Scott,
To correct this we have made a modification in the CAS server to define a new bean, which is the SSLProtocolSocketFactory, and we inject it in HttpClient3FactoryBean and HttpBasedServiceCredentialsAuthenticationHandler.

The following files are modified:
     - applicationContext.xml
     - deployerConfigContext.xml
     - HttpBasedServiceCredentialsAuthenticationHandler.java
     - HttpClient3FactoryBean.java

This modification permits correcting the bug, and if we want we can write our own SSLProtocolSocketFactory (to really validate generic certificates).
I have attached the diff file.
Do you think it's a good solution to correct this?

Thanks

Scott Battaglia wrote:
Vincent,

That's actually a bug that the handler can execute that code (note it can only execute the code if you don't provide an HttpClient instance). I've logged a bug report and it will be fixed for 3.0.7 and 3.1 M2.

Thanks
-Scott

On 1/29/07, Vincent MATHIEU <[EMAIL PROTECTED]> wrote:
Thanks Scott,

but this modification is not sufficient.
The HttpBasedServiceCredentialsAuthenticationHandler class is loaded after the HttpClient3FactoryBean class.

HttpBasedServiceCredentialsAuthenticationHandler also makes a call to the StrictSSLProtocolSocketFactory class, and overwrites the initialization of the property useStrictHostNameChecking.

And it is dangerous to completely deactivate the certificate hostname check.

I will probably patch the StrictSSLProtocolSocketFactory class to allow generic certificates to work.

With the CAS V2 server, I checked certificates with a keystore at Tomcat startup:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/cert/portail.keystore"; that doesn't work now.

Vincent

Scott Battaglia wrote:
CAS 3 checks the host name very strictly (i.e. * doesn't work).  You can disable this check by setting the property useStrictHostNameChecking to false on the HttpClient3FactoryBean.  However, that means while it will check that the certificate is valid, it will not match the host name to the host name on the certificate.

-Scott

On 1/8/07, Vincent MATHIEU <[EMAIL PROTECTED]> wrote:
Hello,


We used cas-server V2 for several years, and we would like to migrate
towards cas-server V3.

cas-server V3 works correctly for authenticating (via LDAP), but
doesn't work in CAS proxy mode.

Here is a log (catalina.out) from the cas V3 server:

2007-01-08 21:25:22,248 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler
successfully authenticated the user which provided the following
credentials: vmathieu>

2007-01-08 21:25:22,279 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-2-bjB6dheW1LDH0Fl2fXvYjTqYDlEbD50L1mk-20] for service
[http://esupdev1.univ-nancy2.fr/package/Login] for user [vmathieu]>

2007-01-08 21:25:26,974 ERROR
[org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
- <javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'>
javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr' at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname
(StrictSSLProtocolSocketFactory.java:303)

We use a 'generic' SSL certificate for our https server:
CN=*.univ-nancy2.fr (and not CN=auth.univ-nancy2.fr).

The problem seems to come from.
CAS server V2 works correctly with the same certificates.
Is there a simple solution to treat the problem, or do I have to patch
the code?


Thanks


Vincent

--
Vincent MATHIEU
Université Nancy 2 - CRI
Systems and networks team
tel: 03 54 50 36 56
contact details: http://www.univ-nancy2.fr/ANNUAIRE/PERS/detail_pres.php?uid=vmathieu



_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas






--

Pôle Lorrain de Gestion
13 rue du Maréchal Ney
CO 30075
54036 NANCY Cedex
Telephone 03.54.50.36.54
Fax 03.54.50.36.51
Julien Marchal
Network team - CRI
diff -urb 
cas-server-3.0.6.org/core/src/main/java/org/jasig/cas/authentication/handler/support/HttpBasedServiceCredentialsAuthenticationHandler.java
 
cas-server-3.0.6/core/src/main/java/org/jasig/cas/authentication/handler/support/HttpBasedServiceCredentialsAuthenticationHandler.java
--- 
cas-server-3.0.6.org/core/src/main/java/org/jasig/cas/authentication/handler/support/HttpBasedServiceCredentialsAuthenticationHandler.java
  2006-04-26 00:24:54.000000000 +0200
+++ 
cas-server-3.0.6/core/src/main/java/org/jasig/cas/authentication/handler/support/HttpBasedServiceCredentialsAuthenticationHandler.java
      2007-02-01 12:02:27.000000000 +0100
@@ -8,10 +8,10 @@
 import java.net.HttpURLConnection;
 
 import org.apache.commons.httpclient.HttpClient;
-import 
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory;
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.httpclient.protocol.Protocol;
 import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
+import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.jasig.cas.authentication.handler.AuthenticationHandler;
@@ -35,6 +35,8 @@
 public final class HttpBasedServiceCredentialsAuthenticationHandler implements
     AuthenticationHandler, InitializingBean {
 
+       private SecureProtocolSocketFactory sslFactory;
+    
     /** The string representing the HTTPS protocol. */
     private static final String PROTOCOL_HTTPS = "https";
 
@@ -140,9 +142,13 @@
             this.httpClient = new HttpClient();
             Protocol myhttps = new Protocol(
                     "https",
-                    (ProtocolSocketFactory) new 
StrictSSLProtocolSocketFactory(),
+                    (ProtocolSocketFactory) sslFactory,
                     443);
             Protocol.registerProtocol("https", myhttps);
         }
     }
+
+       public void setSslFactory(SecureProtocolSocketFactory sslFactory) {
+               this.sslFactory = sslFactory;
+       }
 }
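Review bot: `(ProtocolSocketFactory) sslFactory` is registered with no null check, and the cast is redundant because SecureProtocolSocketFactory already extends ProtocolSocketFactory. The removed code constructed a StrictSSLProtocolSocketFactory whose hostname verification is on by default; after this change the behaviour of this fallback path is whatever bean the deployer wires in, so a Spring `Assert.notNull(this.sslFactory, "sslFactory is required when no httpClient is set")` before building the Protocol would at least fail fast. Scott's reply earlier in the thread says this fallback path is itself the bug to be fixed in 3.0.7, so injecting the shared HttpClient would remove the need for the new field altogether. The setter should also take a `final` parameter and carry Javadoc, matching the rest of the class.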
diff -urb 
cas-server-3.0.6.org/core/src/main/java/org/jasig/cas/util/HttpClient3FactoryBean.java
 
cas-server-3.0.6/core/src/main/java/org/jasig/cas/util/HttpClient3FactoryBean.java
--- 
cas-server-3.0.6.org/core/src/main/java/org/jasig/cas/util/HttpClient3FactoryBean.java
      2006-07-21 01:30:44.000000000 +0200
+++ 
cas-server-3.0.6/core/src/main/java/org/jasig/cas/util/HttpClient3FactoryBean.java
  2007-02-01 12:02:38.000000000 +0100
@@ -8,11 +8,11 @@
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.HttpVersion;
 import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
-import 
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory;
 import org.apache.commons.httpclient.params.HttpClientParams;
 import org.apache.commons.httpclient.params.HttpConnectionManagerParams;
 import org.apache.commons.httpclient.protocol.Protocol;
 import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
+import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.DisposableBean;
@@ -46,6 +46,8 @@
     /** Boolean to determine whether to use strict host name checking or not. 
Enabled by default. */
     private boolean useStrictHostNameChecking = true;
 
+    private SecureProtocolSocketFactory sslFactory;
+    
     /**
      * Instance of HttpConnectionManagerParams to populate the
      * HttpConnectionManager.
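Review bot: the new `sslFactory` field sits next to the documented `useStrictHostNameChecking` but has no Javadoc; document that it replaces the locally constructed StrictSSLProtocolSocketFactory and that it is required, since the bean now cannot register an https Protocol without it.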
@@ -62,10 +64,8 @@
             log.warn("Strict host name checking disabled.  DO NOT DO THIS IN 
PRODUCTION.");
         }
 
-        final StrictSSLProtocolSocketFactory factory = new 
StrictSSLProtocolSocketFactory();
-        factory.setHostnameVerification(this.useStrictHostNameChecking);
         Protocol myhttps = new Protocol("https",
-            (ProtocolSocketFactory) factory, 443);
+                (ProtocolSocketFactory) sslFactory, 443);
         Protocol.registerProtocol("https", myhttps);
     }
 
@@ -148,4 +148,8 @@
     public void setUseStrictHostNameChecking(final boolean 
useStrictHostNameChecking) {
         this.useStrictHostNameChecking = useStrictHostNameChecking;
     } 
+
+       public void setSslFactory(SecureProtocolSocketFactory sslFactory) {
+               this.sslFactory = sslFactory;
+       } 
 }
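Review bot: `setSslFactory` lacks the Javadoc and `final` parameter that `setUseStrictHostNameChecking` directly above it uses, and its tab indentation and trailing whitespace differ from the file. Given the previous hunk, `setUseStrictHostNameChecking` is now a no-op; mark it deprecated with an explanation, or remove it, so that existing deployer configurations do not silently keep a setting that no longer does anything.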
diff -urb cas-server-3.0.6.org/webapp/WEB-INF/applicationContext.xml 
cas-server-3.0.6/webapp/WEB-INF/applicationContext.xml
--- cas-server-3.0.6.org/webapp/WEB-INF/applicationContext.xml  2006-07-27 
23:56:16.000000000 +0200
+++ cas-server-3.0.6/webapp/WEB-INF/applicationContext.xml      2007-02-01 
12:03:46.000000000 +0100
@@ -20,6 +20,14 @@
        </bean>
        
        <bean
+               id="sslBean"
+               
class="org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory">
+               <property
+                       name="hostnameVerification"
+                       value="false" />
+       </bean>
+       
+       <bean
                id="httpClient"
                class="org.jasig.cas.util.HttpClient3FactoryBean">
                <property
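Review bot: `hostnameVerification` is set to `false` on `sslBean`, and this bean is now the single factory shared by HttpClient3FactoryBean (and, per the deployerConfigContext change, by the proxy-callback handler), so this configuration turns hostname verification off for every HTTPS call CAS makes instead of accepting the wildcard certificate. That is the "dangerous" outcome Vincent described earlier in the thread: the chain is still validated against the trust store, but any certificate that store trusts, issued for any host name, will pass the check. The bean wiring is the right shape; the value should stay `true` and the class should be a factory whose hostname check understands `*.univ-nancy2.fr`, which is what the thread set out to achieve. Declaring the factory class on its own line inside the `<bean` element would also keep the diff readable.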
@@ -37,6 +45,8 @@
                <property
                        name="maxTotalConnections"
                        value="50" />
+               <property
+                       name="sslFactory" ref="sslBean"/>
        </bean>
        
        
diff -urb cas-server-3.0.6.org/webapp/WEB-INF/deployerConfigContext.xml 
cas-server-3.0.6/webapp/WEB-INF/deployerConfigContext.xml
--- cas-server-3.0.6.org/webapp/WEB-INF/deployerConfigContext.xml       
2005-05-31 14:10:10.000000000 +0200
+++ cas-server-3.0.6/webapp/WEB-INF/deployerConfigContext.xml   2007-02-01 
12:01:23.000000000 +0100
@@ -77,7 +77,10 @@
                                        | a server side SSL certificate.
                                        +-->
                                <bean
-                                       
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
 />
+                                       
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
 >
+                                               <property
+                                                       name="sslFactory" 
ref="sslBean"/>
+                               </bean>
 
                                <!--
                                        | This is the authentication handler 
declaration that every CAS deployer will need to change before deploying CAS 
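Review bot: the handler bean is given `sslFactory` but not an HttpClient, so it still takes the "no HttpClient provided" path that Scott identified as a bug, constructing its own HttpClient and re-registering the https Protocol on top of the factory bean's registration. Wiring the existing `httpClient` bean into the handler (assuming its setter follows the `this.httpClient` field the earlier hunk assigns, i.e. `<property name="httpClient" ref="httpClient"/>`) would reuse one client and one SSL factory and make the new field unnecessary. `sslBean` is also declared in applicationContext.xml rather than here, so a deployer who edits only deployerConfigContext.xml will not see where the verification policy lives; a comment pointing to it, or moving the bean, would help. The closing `</bean>` is indented differently from the opening `<bean`.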
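What a wildcard-aware hostname check looks like, as an added example that is not CAS or commons-httpclient code: instead of setting hostnameVerification to false, the rule below accepts the CN *.univ-nancy2.fr for esupdev1.univ-nancy2.fr while still rejecting every other host, following RFC 2818 section 3.1 (a wildcard matches exactly one DNS label). It is written in Python to show the rule; the function names and sample values are constructed, and a Java port of hostname_matches is what Vincent's planned patch to verifyHostname would need.

```python
# Added example, not CAS or commons-httpclient code. Shows the matching rule a
# wildcard-aware verifier needs so that '*.univ-nancy2.fr' is accepted for
# 'esupdev1.univ-nancy2.fr' without switching hostname verification off.
# Function names and the sample host names / CNs below are constructed.

def hostname_matches(hostname: str, cn: str) -> bool:
    """Return True if certificate CN 'cn' is valid for 'hostname'."""
    # Normalise like the strict check: case-insensitive, ignore a trailing dot
    # and surrounding whitespace; a host name may never contain '*'.
    host = hostname.strip().rstrip(".").lower()
    pattern = cn.strip().rstrip(".").lower()
    if not host or not pattern or "*" in host:
        return False
    host_labels = host.split(".")
    if any(not label for label in host_labels):   # reject '.example' / 'a..b'
        return False
    if host == pattern:
        return True                               # exact match, as today
    if not pattern.startswith("*."):
        return False                              # wildcard only as the whole leftmost label
    pat_labels = pattern.split(".")
    # Conservative extra rules: no second wildcard, and at least two fixed
    # labels after '*' so that '*.fr' can never match.
    if len(pat_labels) < 3 or "*" in pat_labels[1:]:
        return False
    # '*' stands for exactly one label (RFC 2818): label counts must agree,
    # so '*.univ-nancy2.fr' does not cover 'a.b.univ-nancy2.fr'.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def verify_hostname(hostname: str, cn: str) -> None:
    """Raise on mismatch, mirroring the error text seen in the CAS log."""
    if not hostname_matches(hostname, cn):
        raise ValueError("HTTPS hostname invalid: expected '%s', received '%s'"
                         % (hostname, cn))


if __name__ == "__main__":
    # Constructed checks: the wildcard from the thread, and a few rejections.
    verify_hostname("esupdev1.univ-nancy2.fr", "*.univ-nancy2.fr")
    for host, cn in [("a.b.univ-nancy2.fr", "*.univ-nancy2.fr"),
                     ("univ-nancy2.fr", "*.univ-nancy2.fr"),
                     ("evil.fr", "*.fr")]:
        try:
            verify_hostname(host, cn)
        except ValueError as err:
            print("rejected:", err)
```

Disabling the check, as the attached applicationContext.xml does, accepts any trusted certificate for any host; this rule keeps the check and only adds the one-label wildcard case.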
