Hello, thanks for you feedback.
Regarding your argument, if I'm not mistaken, there is no distintion bewteen
user and client in the servlet spec, so the fact that one web app requiring
client certificates forces other clients from other web apps running in
completely diferent security domains to also present certificates seems to be
non-compliant with the spec.
A litle more pragramtically, despite the validity of the theoretic argument, I
would like to know if it is so by design in JBoss or due to some
misconfiguration on my part.
My original problem happened with webservices, but I setup a small servlet app
to ilustrate it. Here is what it looks like:
the servlet
------------------------------------------------
package sslservlet;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class MyServlet extends HttpServlet
{
public void doPost(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
{
this.doGet(request, response);
}
public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
{
PrintWriter out = response.getWriter();
try{
out.println("ola");
}catch(Throwable e)
{
e.printStackTrace();
}
}
}
web.xml
------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
version="2.4">
<servlet-name>MyServlet</servlet-name>
<servlet-class>sslservlet.MyServlet</servlet-class>
<servlet-mapping>
<servlet-name>MyServlet</servlet-name>
<url-pattern>/myservlet</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>MyServlet</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</web-app>
the excerpt of the server.xml file
------------------------------------------------
the keystore (localhost.ks)
------------------------------------------------
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: trut
Creation date: 6/Jun/2006
Entry type: trustedCertEntry
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 4485527a
Valid from: Tue Jun 06 11:01:30 BST 2006 until: Mon Sep 04 11:01:30 BST 2006
Certificate fingerprints:
MD5: 99:B2:EF:4D:F0:1C:5F:22:4B:0B:2B:82:33:6A:AF:BA
SHA1: 7B:24:F3:83:4F:08:0A:1B:FC:97:1E:8B:F9:8D:D1:82:00:CF:D7:B6
*******************************************
*******************************************
Alias name: mykey
Creation date: 6/Jun/2006
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 4485527a
Valid from: Tue Jun 06 11:01:30 BST 2006 until: Mon Sep 04 11:01:30 BST 2006
Certificate fingerprints:
MD5: 99:B2:EF:4D:F0:1C:5F:22:4B:0B:2B:82:33:6A:AF:BA
SHA1: 7B:24:F3:83:4F:08:0A:1B:FC:97:1E:8B:F9:8D:D1:82:00:CF:D7:B6
*******************************************
*******************************************
the client
------------------------------------------------
package sslservlet;
import java.io.InputStream;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
public class Client {
private static class _HostNameVerifier implements HostnameVerifier
{
public boolean verify(String arg0, SSLSession arg1){
return true;
}
}
public static void main(String[] args)
{
try{
URL url = new
URL("https://localhost:8443/sslservlet/myservlet";);
HttpsURLConnection conn = (HttpsURLConnection)
url.openConnection();
conn.setHostnameVerifier(new _HostNameVerifier());
String msg = "";
InputStream istream = conn.getInputStream();
int i = 0;
while((i = istream.read()) != -1)
msg+=(char)i;
System.out.print(msg);
}
catch(Throwable e){
e.printStackTrace();
}
}
}
the client is called with the following property set
-Djavax.net.ssl.trustStore=conf/localhost.ks
the response:
-----------------------------------------------------------
java.io.IOException: Server returned HTTP response code: 401 for URL:
https://localhost:8443/sslservlet/myservlet
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1149)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at sslservlet.Client.main(Client.java:29)
This is expected since I'm not providing any username + password. This is not a
problem since the reality I'm trying to replicate happens before this step.
So now, after changing the clientAuth to "true" the answer becomes
--------------------------------------------------------------------------------
java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at
com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:284)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:319)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:720)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1345)
at
com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
at
com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:590)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:697)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:623)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at sslservlet.Client.main(Client.java:29)
If I setup the client side keystore definition properties, the problem
disapears. That is, adding to the jvm startup
-Djavax.net.ssl.keyStore=conf/localhost.ks
-Djavax.net.ssl.keyStorePassword=123456
the response is again
java.io.IOException: Server returned HTTP response code: 401 for URL:
https://localhost:8443/sslservlet/myservlet
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1149)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at sslservlet.Client.main(Client.java:29)
Again, thanks for your valid argumentation and general help.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3949331#3949331
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3949331
_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user
