Re: Client authentication and customized error pages

2004-05-17 Thread Gustavo Rodríguez
   I'm sorry to insist... does anyone at Jakarta know about this problem?
Gustavo Rodríguez wrote:
   Hi everyone! We were working on this issue some time ago, and 
reported that when using the clientAuth=want parameter, we got the 
following exception:

java.net.SocketException: Socket Closed
   at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)

   We left it for some time, as Mr. Bill Barker had developed a 
patch that, according to the changelog, was finally included in Tomcat 
5.0.20. So, now we just downloaded Tomcat 5.0.24 and tried this 
authentication mechanism again. This time we get a similar error, 
although at a different place:

2004-05-11 12:45:16 RequestDumperValve[localhost]: ---
2004-05-11 12:45:18 [EMAIL PROTECTED]: Exception Processing ErrorPage[errorCode=400, location=/Error.do]
ClientAbortException:  javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
   at org.apache.coyote.tomcat5.OutputBuffer.doFlush(OutputBuffer.java:331)
   at org.apache.coyote.tomcat5.OutputBuffer.flush(OutputBuffer.java:297)
   at org.apache.coyote.tomcat5.CoyoteResponse.flushBuffer(CoyoteResponse.java:537)
   at org.apache.coyote.tomcat5.CoyoteResponseFacade.flushBuffer(CoyoteResponseFacade.java:238)
   at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:303)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:147)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
   at org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:169)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
   at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:793)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:702)
   at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:571)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:644)
   at java.lang.Thread.run(Thread.java:534)

   Is the socket still being closed by tomcat somewhere? May there be 
anything we should change in our configuration?

   Thanks very much in advance.
   Regards,
 Gustavo


--
--
Gustavo Rodríguez Castillo
Development Area
[EMAIL PROTECTED]
SATEC - Madrid
Av. Europa 34 A
28023 - Aravaca (Madrid)
Tlf.: (+34) 91 708 90 00 / (+34) 91 211 03 00
Fax: (+34) 91 708 90 90 / (+34) 91 211 03 90
--


RE: Client authentication and customized error pages

2004-03-18 Thread Carlos Guardiola
(Hi everyone! Here I am again, asking for some help about https
authentication and custom error pages.)

Dear Mr. Bill Barker,

We've used clientAuth=want as you suggested; and now we've managed to
know that a client tried to access the application without a valid
certificate. That's OK, and we thank you very much.

But when we try to launch a customized error page, a new error happens. It
seems that the connection with the remote browser is broken. Who closed it?
When? How? The point is that we can't return our error page...

I've seen that Mr. Alain Baucant has been working with the same problem.
Maybe he could help us.

Thanks in advance,

Carlos Guardiola


PS-

We've got the stacktrace in our catalina.out; it's quite large, I think I'm
gonna send you a shorter one ;-)

ADVERTENCIA: Exception getting SSL Cert
java.net.SocketException: Socket Closed
    at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
    at java.net.Socket.setSoTimeout(Socket.java:924)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:137)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1082)
()
(Sysdate) org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at java.io.InputStream.read(InputStream.java:89)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
()
(Sysdate) org.apache.coyote.http11.Http11Processor action
ADVERTENCIA: Exception getting SSL Cert
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at java.io.InputStream.read(InputStream.java:89)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
()

Here is the access log; it seems that it's trying to get the Error 400
page...

(client IP) - - [(Sysdate)] GET /(app. directory)/ HTTP/1.1 400 45

 

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On behalf of Bill Barker
Sent: Friday, March 5, 2004 3:20
To: [EMAIL PROTECTED]
Subject: Re: Client authentication and customized error pages

Using clientAuth=true, the error happens too early to be able to invoke an
error-page.  You might try using clientAuth=want instead.  In this case,
the user still gets prompted for a cert, but the request continues if she
hits cancel.  It is then the responsibility of your webapp to handle the
case where there is no cert sent.

Carlos Guardiola [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 Hi everyone!
 I'm using SSL client authentication in a tomcat 5.0.19. Everything goes
 fine, but I need some help customizing error pages.

 When a client wants to use my application, the browser asks him to choose
 a valid certificate, but perhaps he hasn't a valid one. If he doesn't
 have a certificate, the client authentication can't be done, so my
 application is never invoked. O.K.

 So, the browser shows a page not found error, which isn't one of my
 application's customized error pages (as my application has never been
 invoked). How can I customize that error page, in order to show
 something like you need a valid certificate?

 I've created my own ErrorReportValve, used in the
 errorReportValveClass directive of the Host in my tomcat's server.xml.
 But it also seems not to be invoked...

 Any help will be useful, thanks in advance,

 Carlos







Re: Client authentication and customized error pages

2004-03-18 Thread Bill Barker

Carlos Guardiola [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 (Hi everyone! Here I am again, asking for some help about https
 authentication and custom error pages.)

 Dear Mr. Bill Barker,

 We've used clientAuth=want as you suggested; and now we've managed to
 know that a client tried to access the application without a valid
 certificate. That's OK, and we thank you very much.

 But when we try to launch a customized error page, a new error happens. It
 seems that the connection with the remote browser is broken. Who closed it?
 When? How? The point is that we can't return our error page...

When checking for CLIENT-CERT authentication, Tomcat converts the
clientAuth=want to clientAuth=true.  The result is that JSSE drops the
connection when no cert is sent.

I've just committed a patch to leave the clientAuth alone when want is
specified.  The result is that the socket will remain open even if the
client refuses to send a cert, and so an error page can be sent back.


 I've seen that Mr. Alain Baucant has been working with the same problem.
 Maybe he could help us.

 Thanks in advance,

 Carlos Guardiola



Re: Client authentication and customized error pages

2004-03-04 Thread Bill Barker
Using clientAuth=true, the error happens too early to be able to invoke an
error-page.  You might try using clientAuth=want instead.  In this case,
the user still gets prompted for a cert, but the request continues if she
hits cancel.  It is then the responsibility of your webapp to handle the
case where there is no cert sent.

Carlos Guardiola [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 Hi everyone!
 I'm using SSL client authentication in a tomcat 5.0.19. Everything goes
 fine, but I need some help customizing error pages.

 When a client wants to use my application, the browser asks him to choose
 a valid certificate, but perhaps he hasn't a valid one. If he doesn't
 have a certificate, the client authentication can't be done, so my
 application is never invoked. O.K.

 So, the browser shows a page not found error, which isn't one of my
 application's customized error pages (as my application has never been
 invoked). How can I customize that error page, in order to show
 something like you need a valid certificate?

 I've created my own ErrorReportValve, used in the
 errorReportValveClass directive of the Host in my tomcat's server.xml.
 But it also seems not to be invoked...

 Any help will be useful, thanks in advance,

 Carlos
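
One way a webapp can take on the responsibility described in the reply above (handling the case where no cert is sent under clientAuth=want), as an added example that is not from the thread or from Tomcat's own code. The class name is hypothetical, and the example assumes web.xml maps error code 403 to the application's custom error page.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name). Assumes the HTTPS connector uses
// clientAuth="want" and web.xml maps <error-code>403</error-code> to the
// application's own error page.
public class RequireClientCertFilter implements Filter {

    // Request attribute defined by the Servlet specification for the
    // certificate chain the client presented during the TLS handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // With "want" the connector no longer rejects certificate-less clients,
        // so the application must fail closed here.
        if (!req.isSecure() || certs == null || certs.length == 0
                || !inValidityPeriod(certs[0])) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A valid client certificate is required");
            return; // never reach the protected resource
        }
        next.doFilter(req, res);
    }

    // The connector's trust store already verified the chain during the
    // handshake; this re-checks only the leaf certificate's dates.
    private static boolean inValidityPeriod(X509Certificate cert) {
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }
}
```

Map the filter to every protected URL pattern in web.xml; error dispatches do not pass through request filters by default, so the 403 page itself is still rendered for clients without a certificate.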



