fangshuoshirounet / openid-server

Automatically exported from code.google.com/p/openid-server
BSD 3-Clause "New" or "Revised" License
1 stars 0 forks source link

Https Configuration #31

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
how to configure https settings???
i want that my domain name should be like https://domainname.com
and identification url should be like http://username.domainname.com

how i can achieve this? kindly help me...

i'm working on localhost, 
in this url : https://mydomain.com:8443/domain-configurator, after logged in, 
it gives a UI for domain configuration,

it is showing,
OpenID Identifier pattern in base settings,
https://username.:8443/ ,
i dont want to use https:// in Identifier pattern, n just want use domain 
pattern like https://username.:8443/
 i entered https.endpoint.enabled = true;
but my client is not getting list openid's.

Original issue reported on code.google.com by adeelam...@gmail.com on 7 Oct 2011 at 8:18

GoogleCodeExporter commented 8 years ago
Access http://username.mydomain.com:8443/ with your browser such as firefox,  
what you get in HTML code?

Original comment by zhoushu...@gmail.com on 8 Oct 2011 at 3:13

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
many thanks for your quick reply

i'm getting this html code : 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="openid.server" href="https://mydomain.com:8443/server" />
<link rel="openid2.provider" href="https://mydomain.com:8443/server" />
<title>Identity Endpoint For 03325872705</title>
</head>
<body>
<h3>OpenID Identity Page</h3>
<p>This is the identity page for the user <strong>03325872705</strong>.
</p>
<p>For more information, please visit <a
    href="https://mydomain.com:8443/">https://mydomain.com:8443/</a></p>

</body>
</html>

and  my domain configuration parameters are
domain name : mydomain.com
domain type : 1 
https.endpoint.enabled : true
https.identifier.enabled : false

Thanks and Regards, 

Original comment by adeelam...@gmail.com on 8 Oct 2011 at 5:33

GoogleCodeExporter commented 8 years ago
waiting your response ,

Thanks and Regards,

Original comment by adeelam...@gmail.com on 8 Oct 2011 at 5:39

GoogleCodeExporter commented 8 years ago
The html code of the identifier page looks good:
the OP Endpoint URL is httpS.

What's the matter you encountered then?

Original comment by zhoushu...@gmail.com on 8 Oct 2011 at 12:42

GoogleCodeExporter commented 8 years ago
thanks for your reply,
actually i want that domain should be like https://mydomain.com:8443
and identifier should be like http://username.mydomain.com:8080

how to configure this?

Original comment by adeelam...@gmail.com on 8 Oct 2011 at 12:47

GoogleCodeExporter commented 8 years ago
like in live demo : 

domain is working on https protocol,
and identifier is http based,

like domain is : https://openid.org.cn/home
and my identifier is : http://adeelamin.openid.org.cn/

i want to implement this... 

Original comment by adeelam...@gmail.com on 8 Oct 2011 at 12:55

GoogleCodeExporter commented 8 years ago
I think you current configuration and what you get are correct:

1. when you access httpS://mydomain.com:8443/home the identifier displayed on 
the page is http://username.mydomain.com:8443/ (not httpS)

2. and when you access http://username.mydomain.com:8443/ (not httpS), in the 
html code the openid.server url is httpS://mydomain.com:8443/

these two parameters: https.endpoint.enabled, https.identifier.enabled do NOT 
mean redirecting, for example: if you set https.endpoint.enabled=true, when you 
visit http://mydomain.com:8443/ (not httpS), it will not redirect to httpS.

Original comment by zhoushu...@gmail.com on 8 Oct 2011 at 3:16

GoogleCodeExporter commented 8 years ago
thanks for your reply,
but i'm facing issue, when i try to client interaction with server, client is 
not getting information about my identifier, i'm using openid4java v0.95 api, 
it is nt properly interacting with https server, 

when i used http setting, everything was working fine, now i've configured 
server with https protocol, its not working , even same client application 
working fine with this server http://openid.org.cn/

Original comment by adeelam...@gmail.com on 8 Oct 2011 at 6:11

GoogleCodeExporter commented 8 years ago
You should provide more information about the issue, such as the error 
log/stack trace of you client application.
I guess the issue is caused by your https certificate configuration miss, that 
is to say the JDK of the client does not trust your server's https certificate.

Original comment by zhoushu...@gmail.com on 8 Oct 2011 at 6:21

GoogleCodeExporter commented 8 years ago
openid server configuration with SSL
i'd entered these lines in openid server web.xml
<security-constraint>
        <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

and i'm getting this error at client end : 

org.openid4java.discovery.yadis.YadisException: 0x704: I/O transport error: 
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:432)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:229)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:221)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:179)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:134)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:114)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:527)
    at org.apache.jsp.consumer_005fredirect_jsp._jspService(consumer_005fredirect_jsp.java:100)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:386)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1525)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.openid4java.util.HttpCache.head(HttpCache.java:296)
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:360)
    ... 25 more
Caused by: sun.security.validator.ValidatorException: PKIX path building 
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 45 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 51 more

Original comment by adeelam...@gmail.com on 8 Oct 2011 at 6:36

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
one thing more, my openid server is running on https protocol, i accessed 
http://username.mydomain.com:8080/ with browser such as firefox , it 
automatically redirect to https://username.domainname.com:8443, i want that my 
identifier pattern should be like this  http://username.domainname.com:8080, 
and if i enter this identifier http://username.mydomain.com:8080/, it shouldn't 
be redirected to https://username.domainname.com:8443

Original comment by adeelam...@gmail.com on 8 Oct 2011 at 6:54

GoogleCodeExporter commented 8 years ago
>Caused by: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

as I guessed, this problem is caused by your https certificate.

I am not sure the reason of the 8080/8443 redirecting problem, but you may take 
a look at the following section of your tomcat's server.xml:

    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="8443" />

Original comment by zhoushu...@gmail.com on 9 Oct 2011 at 2:43

GoogleCodeExporter commented 8 years ago
thanks alot dear,
i will check this , 

Original comment by adeelam...@gmail.com on 9 Oct 2011 at 7:22