RE: Re: HTTP over SSL client

2010-05-19 Thread webpost
Hi Bruno, 
I'd like to sincerely thank you for your answer :)

After following your suggestions now I set parameters in this way:

org.restlet.Server https_server = new org.restlet.Server(Protocol.HTTPS, https_port);
https_server.setContext(new Context()); // otherwise getContext() returns null
Series<Parameter> parameters = https_server.getContext().getParameters();
parameters.add("sslContextFactory", "org.restlet.engine.security.DefaultSslContextFactory");
parameters.add("keystorePath", KEYSTORE_PATH);
parameters.add("keystorePassword", myApplication.properties.get(ADMIN_PASSWORD_KEY));
parameters.add("keyPassword", myApplication.properties.get(ADMIN_PASSWORD_KEY));
parameters.add("keystoreType", "JKS");

I use DefaultSslContextFactory and DSA as keyalg as suggested by you in other 
threads (such as 
http://www.mail-archive.com/discuss@restlet.tigris.org/msg07087.html )
but now the following exception gets thrown:

java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
at 
sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at 
org.restlet.engine.security.DefaultSslContextFactory.createSslContext(DefaultSslContextFactory.java:198)
at 
org.restlet.ext.simple.HttpsServerHelper.start(HttpsServerHelper.java:272)
at org.restlet.Server.start(Server.java:571)
at org.restlet.Component.startServers(Component.java:581)
at org.restlet.Component.start(Component.java:508)

as the command myApplication.component.start() is executed:

cnritb_asa_application.component = new Component();
myApplication.component.getServers().add(https_server);
myApplication.component.getDefaultHost()
    .attach("/" + myApplication.properties.get(CONTEXT_ROOT_KEY), cnritb_asa_application);


So now there's another issue.. at least it's clear that previously my server's 
certificate was not even considered.


Why does this happen? Candid thanks in advance

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610447


RE: HTTP over SSL client

2010-05-19 Thread webpost
Sorry, I forgot to specify that in the code pasted the second time, I've not 
sent any credentials to the server because I previously added the ping resource 
to an unguarded router. 
However this doesn't change a thing, because while debugging, the exception is 
thrown before any verifier or PingResource.class gets called on the server side.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610417


Re: HTTP over SSL client

2010-05-19 Thread Bruno Harbulot
On 18/05/2010 18:17, webp...@tigris.org wrote:
 Hi Bruno,
 I'd like to sincerely thank you for your answer :)

 After following your suggestions now I set parameters in this way:

 org.restlet.Server https_server = new org.restlet.Server(Protocol.HTTPS, https_port);
 https_server.setContext(new Context()); // otherwise getContext() returns null
 Series<Parameter> parameters = https_server.getContext().getParameters();
 parameters.add("sslContextFactory", "org.restlet.engine.security.DefaultSslContextFactory");
 parameters.add("keystorePath", KEYSTORE_PATH);
 parameters.add("keystorePassword", myApplication.properties.get(ADMIN_PASSWORD_KEY));
 parameters.add("keyPassword", myApplication.properties.get(ADMIN_PASSWORD_KEY));
 parameters.add("keystoreType", "JKS");

 I use DefaultSslContextFactory and DSA as keyalg as suggested by you in other 
 threads (such as 
 http://www.mail-archive.com/discuss@restlet.tigris.org/msg07087.html )
 but now the following exception gets thrown:

I can't remember suggesting DSA, and the DefaultSslContextFactory is now 
the default anyway (so you don't need to specify it).

If you created the Server after creating the component, it would have a 
context:
Server server = component.getServers().add(Protocol.HTTPS, 8183);


 java.io.IOException: Invalid keystore format
   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
   at 
 sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
   at java.security.KeyStore.load(KeyStore.java:1185)
   at 
 org.restlet.engine.security.DefaultSslContextFactory.createSslContext(DefaultSslContextFactory.java:198)
   at 
 org.restlet.ext.simple.HttpsServerHelper.start(HttpsServerHelper.java:272)
   at org.restlet.Server.start(Server.java:571)
   at org.restlet.Component.startServers(Component.java:581)
   at org.restlet.Component.start(Component.java:508)

I'm not sure, what's in KEYSTORE_PATH? Have you checked for example that 
you can read its content using keytool?
  keytool -list -keystore your_file.jks -storetype JKS


Best wishes,

Bruno.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610810
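A programmatic version of the "can keytool read it?" check above, as an added example that is not part of the thread or of the Restlet project. It loads the keystore the same way DefaultSslContextFactory does (type, file, store password), then verifies that there is a private key entry the key password can open, that the leaf certificate's CN is the host name the client will connect to, and that the certificate is not signed with MD5 or SHA-1. The file name, passwords and expected host name are assumptions; pass your own on the command line.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class KeystoreCheck {

    /** Loads the keystore exactly as the server connector will: type + file + store password. */
    static KeyStore load(String path, String type, char[] storePassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // This is the call that throws "Invalid keystore format" when the
            // file is not actually a JKS (e.g. a .cer file or a PKCS#12 store).
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** Returns the CN attribute of an X.509 subject DN, or null if it has none. */
    static String commonName(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions for illustration; override from the command line.
        String path = args.length > 0 ? args[0] : "server.jks";
        char[] storePass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        char[] keyPass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        String expectedHost = args.length > 3 ? args[3] : "localhost";

        KeyStore ks = load(path, "JKS", storePass);
        List<String> aliases = Collections.list(ks.aliases());
        System.out.println("aliases: " + aliases);

        boolean hasServerKey = false;
        for (String alias : aliases) {
            if (!ks.isKeyEntry(alias)) {
                continue; // a trusted-certificate entry cannot terminate TLS
            }
            // The key password must open the entry, otherwise the server fails at start().
            ks.getKey(alias, keyPass);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            String cn = commonName(leaf);
            String sigAlg = leaf.getSigAlgName();
            System.out.printf("key entry %s: CN=%s sigalg=%s%n", alias, cn, sigAlg);
            if (!expectedHost.equalsIgnoreCase(cn)) {
                System.out.println("  WARNING: CN does not match the host name; hostname verification will fail");
            }
            String upper = sigAlg.toUpperCase();
            if (upper.startsWith("MD5") || upper.startsWith("SHA1")) {
                System.out.println("  WARNING: weak signature algorithm; regenerate with -sigalg SHA256withRSA");
            }
            hasServerKey = true;
        }
        if (!hasServerKey) {
            throw new IllegalStateException("no private key entry found in " + path);
        }
    }
}
```

Run it against the exact path you pass as keystorePath: if this program cannot load the file, Restlet cannot either, and the stack trace in the thread is what you will see at Component.start().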


Re: HTTP over SSL client

2010-05-19 Thread iammyr
Hi Bruno!
Thanks a lot!
I got confused between the restlet application's and the restlet server's
parameters/attributes etc. However I was able to adjust everything starting
from the observation you wrote to me in your first reply. 
However I continued getting the Invalid keystore format exception until I changed
the keystore_path to my home folder.
Then, I managed to execute a (not guarded) access to my ping resource
through https, using my web browser Mozilla (which asked me to accept the
self-signed certificate), but I couldn't access it through my Java client.

Finally I solved it, simply by adding the following line to my client code:
System.setProperty("javax.net.ssl.trustStore", jksPath);

I don't know if that instruction is obvious or not, however I didn't know
about it, nor did I find anything about it throughout my web searches... I
just found and tried it (successfully) in a very old (2003) forum thread,
inserted casually into a piece of code.. However I hope this could be helpful
to others 

Thanks really a lot Bruno, you're really kind ;)
myriam

-- 
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/HTTP-over-SSL-client-tp5070519p5075086.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610850


RE: Re: HTTP over SSL client

2010-05-19 Thread webpost
ok, I've solved it by adding the following line (what a damn) to my Java client:

System.setProperty("javax.net.ssl.trustStore", jksPath);

IMHO the need for that line should be mentioned on the Configuring 
HTTPS Restlet wiki page 
http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet/213-restlet.html

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610800


RE: Re: HTTP over SSL client

2010-05-19 Thread webpost
I solved the Invalid keystore format exception by moving the .jks and .cer 
files I created into my home directory.

Currently I have (not guarded) access to my ping resource and I managed to 
access it successfully from my browser. However from my Java client class, I 
still get the 
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated 
exception thrown, and my client code has been minimized to the following lines:

ClientResource resource = new ClientResource(new Context(), samplesUri);
resource.setProtocol(Protocol.HTTPS);
resource.get(); // at this point the exception is thrown

of course I've previously executed the command 

keytool -import -alias localhost -file homPath\localhost.cer -keystore 
Path\cacerts -storepass changeit

from the command line.

This is the full stack trace:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at 
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at 
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at 
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
at 
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
at 
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
at 
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
at 
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at 
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at 
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at 
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at 
org.restlet.ext.httpclient.internal.HttpMethodCall.sendRequest(HttpMethodCall.java:331)
at 
org.restlet.engine.http.adapter.ClientAdapter.commit(ClientAdapter.java:112)
at 
org.restlet.engine.http.HttpClientHelper.handle(HttpClientHelper.java:110)
at org.restlet.Client.handle(Client.java:177)
at org.restlet.resource.ClientResource.handle(ClientResource.java:838)
at org.restlet.resource.ClientResource.handle(ClientResource.java:806)
at org.restlet.resource.ClientResource.handle(ClientResource.java:745)
at org.restlet.resource.ClientResource.handle(ClientResource.java:660)
at org.restlet.resource.ClientResource.get(ClientResource.java:408)

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610759
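Both the "peer not authenticated" message above and the later fix with System.setProperty("javax.net.ssl.trustStore", ...) come down to the same thing: the client JVM has to be told which certificates it trusts. The system property and the import into the JRE's cacerts both change trust for every HTTPS connection in that JVM. The following added example (not code from the thread or from the Restlet project) shows the narrower alternative: an SSLContext built with JSSE from an application-specific truststore that holds only the exported server certificate, used here with the JDK's own HttpsURLConnection so it runs without any Restlet client connector. The URL, the truststore path and its password are assumptions. Restlet's DefaultSslContextFactory also reads truststorePath/truststorePassword parameters on a connector's context in later 2.x builds; check the javadoc of the version you run before relying on that.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {

    /**
     * Builds an SSLContext whose only trust anchors are the entries of the given
     * JKS file. Nothing from the JRE's cacerts is trusted by this context.
     */
    static SSLContext contextFor(String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManagers: the client presents no certificate, which is fine with
        // wantClientAuthentication (optional) on the server, not with needClientAuthentication.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: a truststore in the home directory created with
        // "keytool -importcert -alias localhost -file localhost.cer -keystore client-truststore.jks".
        String trustStorePath = System.getProperty("user.home") + "/client-truststore.jks";
        SSLContext ctx = contextFor(trustStorePath, "changeit".toCharArray());

        URL url = new URL("https://localhost:9873/appcontext/ping"); // assumption
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is kept on purpose: the certificate's CN
        // (or SAN) must be "localhost", which is why the DN must not be a URL.
        conn.setRequestMethod("GET");

        // The TLS handshake happens here; an untrusted or mismatched certificate
        // surfaces as SSLHandshakeException before any HTTP status is available.
        int status = conn.getResponseCode();
        Certificate[] chain = conn.getServerCertificates();
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("HTTP " + status + " from " + leaf.getSubjectX500Principal());
        conn.disconnect();
    }
}
```

Compared with the system-property approach, this keeps the trust decision local to the code that needs it and leaves the JRE's cacerts untouched, which is what Bruno's earlier reply recommends.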


HTTP over SSL client

2010-05-18 Thread iammyr
thrown:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)



There are no more client connectors supporting the https protocol to try, so I
really don't know how to solve this anymore... I've surfed and surfed the web
a lot.. please help me...

P.S.
I've not created any client certificate but on the server side I've set:
Series<Parameter> parameters = myApplication.getContext().getParameters();
parameters.add("wantClientAuthentication", "true");

which should mean that the client authentication is optional


REALLY DEEP THANKS to anyone who's going to help me 
-- 
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/HTTP-over-SSL-client-tp5070519p5070519.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610413


Re: HTTP over SSL client

2010-05-18 Thread Bruno Harbulot
Hi,

On 18/05/10 16:19, iammyr wrote:
 Hi everyone,
 I have set up a REST application, using restlet-jse-2.0snapshot, to which
 I've added two servers: the first one supports the http protocol on port
 9877, while the second one supports the https protocol on port 9873

 org.restlet.Server http_server = new org.restlet.Server(Protocol.HTTP, port);
 org.restlet.Server https_server = new org.restlet.Server(Protocol.HTTPS, https_port);
 myApplication.component.getDefaultHost().attach("/appcontext", myApplication);
 myApplication.component.getServers().add(http_server);
 myApplication.component.getServers().add(https_server);

 then I should have up and running:
 http://localhost:9877/appcontext
 https://localhost:9873/appcontext

 I've also added a verifier and I provide a ping resource:

 Router authRouter = new Router(getContext());
 authRouter.attach("/ping", PingResource.class);
 Cnritb_asaVerifier verifier = new Cnritb_asaVerifier();
 ChallengeAuthenticator guard = new ChallengeAuthenticator(getContext(),
         ChallengeScheme.HTTP_BASIC, "ProbesetPreprocessor");
 guard.setVerifier(verifier);
 guard.setNext(authRouter);
 Router router = new Router(getContext());
 // attach resources which don't require authentication
 router.attachDefault(guard);


 I've created a keystore file and exported the .cer file specifying
 "https://localhost:9873/appcontext" as both -dname and alias (-keyalg
 "RSA" -sigalg "MD5withRSA").
 Then I've added this .cer file to the certificates trusted by the jvm on the
 client side:

It's not clear from this where you've actually configured the use of 
this keystore. It must be done with the server's context 
(https_server.getContext() in your case). How did you do it?


In addition, it's not the URL that needs to be in the DN (-dname), it's 
something like:
 
CN=the.full.host.name,OU=SomeOrganizationalUnit,O=SomeOrganization,C=CountryTwoLetters

In your case, that would be at least CN=localhost (or the actual 
name): that's what the hostname verifier will check.


 keytool -import -alias https://localhost:9873/appcontext/ -file
 serverCerFilePath -keystore C:\Java\jdk1.6.0_20\jre\lib\security\cacerts
 -storepass changeit

Note that you don't have to change the JRE cacerts file unless you want 
that to be the default in any app that runs with this JRE.

It may have to be flagged with -trustcacerts too.


 I've used Simple as Server connector supporting the https protocol, while as
 client connector I've tried either the apache httpclient or the java.net
 extension, but I always get an exception thrown. In particular, using the
 code:

 String registerUri = "https:localhost:9873/appcontext/ping";

Not sure if it's a copy/paste mistake or if it's in your actual code, 
but https:localhost is missing the // in the middle.


 P.S.
 I've not created any client certificate but on the server side I've set:
 Series<Parameter> parameters = myApplication.getContext().getParameters();
 parameters.add("wantClientAuthentication", "true");

 which should mean that the client authentication is optional

Due to the way Simple works at the moment, when you're using Simple, 
wantClientAuthentication is always set to true anyway.
In addition these settings are not meant to be done on the application's 
connector, but on the server's connector (along with the keystore or 
SSLContext settings).


Best wishes,

Bruno.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2610430
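The two points Bruno makes in this reply and in the next one, that the keystore settings belong on the server connector's context and not on the application's, and that creating the Server through the Component gives it a context without a manual setContext(), are easiest to see in one piece. The following is an added example, not code from the thread or from the Restlet project: a minimal Restlet 2.x component with an unguarded /ping resource and an HTTP Basic guard in front of everything else, served over HTTPS. The port, the keystore path and the passwords are assumptions, and it needs an HTTPS-capable server connector (for example the Simple or Jetty extension) on the classpath. The keystore password is a placeholder; in real deployments it should be a dedicated secret rather than the application's admin password.

```java
import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MapVerifier;
import org.restlet.util.Series;

public class HttpsComponent {

    /** Reachable without credentials, so the TLS layer can be tested on its own. */
    public static class PingResource extends ServerResource {
        @Get
        public String ping() {
            return "pong";
        }
    }

    public static class MyApplication extends Application {
        @Override
        public Restlet createInboundRoot() {
            Router open = new Router(getContext());
            open.attach("/ping", PingResource.class);

            // Everything not matched above must pass HTTP Basic authentication.
            MapVerifier verifier = new MapVerifier();
            verifier.getLocalSecrets().put("alice", "s3cret".toCharArray()); // assumption
            ChallengeAuthenticator guard = new ChallengeAuthenticator(
                    getContext(), ChallengeScheme.HTTP_BASIC, "ProbesetPreprocessor");
            guard.setVerifier(verifier);
            guard.setNext(new Router(getContext())); // guarded resources attach here
            open.attachDefault(guard);
            return open;
        }
    }

    public static void main(String[] args) throws Exception {
        Component component = new Component();

        // Creating the server through the component gives it a context, so
        // getContext() is not null and no setContext(new Context()) is needed.
        Server https = component.getServers().add(Protocol.HTTPS, 9873);

        // TLS settings go on the *server connector's* context. Parameters set on
        // the application's context are never seen by the connector.
        Series<Parameter> p = https.getContext().getParameters();
        p.add("keystorePath", System.getProperty("user.home") + "/server.jks"); // assumption
        p.add("keystorePassword", "changeit"); // assumption
        p.add("keyPassword", "changeit");      // assumption
        p.add("keystoreType", "JKS");
        p.add("wantClientAuthentication", "true"); // client certificate requested but optional

        component.getDefaultHost().attach("/appcontext", new MyApplication());
        component.start();
    }
}
```

With this wiring, https://localhost:9873/appcontext/ping answers without credentials and any other path under /appcontext challenges for HTTP Basic; the certificate in server.jks must have CN=localhost (or the real host name) for clients to pass hostname verification.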