Trying to rewrite request URI in a WebFilter fails on missing client TLS certificate [SPR-16244] #20791

Closed
spring-issuemaster opened this issue Nov 29, 2017 · 1 comment

Oleg Alexeyev opened SPR-16244 and commented

Stack: Spring WebFlux 5.0.2, reactor-netty 0.7.2, netty 4.1.17, netty-tcnative-boringssl-static 2.0.7, java 8u152.
Connection: TLS, no client certificate.

We're rewriting the request URI from absolute form to relative in a WebFilter because of #20790, using the following construct:

request
      .mutate()
      .uri(relativeUri)
      .build()

This results in the following exception:

java.lang.IllegalStateException: Failed to get SSL certificates
	at org.springframework.http.server.reactive.DefaultSslInfo.initCertificates(DefaultSslInfo.java:94) ~[spring-web-5.0.2.RELEASE.jar:5.0.2.RELEASE]
	at org.springframework.http.server.reactive.DefaultSslInfo.<init>(DefaultSslInfo.java:51) ~[spring-web-5.0.2.RELEASE.jar:5.0.2.RELEASE]
	at org.springframework.http.server.reactive.ReactorServerHttpRequest.initSslInfo(ReactorServerHttpRequest.java:141) ~[spring-web-5.0.2.RELEASE.jar:5.0.2.RELEASE]
	at org.springframework.http.server.reactive.AbstractServerHttpRequest.getSslInfo(AbstractServerHttpRequest.java:162) ~[spring-web-5.0.2.RELEASE.jar:5.0.2.RELEASE]
	at org.springframework.http.server.reactive.DefaultServerHttpRequestBuilder$DefaultServerHttpRequest.<init>(DefaultServerHttpRequestBuilder.java:176) ~[spring-web-5.0.2.RELEASE.jar:5.0.2.RELEASE]
	at org.springframework.http.server.reactive.DefaultServerHttpRequestBuilder.build(DefaultServerHttpRequestBuilder.java:133) ~[spring-web-5.0.2.RELEASE.jar:5.0.2.RELEASE]
...
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not verified
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$OpenSslSession.getPeerCertificates(ReferenceCountedOpenSslEngine.java:2121) ~[netty-handler-4.1.17.Final.jar:4.1.17.Final]
	at org.springframework.http.server.reactive.DefaultSslInfo.initCertificates(DefaultSslInfo.java:91) ~[spring-web-5.0.2.RELEASE.jar:5.0.2.RELEASE]
...

Affects: 5.0.2

Issue Links:

  • #20790 Controller cannot be found if absolute URI is given in HTTP request

Referenced from: commits b9a1168

commented Nov 29, 2017

Rossen Stoyanchev commented

Ah yes, it looks like we need to be a little more careful in the copy constructor to avoid causing a premature peer unverified exception. In the meantime, as a workaround, you can use ServerHttpRequestDecorator and override the getURI method.
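The decorator workaround described in the comment above, written out as a WebFilter. This is an added example, not code from the reporter or from the Spring project. The class name `RelativeUriWebFilter`, the helper `toRelative` and the extra `getPath()` override are assumptions made for illustration. Because the decorator wraps the original request instead of copying it, `getSslInfo()` is not called while the request is being replaced, so a TLS connection without a client certificate does not fail at that point.

```java
import java.net.URI;

import org.springframework.http.server.RequestPath;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;

import reactor.core.publisher.Mono;

// Hypothetical filter name; register it as a bean like any other WebFilter.
public class RelativeUriWebFilter implements WebFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        ServerHttpRequest original = exchange.getRequest();
        URI relativeUri = toRelative(original.getURI());
        // Assumption: handler mapping reads getPath(), which the decorator would
        // otherwise delegate to the original request, so it is rebuilt as well.
        RequestPath relativePath = RequestPath.parse(
                relativeUri, original.getPath().contextPath().value());

        // Decorate instead of request.mutate().uri(...).build(): nothing is copied,
        // and getSslInfo() still delegates to the original request on demand.
        ServerHttpRequest decorated = new ServerHttpRequestDecorator(original) {
            @Override
            public URI getURI() {
                return relativeUri;
            }

            @Override
            public RequestPath getPath() {
                return relativePath;
            }
        };
        return chain.filter(exchange.mutate().request(decorated).build());
    }

    // Hypothetical helper: keep only the raw path and query of the incoming URI.
    static URI toRelative(URI uri) {
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        // Collapse leading slashes so URI.create cannot read "//host/..." as an authority.
        path = path.replaceFirst("^/+", "/");
        String query = uri.getRawQuery();
        return URI.create(query == null ? path : path + "?" + query);
    }
}
```

Code that reads the peer certificates later should still treat a missing client certificate as an expected case on connections where client authentication is not required.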
