Sarah,

Is it a commercially signed certificate?  If not, make sure it's in the JVM's
cacerts file so that it can trust it.  Also, make sure your LDAP server is
accepting SSL connections.

-Scott

On Jan 14, 2008 6:41 AM, Sara_Abasi <[EMAIL PROTECTED]> wrote:

>
> Hi,
> I'm a newbie in LDAP with SSL.
> My problem is, I connect to the LDAP server from my web application and do the
> authentication by LDAP with SSL.
> When I enter the user name and password it throws this exception:
>
> 2008-01-14 15:04:52,074 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas].[cas]] - <Servlet.service() for servlet cas threw exception>
> java.io.EOFException: SSL peer shut down incorrectly
>        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:723)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
>        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
>        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
>        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
>        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
>        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
>        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
>        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
>        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
>        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
>        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
>        at javax.naming.InitialContext.init(InitialContext.java:223)
>        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
>        at org.springframework.ldap.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:59)
>        at org.springframework.ldap.support.AbstractContextSource.createContext(AbstractContextSource.java:193)
>        at org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:104)
>        at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:263)
>        at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:314)
>        at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:70)
>        at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate(AbstractUsernamePasswordAuthenticationHandler.java:58)
>        at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
>        at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:282)
>        at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:116)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:585)
>        at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:103)
>        at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:136)
>        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:203)
>        at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:142)
>        at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:61)
>        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
>        at org.springframework.webflow.engine.State.enter(State.java:200)
>        at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>        at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
>        at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
>        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
>        at org.springframework.webflow.engine.State.enter(State.java:200)
>        at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>        at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
>        at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
>        at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:207)
>        at org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:214)
>        at org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:238)
>        at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:115)
>        at org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:170)
>        at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>        at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:364)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>        at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
>        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
>        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
>        at java.lang.Thread.run(Thread.java:595)
>
> This is my deployConfigContext.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC  "-//SPRING//DTD BEAN//EN"
> "http://www.springframework.org/dtd/spring-beans.dtd">
> <!--
>        | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
>        | all CAS deployers will need to modify.
>        |
>        | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
>        | The beans declared in this file are instantiated at context initialization time by the Spring
>        | ContextLoaderListener declared in web.xml.  It finds this file because this
>        | file is among those declared in the context parameter "contextConfigLocation".
>        |
>        | By far the most common change you will need to make in this file is to change the last bean
>        | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
>        | one implementing your approach for authenticating usernames and passwords.
>        +-->
> <beans>
>
>        <!--
>                | This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
>                | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
>                | "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
>                | implementation and so do not need to change the class of this bean.  We include the whole
>                | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
>                | need to change in context.
>                +-->
>        <bean id="authenticationManager"
>                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>                <!--
>                        | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
>                        | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
>                        | supports the presented credentials.
>                        |
>                        | AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to identify the Principal
>                        | attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
>                        | that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
>                        | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
>                        | using.
>                        |
>                        | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
>                        | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
>                        | You will need to change this list if you are identifying services by something more or other than their callback URL.
>                        +-->
>                <property name="credentialsToPrincipalResolvers">
>                        <list>
>                                <!--
>                                        | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
>                                        | by default and produces SimplePrincipal instances conveying the username from the credentials.
>                                        |
>                                        | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
>                                        | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
>                                        | Credentials you are using.
>                                        +-->
>                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                                <!--
>                                        | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
>                                        | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
>                                        | SimpleService identified by that callback URL.
>                                        |
>                                        | If you are representing services by something more or other than an HTTPS URL whereat they are able to
>                                        | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
>                                        +-->
>                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>                        </list>
>                </property>
>
>                <!--
>                        | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
>                        | AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers that
>                        | authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
>                        | until it finds one that both supports the Credentials presented and succeeds in authenticating.
>                        +-->
>                <property name="authenticationHandlers">
>                        <list>
>                                <!--
>                                        | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
>                                        | a server side SSL certificate.
>                                        +-->
>                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>                                        <property name="httpClient" ref="httpClient" />
>                                </bean>
>
>                                <!--
>                                        | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
>                                        | into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
>                                        | where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
>                                        | local authentication strategy.  You might accomplish this by coding a new such handler and declaring
>                                        | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
>                                        +-->
>                                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                                        <property name="filter" value="uid=%u" />
>                                        <property name="searchBase" value="cn=Users,dc=z,dc=z" />
>                                        <property name="contextSource" ref="contextSource" />
>                                        <property name="ignorePartialResultException" value="yes" />
>                                </bean>
>                        </list>
>                </property>
>        </bean>
>        <bean id="contextSource"
>                class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
>                <property name="password" value="{11111}"/>
>                <property name="pooled" value="true" />
>                <property name="urls">
>                        <list>
>                                <value>ldaps://irisad.net/</value>
>                        </list>
>                </property>
>                <property name="userName" value="{cn=aa,cn=Users,dc=z,dc=z}"/>
>                <property name="baseEnvironmentProperties">
>                        <map>
>                                <entry>
>                                        <key>
>                                                <value>java.naming.security.protocol</value>
>                                        </key>
>                                        <value>ssl</value>
>                                </entry>
>                                <entry>
>                                        <key>
>                                                <value>java.naming.security.authentication</value>
>                                        </key>
>                                        <value>simple</value>
>                                </entry>
>                                <entry>
>                                        <key>
>                                                <value>java.naming.referral</value>
>                                        </key>
>                                        <value>follow</value>
>                                </entry>
>                        </map>
>                </property>
>        </bean>
> </beans>
>
> thanks.
> --
> View this message in context:
> http://www.nabble.com/SSLHandshakeException-when-try-connect-LDAP-tp14799522p14799522.html
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
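Scott's two checks (is the server's certificate trusted by the JVM's cacerts, and is the server actually speaking SSL on that port) can be separated before touching the CAS configuration. The following diagnostic is an added example written for this thread; it is not code from CAS, Spring LDAP or the original posters. It opens a TLS connection with the JVM's default trust settings, which are the same settings the JNDI LDAP provider uses when CAS binds, and reports which of the two failure modes it hits. The host name is a placeholder to be replaced with your own LDAP server; the class name `LdapsTrustCheck` is invented here.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.EOFException;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/**
 * Added diagnostic (not part of CAS): connect to an LDAPS port using the JVM's
 * default truststore and force the TLS handshake, so the handshake error shows
 * up here instead of deep inside LdapClient.ldapBind().
 *
 * Usage: java LdapsTrustCheck <ldap-host> [port]   (port defaults to 636)
 * Run it with the same JVM that runs Tomcat, because that JVM's cacerts
 * (or its -Djavax.net.ssl.trustStore setting) is what gets consulted.
 */
public class LdapsTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java LdapsTrustCheck <ldap-host> [port]");
            System.exit(2);
        }
        String host = args[0];                                   // placeholder: your LDAP server
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);
            // JSSE normally handshakes lazily on the first read/write; doing it
            // explicitly makes the failure attributable to TLS alone.
            socket.startHandshake();

            System.out.println("Handshake OK: " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite());
            // Print the chain the server presented; the last issuer printed is
            // the CA that must be present in cacerts for the bind to succeed.
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject: " + x.getSubjectX500Principal());
                    System.out.println("  issuer:  " + x.getIssuerX500Principal());
                    System.out.println("  expires: " + x.getNotAfter());
                }
            }
        } catch (SSLHandshakeException e) {
            // The server spoke TLS but the JVM rejected its chain (typically
            // "PKIX path building failed"). Fix: import the issuing CA's
            // certificate into cacerts, then rerun this check.
            // Note: newer JDKs also report an early peer close through this
            // exception ("Remote host terminated the handshake").
            System.err.println("JVM rejected the TLS handshake: " + e.getMessage());
            System.exit(1);
        } catch (EOFException e) {
            // "SSL peer shut down incorrectly": the peer closed the TCP
            // connection mid-handshake. That is what a port that is not
            // accepting SSL at all looks like from the client side.
            System.err.println("Peer closed the connection during the handshake: " + e.getMessage());
            System.exit(1);
        } catch (IOException e) {
            System.err.println("Connection failed: " + e);
            System.exit(1);
        }
    }
}
```

Compile and run it with the Tomcat JVM, e.g. `java LdapsTrustCheck ldap.example.org` (host is a placeholder). If it ends in the `SSLHandshakeException` branch, add the issuing CA to the truststore with the standard keytool command, `keytool -importcert -alias my-ldap-ca -file ca.cer -keystore $JAVA_HOME/lib/security/cacerts` (alias and file name are placeholders), and restart Tomcat so the new truststore is read. If it ends in the `EOFException` branch, the certificate is not the problem yet: the server is not completing an SSL handshake on that port, which is Scott's second check. A successful run prints the chain, and the issuer shown for the last certificate is the one that must be trusted. One caveat on the posted configuration: with an `ldaps://` URL the JNDI provider already uses SSL, so the `java.naming.security.protocol=ssl` entry is redundant rather than wrong.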
