPONSE = "Hello Rest-User!";
+
+    @RequestMapping(path="/hello", method=RequestMethod.GET)
+    public String helloWorld() {
+        System.out.println("Rocking REST!");
+    	return RESPONSE;
+    }
+}

client-bob/src/main/resources/application.yml

@@ -0,0 +1,11 @@
+server:
+  port: 8443
+  ssl:
+    key-store: classpath:keystore.jks
+    key-store-password: allpassword
+    trust-store: classpath:truststore.jks
+    trust-store-password: allpassword
+    client-auth: need
+security:
+  headers:
+    hsts: NONE

client-bob/src/main/resources/keystore.jks

@@ -0,0 +1,33 @@
+package de.jonashackt.restexamples;
+
+import de.jonashackt.restexamples.controller.ServerController;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.embedded.LocalServerPort;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.web.client.RestTemplate;
+
+import static org.junit.Assert.assertEquals;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(
+		classes = ServerApplication.class,
+		webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT
+)
+public class RestClientCertTest {
+
+	@LocalServerPort
+	private int port;
+
+	@Autowired
+    private RestTemplate restTemplate;
+
+	@Test
+	public void is_hello_resource_callable_with_client_cert() {
+		String response = restTemplate.getForObject("https://localhost:" + port + "/restexamples/hello", String.class);
+	    
+	    assertEquals(ServerController.RESPONSE, response);
+	}
+}

client-bob/src/main/resources/truststore.jks

@@ -0,0 +1,37 @@
+package de.jonashackt.restexamples;
+
+import org.apache.http.client.HttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.util.ResourceUtils;
+import org.springframework.web.client.RestTemplate;
+
+import javax.net.ssl.SSLContext;
+
+@Configuration
+public class RestClientCertTestConfiguration {
+
+    private char[] allPassword = "allpassword".toCharArray();
+
+    @Bean
+    public RestTemplate restTemplate(RestTemplateBuilder builder) throws Exception {
+
+        SSLContext sslContext = SSLContextBuilder
+                .create()
+                .loadKeyMaterial(ResourceUtils.getFile("classpath:keystore.jks"), allPassword, allPassword)
+                .loadTrustMaterial(ResourceUtils.getFile("classpath:truststore.jks"), allPassword)
+                .build();
+
+        HttpClient client = HttpClients.custom()
+                .setSSLContext(sslContext)
+                .build();
+
+        return builder
+                .requestFactory(new HttpComponentsClientHttpRequestFactory(client))
+                .build();
+    }
+}