
SecurityIntegration: security management web-app fails on login #75

Closed hylkevds closed 10 years ago

hylkevds commented 10 years ago

Oops! something went wrong!

From the stack trace it seems it doesn't like my certificate... The first web page linked to in the wiki isn't much help, since the Java file it links to gives a 404, and the second one is way too complicated.

14:11:58,755 ERROR [stderr] (http--127.0.0.1-8080-7) org.apache.shiro.authc.AuthenticationException: org.pac4j.core.exception.TechnicalException: org.scribe.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service.
14:11:58,757 ERROR [stderr] (http--127.0.0.1-8080-7)    at io.buji.pac4j.ClientRealm.doGetAuthenticationInfo(ClientRealm.java:81)
14:11:58,757 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
14:11:58,757 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
14:11:58,758 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
14:11:58,758 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
14:11:58,759 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
14:11:58,759 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
14:11:58,760 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
14:11:58,760 ERROR [stderr] (http--127.0.0.1-8080-7)    at io.buji.pac4j.ClientFilter.onAccessDenied(ClientFilter.java:96)
14:11:58,761 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
14:11:58,761 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
14:11:58,762 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
14:11:58,762 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
14:11:58,762 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
14:11:58,763 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
14:11:58,763 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
14:11:58,764 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
14:11:58,764 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
14:11:58,765 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
14:11:58,765 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
14:11:58,765 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
14:11:58,766 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
14:11:58,766 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
14:11:58,767 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
14:11:58,767 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
14:11:58,768 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
14:11:58,768 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
14:11:58,768 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
14:11:58,769 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
14:11:58,769 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
14:11:58,769 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
14:11:58,769 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
14:11:58,770 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
14:11:58,770 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
14:11:58,770 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
14:11:58,771 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
14:11:58,771 ERROR [stderr] (http--127.0.0.1-8080-7)    at java.lang.Thread.run(Thread.java:744)
14:11:58,772 ERROR [stderr] (http--127.0.0.1-8080-7) Caused by: org.pac4j.core.exception.TechnicalException: org.scribe.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service.
14:11:58,772 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.pac4j.oauth.client.BaseOAuthClient.retrieveUserProfile(BaseOAuthClient.java:166)
14:11:58,773 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.pac4j.oauth.client.BaseOAuthClient.retrieveUserProfile(BaseOAuthClient.java:44)
14:11:58,773 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:147)
14:11:58,774 ERROR [stderr] (http--127.0.0.1-8080-7)    at io.buji.pac4j.ClientRealm.internalGetAuthenticationInfo(ClientRealm.java:109)
14:11:58,774 ERROR [stderr] (http--127.0.0.1-8080-7)    at io.buji.pac4j.ClientRealm.doGetAuthenticationInfo(ClientRealm.java:79)
14:11:58,774 ERROR [stderr] (http--127.0.0.1-8080-7)    ... 36 more
14:11:58,775 ERROR [stderr] (http--127.0.0.1-8080-7) Caused by: org.scribe.exceptions.OAuthConnectionException: There was a problem while creating a connection to the remote service.
14:11:58,775 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.scribe.model.ProxyRequest.send(ProxyRequest.java:85)
14:11:58,776 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.scribe.model.ProxyOAuthRequest.send(ProxyOAuthRequest.java:49)
14:11:58,776 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.scribe.oauth.ExtendedOAuth20ServiceImpl.getAccessToken(ExtendedOAuth20ServiceImpl.java:54)
14:11:58,777 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.pac4j.oauth.client.BaseOAuth20Client.getAccessToken(BaseOAuth20Client.java:106)
14:11:58,777 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.pac4j.oauth.client.BaseOAuthClient.retrieveUserProfile(BaseOAuthClient.java:163)
14:11:58,778 ERROR [stderr] (http--127.0.0.1-8080-7)    ... 40 more
14:11:58,778 ERROR [stderr] (http--127.0.0.1-8080-7) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
14:11:58,779 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
14:11:58,780 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
14:11:58,780 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
14:11:58,780 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
14:11:58,781 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
14:11:58,781 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
14:11:58,782 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
14:11:58,782 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
14:11:58,782 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
14:11:58,783 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
14:11:58,783 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
14:11:58,784 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
14:11:58,784 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
14:11:58,785 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
14:11:58,785 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
14:11:58,786 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
14:11:58,786 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.scribe.model.ProxyRequest.addBody(ProxyRequest.java:141)
14:11:58,787 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.scribe.model.ProxyRequest.doSend(ProxyRequest.java:123)
14:11:58,787 ERROR [stderr] (http--127.0.0.1-8080-7)    at org.scribe.model.ProxyRequest.send(ProxyRequest.java:83)
14:11:58,787 ERROR [stderr] (http--127.0.0.1-8080-7)    ... 44 more
14:11:58,788 ERROR [stderr] (http--127.0.0.1-8080-7) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
14:11:58,789 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
14:11:58,789 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
14:11:58,789 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.validator.Validator.validate(Validator.java:260)
14:11:58,790 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
14:11:58,790 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
14:11:58,791 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
14:11:58,791 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
14:11:58,792 ERROR [stderr] (http--127.0.0.1-8080-7)    ... 58 more
14:11:58,792 ERROR [stderr] (http--127.0.0.1-8080-7) Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
14:11:58,793 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
14:11:58,793 ERROR [stderr] (http--127.0.0.1-8080-7)    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
14:11:58,794 ERROR [stderr] (http--127.0.0.1-8080-7)    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
14:11:58,794 ERROR [stderr] (http--127.0.0.1-8080-7)    ... 64 more
mdii commented 10 years ago

Normally, the solution in the first link should fix the issue. Here is the content of InstallCert.java:

import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

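/**
 * Command-line helper that connects to a TLS server, shows the certificate chain it
 * presents, and lets the operator add one of those certificates as a trusted entry in a
 * local {@code jssecacerts} trust store.
 *
 * <p>Usage: {@code java InstallCert <host>[:port] [passphrase]}. The trust store is read
 * from {@code ./jssecacerts}, then {@code $JAVA_HOME/lib/security/jssecacerts}, then
 * {@code $JAVA_HOME/lib/security/cacerts}; the updated store is always written to
 * {@code ./jssecacerts} in the working directory, so it still has to be copied to
 * {@code lib/security} (or the JVM pointed at it) before the JVM will consult it.
 *
 * <p>This is a trust-on-first-use step: whatever is selected becomes a trust anchor for
 * every future connection made with that store. Compare the printed SHA-256 fingerprint
 * with the value obtained from the server operator through an independent channel before
 * confirming, and prefer the issuing CA certificate over the leaf where possible. The
 * SHA-1 and MD5 fingerprints are kept only for matching older documentation.
 */
public class InstallCert {

    /** Password the JDK ships its default trust store with. */
    private static final String DEFAULT_PASSPHRASE = "changeit";

    /** TLS port used when none is given on the command line. */
    private static final int DEFAULT_PORT = 443;

    /** Read timeout applied to the probing socket, in milliseconds. */
    private static final int HANDSHAKE_TIMEOUT_MS = 10000;

    /** Name of the trust-store file this tool prefers to read and always writes. */
    private static final String OUTPUT_KEYSTORE = "jssecacerts";

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    /**
     * Runs the tool.
     *
     * @param args {@code <host>[:port] [passphrase]}; any other arity prints usage and returns
     * @throws Exception on keystore, I/O or TLS provider failures other than a failed
     *         server-certificate validation (that case is reported and the chain shown)
     */
    public static void main(String[] args) throws Exception {
        if (args.length != 1 && args.length != 2) {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }
        String[] hostPort = args[0].split(":");
        String host = hostPort[0];
        int port = (hostPort.length == 1) ? DEFAULT_PORT : Integer.parseInt(hostPort[1]);
        String p = (args.length == 1) ? DEFAULT_PASSPHRASE : args[1];
        char[] passphrase = p.toCharArray();

        File file = locateKeyStore();
        System.out.println("Loading KeyStore " + file + "...");
        KeyStore ks = loadKeyStore(file, passphrase);

        // Wrap the platform's default PKIX trust manager so the chain the server presents
        // is captured even when validation rejects it; validation itself is still delegated.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] {tm}, null);

        probeServer(context.getSocketFactory(), host, port);

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }
        printChain(chain);

        int k = readSelection(chain.length);
        if (k < 0) {
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        // Always written to the working directory, never to the JRE's own trust store.
        try (OutputStream out = new FileOutputStream(OUTPUT_KEYSTORE)) {
            ks.store(out, passphrase);
        }

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '"
            + alias + "'");
    }

    /**
     * Finds the trust store to load.
     *
     * @return {@code ./jssecacerts} if present, else {@code $JAVA_HOME/lib/security/jssecacerts}
     *         if present, else {@code $JAVA_HOME/lib/security/cacerts} (existence not checked)
     */
    private static File locateKeyStore() {
        File local = new File(OUTPUT_KEYSTORE);
        if (local.isFile()) {
            return local;
        }
        File dir = new File(System.getProperty("java.home"),
            "lib" + File.separatorChar + "security");
        File jreJsse = new File(dir, OUTPUT_KEYSTORE);
        if (jreJsse.isFile()) {
            return jreJsse;
        }
        return new File(dir, "cacerts");
    }

    /**
     * Loads a keystore of the platform default type from {@code file}.
     *
     * @param file keystore file to read
     * @param passphrase integrity password for the store
     * @return the loaded keystore
     * @throws Exception if the file cannot be read or does not verify with {@code passphrase}
     */
    private static KeyStore loadKeyStore(File file, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, passphrase);
        }
        return ks;
    }

    /**
     * Opens a TLS connection and runs the handshake so the wrapped trust manager sees the
     * server's chain. A handshake rejected by validation is reported on stdout and is not
     * an error for this tool; other I/O failures propagate.
     *
     * @param factory socket factory built over the saving trust manager
     * @param host server host
     * @param port server port
     * @throws IOException if the TCP connection cannot be established
     */
    private static void probeServer(SSLSocketFactory factory, String host, int port)
        throws IOException {
        System.out.println("Opening connection to " + host + ":" + port + "...");
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(HANDSHAKE_TIMEOUT_MS);
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            // Expected when the chain does not validate against the loaded store; the
            // chain has already been recorded by SavingTrustManager at this point.
            System.out.println();
            e.printStackTrace(System.out);
        }
    }

    /**
     * Prints subject, issuer and fingerprints for every certificate in {@code chain},
     * numbered from 1 as the operator will select them.
     *
     * @param chain chain as sent by the server, leaf first
     * @throws Exception if a digest algorithm is unavailable or a certificate cannot be encoded
     */
    private static void printChain(X509Certificate[] chain) throws Exception {
        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            byte[] encoded = cert.getEncoded();
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectX500Principal());
            System.out.println("   Issuer  " + cert.getIssuerX500Principal());
            // SHA-256 is the fingerprint to verify out-of-band; SHA-1/MD5 are legacy.
            System.out.println("   sha256  " + toHexString(sha256.digest(encoded)));
            System.out.println("   sha1    " + toHexString(sha1.digest(encoded)));
            System.out.println("   md5     " + toHexString(md5.digest(encoded)));
            System.out.println();
        }
    }

    /**
     * Prompts for the 1-based index of the certificate to trust.
     *
     * @param count number of certificates in the chain
     * @return the 0-based index chosen (empty input selects the first certificate), or
     *         {@code -1} when stdin is closed, the input is not a number, or it is out of range
     * @throws IOException if stdin cannot be read
     */
    private static int readSelection(int count) throws IOException {
        // System.in is deliberately not closed here.
        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine();
        if (line == null) {
            return -1;
        }
        line = line.trim();
        int k;
        try {
            k = line.isEmpty() ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            return -1;
        }
        return (k >= 0 && k < count) ? k : -1;
    }

    /**
     * Formats bytes as lowercase hex pairs, each followed by a space.
     *
     * @param bytes data to format
     * @return e.g. {@code "de ad be ef "} for {0xde, 0xad, 0xbe, 0xef}
     */
    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (byte b : bytes) {
            int v = b & 0xff;
            sb.append(HEXDIGITS[v >>> 4]).append(HEXDIGITS[v & 0x0f]).append(' ');
        }
        return sb.toString();
    }

    /**
     * Trust manager that records the server chain before delegating validation to the
     * wrapped manager. It never accepts anything the delegate would reject; it only
     * remembers what was offered so it can be shown after a failed handshake.
     */
    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;

        /** Chain from the most recent checkServerTrusted call; null until then. */
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // Delegate rather than throw: JSSE may query this during the handshake.
            return tm.getAcceptedIssuers();
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
            // This tool only acts as a TLS client; client-certificate checks are not expected.
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }

}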
hylkevds commented 10 years ago

We can't expect users to know what to do with that file. This needs a proper step-by-step guide, just like the one for generating the certificate.

I actually managed to find how to do it, and it's just one command, so I added that command to the certificate-generation howto. I don't know whether it also works on windows...

mdii commented 10 years ago

Great solution! If the solution you have provided fixes the problem, then the step-by-step guide is already complete.