有一种方法可以实现它,但并不那么简单。
想法是实现接口org.apache.kafka.common.security.auth.SslEngineFactory,该接口将忽略证书验证。当您将其用作客户端时,应足以仅实现createClientSslEngine方法,类似于以下方式:
import org.apache.kafka.common.security.auth.SslEngineFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
public class InsecureSslEngineFactory implements SslEngineFactory {
private final TrustManager INSECURE_TRUST_MANAGER = new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
};
@Override
public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) {
TrustManager[] trustManagers = new TrustManager[]{ INSECURE_TRUST_MANAGER };
try {
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustManagers, new SecureRandom());
SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
sslEngine.setUseClientMode(true);
return sslEngine;
} catch (NoSuchAlgorithmException | KeyManagementException e) {
throw new RuntimeException(e);
}
}
@Override
public SSLEngine createServerSslEngine(String peerHost, int peerPort) {
return null;
}
@Override
public boolean shouldBeRebuilt(Map<String, Object> nextConfigs) {
return false;
}
@Override
public Set<String> reconfigurableConfigs() {
return null;
}
@Override
public KeyStore keystore() {
return null;
}
@Override
public KeyStore truststore() {
return null;
}
@Override
public void close() {
}
@Override
public void configure(Map<String, ?> configs) {
}
}
完成这个类后,您只需将其配置为kafka(生产者或消费者)属性中的SSL_ENGINE_FACTORY_CLASS即可:
props.put(SslConfigs.SSL_ENGINE_FACTORY_CLASS, InsecureSslEngineFactory.class)
或者,如果您不想使用常量:
props.put("ssl.engine.factory.class", InsecureSslEngineFactory.class)
请确保不要在生产环境中使用此设置!