Re: client ssl renegotiation after invalidating session

2016-02-01 Thread Gael Abadin
Thank you very much for your reply,

I tried your solution on APR, NIO and BIO connectors but it seems my
problem comes from somewhere else.

From what I could gather, it is a matter of browser SSL credentials store
mechanism, and it doesn't seem to have a solution yet (even the suggested
window.crypto.logout() for Firefox doesn't work for me. Firefox doesn't
seem to implement that function on its latest version):

http://stackoverflow.com/questions/10487205/https-client-certificate-logout-relogin
http://stackoverflow.com/questions/10229027/how-to-trigger-ssl-rehandshake-on-a-web-browser


For the time being I'll just warn the users that they are not being truly
logged out until they close all browser windows.





-- 

Alberto Gael Abadin Martinez
Junior Developer

www.imatia.com

Tel: +34 986 342 774 ext 4531
Email: gael.aba...@imatia.com
Edificio CITEXVI
Fonte das Abelleiras, s/n - Local 27
36310 Vigo (Pontevedra)
España

This message and, where applicable, any file attached to it may contain
confidential information intended for the exclusive use of the addressee.
Its disclosure, copying or

RE: client ssl renegotiation after invalidating session

2016-02-01 Thread George Stanchev
Yeah I forgot to mention that this works for NIO and BIO connectors. Not sure 
about the APR. And been there in regards to the caching in the browser. There 
is nothing I have found either...

George



RE: client ssl renegotiation after invalidating session

2016-01-29 Thread George Stanchev


-Original Message-
From: Gael Abadin [mailto:gael.aba...@imatia.com] 
Sent: Friday, January 29, 2016 10:33 AM
To: Tomcat Users List
Subject: client ssl renegotiation after invalidating session

I want to invalidate the client ssl cert authentication after the user logs out 
of my application.

There is nothing about it in the docs and google just digs out this unanswered 
old thread from this users list in 2007:

https://mail-archives.apache.org/mod_mbox/tomcat-users/200706.mbox/%3c306958.89260...@web36804.mail.mud.yahoo.com%3E

Does anybody know if there is any way to do it?


Depends what your version of Tomcat is. Since we skipped from 5.5 to 7.0 I 
don't know if 6 has this attribute. For 5.5 we used reflection to dig into the 
Request object and dig the SSLSessionManager which was kind of annoying since 
things shifted underground and we had to readjust for different releases of 5.5.



import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;

private static boolean invalidateTomcat7AndAboveSSLSession(HttpServletRequest httpRequest) {
    String serverInfo = FedSrvServlet.getServletContainerServerInfo();

    if (serverInfo == null) {
        log.error("Failed to determine server version");
        return false;
    }

    // indexOf() returns 0 for a match at the very start of the string, so
    // "contains" is indexOf(...) >= 0, not > 0
    boolean compatibleTomcat = serverInfo.indexOf("Tomcat") >= 0
            && (serverInfo.indexOf("7.0") >= 0
                || serverInfo.indexOf("8.0") >= 0
                || serverInfo.indexOf("9.0") >= 0);

    if (!compatibleTomcat) {
        return false;
    }

    // Invalidate the SSL session (org.apache.tomcat.util.net.SSLSessionManager)
    Object mgr = httpRequest.getAttribute("javax.servlet.request.ssl_session_mgr");
    if (mgr == null) {
        log.error("Failed to reset SSL session: "
                + "httpRequest.getAttribute(\"javax.servlet.request.ssl_session_mgr\") "
                + "call failed to return session manager object");
        return false;
    }

    Method invalidateSessionMethod;
    try {
        // getMethod() never returns null; a missing method throws
        // NoSuchMethodException, which lands in the catch below
        invalidateSessionMethod = mgr.getClass().getMethod("invalidateSession");
        invalidateSessionMethod.setAccessible(true);
    } catch (Throwable t) {
        log.error("Failed to reset SSL session: " + t.getMessage(), t);
        // nothing to invoke; returning here avoids calling invoke() on a null Method
        return false;
    }

    // Invalidate the session
    try {
        invalidateSessionMethod.invoke(mgr);
        log.trace("SSL session reset successfully");
        return true;
    } catch (Throwable t) {
        log.error("Failed to reset SSL session: invalidateSession() threw exception: "
                + t.getMessage(), t);
        return false;
    }
}

Hope this helps.

George
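As an added example (not code from this thread), a logout servlet for Tomcat 7+ that invalidates the container session, calls invalidateSession() on the same javax.servlet.request.ssl_session_mgr attribute George uses but through the public org.apache.tomcat.util.net.SSLSessionManager interface instead of reflection, and records the TLS session id so a filter can refuse any later request that still resumes that session (what happens on a connector that returns no manager, as George notes for APR). It assumes Java 8 with the servlet-api and tomcat-coyote jars on the compile classpath; the class, filter and constant names are illustrative.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.tomcat.util.net.SSLSessionManager;

// Logout for a client-cert authenticated app on Tomcat 7+ (NIO/BIO connectors).
public class ClientCertLogoutServlet extends HttpServlet {
    // Tomcat's request attribute names (Globals.SSL_SESSION_ID_ATTR / SSL_SESSION_MGR_ATTR)
    static final String SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";
    static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";
    // TLS session ids invalidated at logout; seeing one again means the connector
    // resumed a session it should have dropped. Production code would expire entries.
    static final Set<String> LOGGED_OUT_TLS_SESSIONS = ConcurrentHashMap.newKeySet();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();          // application-level logout
        String tlsId = (String) req.getAttribute(SSL_SESSION_ID);
        Object mgr = req.getAttribute(SSL_SESSION_MGR);      // null if the connector has no manager
        boolean tlsInvalidated = mgr instanceof SSLSessionManager;
        if (tlsInvalidated) {
            // The call George reaches by reflection: the next request cannot resume this
            // TLS session and must run a full handshake, i.e. present the certificate again.
            ((SSLSessionManager) mgr).invalidateSession();
        }
        if (tlsId != null) LOGGED_OUT_TLS_SESSIONS.add(tlsId);
        // The browser's cached certificate choice is out of the server's reach.
        resp.getWriter().println(tlsInvalidated
                ? "Logged out. Close all browser windows to clear the certificate selection."
                : "Logged out, but the connector could not drop the TLS session; close the browser.");
    }
}

// Mapped in front of protected paths: a request still riding on a TLS session that
// was invalidated at logout is refused, whatever certificate it carries.
class LoggedOutTlsSessionFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        String tlsId = (String) req.getAttribute(ClientCertLogoutServlet.SSL_SESSION_ID);
        if (tlsId != null && ClientCertLogoutServlet.LOGGED_OUT_TLS_SESSIONS.contains(tlsId)) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to the protected paths in web.xml and point the application's logout link at the servlet; a 403 from the filter on the request after logout shows the connector resumed the old TLS session instead of renegotiating.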