解决PKIX path building failed的问题

在一次调试中，出现了这个错误：

Java代码

[ERROR] http-8080-Processor25 2010-01-20 15:29:28,640 org.jasig.cas.client.validation.Cas20ServiceTicketValidator     - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target   javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)       at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)       at org.jasig.ca 4000 s.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:58)       at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:167)       at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:141)       at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:137)       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)       at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:149)       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)       at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:78)       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)       at com.web114.web.filter.UTF8EncoderFilter.doFilter(UTF8EncoderFilter.java:57)       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)       at java.lang.Thread.run(Unknown Source)

这个错误最终定位在这个方法：

Java代码

protected final String retrieveResponseFromServer(final URL validationUrl,               final String ticket) {           HttpURLConnection connection = null;           try {               connection = (HttpURLConnection) validationUrl.openConnection();               final BufferedReader in = new BufferedReader(new InputStreamReader(                       connection.getInputStream()));                  String line;               final StringBuffer stringBuffer = new StringBuffer(255);                  synchronized (stringBuffer) {                   while ((line = in.readLine()) != null) {                       stringBuffer.append(line);                       stringBuffer.append("\n");                   }                   return stringBuffer.toString();               }              } catch (final IOException e) {               log.error(e, e);               return null;           } catch (final Exception e1){               log.error(e1, e1);               return null;           }finally {               if (connection != null) {                   connection.disconnect();               }           }       }

后来上网查了很久，说是证书出问题了，服务器不信任我们自己创建的证书，所以在代码中必须要忽略证书信任问题。只要在创建connection之前调用两个方法：

Java代码

trustAllHttpsCertificates();   HttpsURLConnection.setDefaultHostnameVerifier(hv);

具体的实现是：

Java代码

HostnameVerifier hv = new HostnameVerifier() {           public boolean verify(String urlHostName, SSLSession session) {               System.out.println("Warning: URL Host: " + urlHostName + " vs. "                                  + session.getPeerHost());               return true;           }       };              private static void trustAllHttpsCertificates() throws Exception {           javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];           javax.net.ssl.TrustManager tm = new miTM();           trustAllCerts[0] = tm;           javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext                   .getInstance("SSL");           sc.init(null, trustAllCerts, null);           javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc                   .getSocketFactory());       }          static class miTM implements javax.net.ssl.TrustManager,               javax.net.ssl.X509TrustManager {           public java.security.cert.X509Certificate[] getAcceptedIssuers() {               return null;           }              public boolean isServerTrusted(                   java.security.cert.X509Certificate[] certs) {               return true;           }              public boolean isClientTrusted(                   java.security.cert.X509Certificate[] certs) {               return true;           }              public void checkServerTrusted(                   java.security.cert.X509Certificate[] certs, String authType)                   throws java.security.cert.CertificateException {               return;           }              public void checkClientTrusted(                   java.security.cert.X509Certificate[] certs, String authType)                   throws java.security.cert.CertificateException {               return;           }       }