researchstudio-sat / webofneeds

Finding people to cooperate with. Protocol, not platform. Decentralized. Linked Data. Open Source.
http://researchstudio-sat.github.io/webofneeds/
Apache License 2.0

Node not working on tomcat 8.5.x #2836

Closed fkleedorfer closed 5 years ago

fkleedorfer commented 5 years ago

The setup guide works for Tomcat 8.0.x, but that version has reached end of life.

If you try it with Tomcat 8.5.x, it seems the server does not ask for a client certificate, so the client does not send one, which then causes the following exception on the node (server):

Mär 20, 2019 11:37:28 AM org.apache.catalina.core.StandardWrapperValve invoke
SCHWERWIEGEND: Servlet.service() for servlet [linkedDataPageServlet] in context with path [/won] threw exception
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: Client certificate attribute is null! Check if you are behind a proxy server that takes care about the client authentication already. If so, set the property 'client.authentication.behind.proxy' to true and make sure the proxy sets the HTTP header 'X-Client-Certificate' appropriately to the sent client certificate
    at won.node.springsecurity.ReverseProxyCompatibleX509AuthenticationFilter.extractClientCertificate(ReverseProxyCompatibleX509AuthenticationFilter.java:109)
    at won.node.springsecurity.ReverseProxyCompatibleX509AuthenticationFilter.getPreAuthenticatedPrincipal(ReverseProxyCompatibleX509AuthenticationFilter.java:48)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:164)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:118)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

The client (owner) logs the following exception:

20.3.19 13:56:08.334 [Thread-78] INFO  w.o.m.OwnerWonMessageSenderJMSBased - Could not register with default won node https://localhost:8443/won/resource. Try again later. - exception: class org.springframework.web.client.HttpServerErrorException, message: 500 
20.3.19 13:56:08.335 [Thread-78] DEBUG w.o.m.OwnerWonMessageSenderJMSBased - Stacktrace of cause: 
org.springframework.web.client.HttpServerErrorException: 500 
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:89) ~[spring-web-4.3.18.RELEASE.jar:4.3.18.RELEASE]
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:708) ~[spring-web-4.3.18.RELEASE.jar:4.3.18.RELEASE]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:661) ~[spring-web-4.3.18.RELEASE.jar:4.3.18.RELEASE]
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:621) ~[spring-web-4.3.18.RELEASE.jar:4.3.18.RELEASE]
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:539) ~[spring-web-4.3.18.RELEASE.jar:4.3.18.RELEASE]
    at won.cryptography.service.RegistrationRestClientHttps.register(RegistrationRestClientHttps.java:82) ~[classes/:na]
    at won.owner.messaging.OwnerProtocolCommunicationServiceImpl.register(OwnerProtocolCommunicationServiceImpl.java:132) ~[classes/:na]
    at won.owner.messaging.OwnerWonMessageSenderJMSBased$1.run(OwnerWonMessageSenderJMSBased.java:151) ~[classes/:na]

fkleedorfer commented 5 years ago

So Tomcat's server.xml schema has changed. Tomcat 8.5 needs this Connector config:

    <Connector 
        port="8443"
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        SSLEnabled="true"
        maxThreads="200"
        compressibleMimeType="text/html, text/xml, text/plain, text/css, text/javascript, application/javascript, application/x-font-ttf, image/svg+xml, text/turtle, application/rdf+xml, application/x-turtle, text/rdf+n3, application/json, application/trig, application/ld+json, application/n-quads"
        compression="on" 
        disableUploadTimeout="true" 
        enableLookups="true"
        maxPostSize="5242880000" 
        maxSpareThreads="75"
        minSpareThreads="5"  
        scheme="https"
        secure="true">
        <SSLHostConfig 
            certificateVerification="optionalNoCA"
            certificateVerificationDepth="2"
            protocols="all">
            <Certificate certificateKeyFile="c:/DATA/DEV/workspace/webofneeds/webofneeds/certs/won-server-certs/t-key.pem"
                         certificateFile="c:/DATA/DEV/workspace/webofneeds/webofneeds/certs/won-server-certs/t-cert.pem"
                         certificateKeyPassword="changeit"/>
        </SSLHostConfig>    
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />   
    </Connector>

fkleedorfer commented 5 years ago

The nice thing about this bug is that now we can use Tomcat 8.5 and HTTP/2.0. I'll have a look at Tomcat 9.0 now and then update the config and possibly also the Tomcat Docker containers.
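
A check for the setting this issue turned on, as an added example that is not part of the original thread or the webofneeds code: it parses a server.xml and reports, for each TLS connector, whether `certificateVerification` on its `SSLHostConfig` makes Tomcat request a client certificate. The sample XML, its placeholder paths, the extra connectors on ports 9443 and 8080, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the 8443 connector is reduced from the config posted above
# (placeholder paths); 9443 is a TLS connector that never asks for a client cert.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="2">
        <Certificate certificateKeyFile="conf/t-key.pem" certificateFile="conf/t-cert.pem"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/t-key.pem" certificateFile="conf/t-cert.pem"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

def audit_client_cert_settings(server_xml: str) -> dict:
    """Map each TLS connector port to a finding about client-certificate requests."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # no TLS on this connector, so no client certificate is possible
        port = conn.get("port", "?")
        # certificateVerification defaults to "none" when the attribute is absent
        modes = {h.get("certificateVerification", "none").lower()
                 for h in conn.iter("SSLHostConfig")}
        # Older connector-level attributes; this check does not interpret them
        legacy = [a for a in ("clientAuth", "SSLVerifyClient") if conn.get(a) is not None]
        if legacy:
            findings[port] = "legacy attribute(s) " + ", ".join(legacy) + ": review manually"
        elif not modes or modes == {"none"}:
            findings[port] = "no client certificate requested"
        elif "optionalnoca" in modes:
            findings[port] = "requested, but Tomcat does not check the chain against trusted CAs"
        else:
            findings[port] = "requested (" + ", ".join(sorted(modes)) + ")"
    return findings

if __name__ == "__main__":
    for port, finding in audit_client_cert_settings(SAMPLE_SERVER_XML).items():
        print(port, "->", finding)
```

With `optionalNoCA`, as in the posted config, the decision whether to trust the presented certificate is left to the application.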