Greetings, 

 

We've encountered an issue while trying to deploy the Javacosign v3 filter 
along with the demo application supplied. Application name (both in the config 
files and CN on the cert) is demoapp, its deployment path on the server is 
/test2/

 

Both the initial redirect to the central login server, as well as the round of 
redirects back to Tomcat and to the resource originally requested seem to work 
fine. After that, however, instead of displaying the resource, we get an "HTTP 
Status 503 - Security Exception" with no more helpful information. The logs 
don't have anything more detailed, either. When tracing the issue via a 
debugging mode, the problem appears to originate with the call 
"loginContext.login();" - because that's a JAAS method, we're unable to trace 
the execution any further. 

 

Since the authentication process (and the filter itself) seems to be working, 
currently we suspect that a mis-configuration of JAAS is at fault. Would it be 
possible to get an example jaas.conf from a working instance of javacosign v3? 
Also, has anyone encountered this issue before? Any thoughts on that subject? 
We've been stumped by the issue for a couple of days now; any assistance would be 
greatly appreciated! 

 

Here's the exception encountered:

 

ERROR edu.umich.auth.cosign.CosignAuthenticationFilterIII - Security Exception
javax.servlet.ServletException: Security Exception
        at edu.umich.auth.cosign.CosignServletCallbackHandler.handleFailedLogin(CosignServletCallbackHandler.java:162)
        at edu.umich.auth.cosign.CosignAuthenticationFilterIII.doFilter(CosignAuthenticationFilterIII.java:393)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:218)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:192)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:171)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:619)

 

Our cosignConfig.xml looks like this:

 

<?xml version="1.0" encoding="UTF-8"?>
<CosignConfig>
  <KeyStorePath>/var/lib/tomcat5.5/webapps/test2/keystore.jks</KeyStorePath>
  <KeyStorePassword>*****</KeyStorePassword>
  <CosignServerHost>cosign.uniba.sk</CosignServerHost>
  <CosignServerPort>6663</CosignServerPort>
  <ConnectionPoolSize>30</ConnectionPoolSize>
  <CookieExpireSecs>120</CookieExpireSecs>
  <CookieCacheExpireSecs>30</CookieCacheExpireSecs>
  <LoginRedirectUrl>https://cosign.uniba.sk/</LoginRedirectUrl>
  <LoginPostErrorUrl> https://cosign.uniba.sk/</LoginPostErrorUrl>
  <LoginSiteEntryUrl>  </LoginSiteEntryUrl>
  <CheckClientIP>false</CheckClientIP>
  <HttpsOnly>false</HttpsOnly>
  <HttpsPort>8443</HttpsPort>
  <ClearSessionOnLogin>true</ClearSessionOnLogin>
  <ConfigFileMonitoringIntervalSecs>60</ConfigFileMonitoringIntervalSecs>
  <CosignGetProxies>false</CosignGetProxies>
  <LocationHandlerRef>/test2/cosign/valid/</LocationHandlerRef>
  <ValidationErrorRedirect></ValidationErrorRedirect>
  <!--<RedirectRegex>http://patkm-xp</RedirectRegex> -->
  <RedirectRegex>http://.*/.*</RedirectRegex>
  <!-- how long - in minutes - before a cosign host DNS ip refresh is to occur -->
  <CosignServerHostIpCheck>2</CosignServerHostIpCheck>
  <services>
    <service name="cosign-demoapp" getproxies="false">
      <protected>/</protected>
    </service>
  </services>
</CosignConfig>

 

And our web.xml is:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>Welcome to Tomcat</display-name>
  <description>Welcome to Tomcat</description>
  <filter>
    <filter-name>Cosign Authentication Filter</filter-name>
    <filter-class>edu.umich.auth.cosign.CosignAuthenticationFilterIII</filter-class>
    <init-param>
      <param-name>Cosign.ConfigurationFile</param-name>
      <param-value>/var/lib/tomcat5.5/webapps/test2/cosignConfig.xml</param-value>
    </init-param>
    <init-param>
      <param-name>Auth.JAASConfigurationFile</param-name>
      <param-value>/etc/tomcat5.5/jaas.conf</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>Cosign Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

 

 

Thanks in advance!

 

Peter Kopáč

Comenius University, Bratislava
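
A way to check the suspected JAAS misconfiguration outside the container, as an added example that is not part of the original post or of javacosign: it loads the file named in Auth.JAASConfigurationFile through the standard javax.security.auth.login API, looks up one entry, and tests whether each configured login module class can be loaded. The class name JaasConfigCheck and the entry name ENTRY_NAME_PLACEHOLDER are assumptions; pass the entry name the filter actually requests as the second argument and run it with the javacosign jar on the classpath.

```java
import java.io.File;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Added diagnostic (not javacosign code): inspects a JAAS login configuration file. */
public class JaasConfigCheck {
    public static void main(String[] args) {
        // Default path is the Auth.JAASConfigurationFile value from the posted web.xml.
        String path = args.length > 0 ? args[0] : "/etc/tomcat5.5/jaas.conf";
        // Hypothetical placeholder: the real entry name is whatever the filter asks for.
        String entryName = args.length > 1 ? args[1] : "ENTRY_NAME_PLACEHOLDER";

        File file = new File(path);
        if (!file.canRead()) {
            System.out.println("Cannot read " + path + " as the current user");
            return;
        }
        // Must be set before the first Configuration.getConfiguration() call.
        System.setProperty("java.security.auth.login.config", file.getAbsolutePath());

        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        } catch (SecurityException e) {
            // Raised for a syntax error in the file or for a denied permission.
            System.out.println("Configuration could not be loaded: " + e);
            return;
        }
        if (entries == null) {
            // LoginContext would next try an entry named "other", then fail.
            System.out.println("No entry named '" + entryName + "' in " + path);
            return;
        }
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        for (int i = 0; i < entries.length; i++) {
            String moduleClass = entries[i].getLoginModuleName();
            System.out.println(moduleClass + " / " + entries[i].getControlFlag()
                    + " / options " + entries[i].getOptions());
            try {
                // Load without initializing: only checks that the class is reachable.
                Class.forName(moduleClass, false, loader);
                System.out.println("  login module class found on classpath");
            } catch (ClassNotFoundException e) {
                System.out.println("  login module class NOT found on classpath");
            }
        }
    }
}
```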

_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
