Client Authentication Help!!

fdlcruz
Joined: 2004-08-23

This is actually a 2-part error so please bear with me.

Trying to get a custom 403 to display on the site when client authentication is invalid or missing.

I tried this on my web.xml

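<security-constraint>
  <web-resource-collection>
    <web-resource-name>CERTREALM</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>CERTREALM</realm-name>
</login-config>

<error-page>
  <error-code>403</error-code>
  <location>/403.htmli</location>
</error-page>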

My problem is I get this error the moment I hit a JSP page.
java.net.SocketException: SSL Cert handshake timeout
at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:107)
at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:73)
at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:131)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.action(ProcessorTask.java:1040)
at org.apache.coyote.Request.action(Request.java:376)
at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:1012)
at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:282)
at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:118)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1030)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:627)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:557)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:73)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.invokeAdapter(ProcessorTask.java:667)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.processBlocked(ProcessorTask.java:607)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:842)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.doTask(ProcessorTask.java:436)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:75)
|#]

Also, I don't know if I have the error-page set up correctly.

Please help!

swchan2
Joined: 2005-03-29

In web.xml, CLIENT-CERT is specified. Do you have a private key certificate installed in your browser?

fdlcruz
Joined: 2004-08-23

Yep. A client cert is installed. In fact, if I turn on client-cert on the server level instead of the application level, things seem to work.

jfarcand
Joined: 2003-06-10

If you try with GlassFish v2 build 18, does it make a difference? b18 uses NIO non-blocking and I'm curious to see what exception you will get (might work as well).

-- Jeanfrancois

fdlcruz
Joined: 2004-08-23

Can't seem to find build 18 anywhere on the site. Can you give me a link?

Thanks!

fdlcruz
Joined: 2004-08-23

Never mind... I found it. I'll let you know if that works.

fdlcruz
Joined: 2004-08-23

No dice. Here is the stack trace.

[#|2006-09-20T15:02:21.442-0400|WARNING|sun-appserver-pe9.1|javax.enterprise.system.container.web|_ThreadID=11;_ThreadName=httpSSLWorkerThread-50443-0;_RequestID=239f169e-a1c2-44a0-8c20-6dab05591279;|WEB0785: Exception getting SSL Cert
java.io.IOException: Handshake failed
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doPeerCertificateChain(SSLReadTask.java:286)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLProcessorTask.action(SSLProcessorTask.java:127)
at org.apache.coyote.Request.action(Request.java:378)
at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:1117)
at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:282)
at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:118)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1030)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:637)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:73)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:239)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:618)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.processNonBlocked(DefaultProcessorTask.java:549)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:789)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:328)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:369)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:219)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:93)
|#]

jfarcand
Joined: 2003-06-10

Does your application work normally outside GlassFish?

fdlcruz
Joined: 2004-08-23

Without the CLIENT-CERT, it works perfectly fine. I switched the realm name around and got this:

[#|2006-09-20T15:15:38.286-0400|WARNING|sun-appserver-pe9.1|javax.enterprise.system.container.web|_ThreadID=11;_ThreadName=httpSSLWorkerThread-50443-1;_RequestID=209da98f-1e68-493c-af61-5180a0b0cd57;|WEB0785: Exception getting SSL Cert
java.io.IOException: Unwrap error: BUFFER_OVERFLOW
at com.sun.enterprise.web.connector.grizzly.ssl.SSLUtils.reallocate(SSLUtils.java:258)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLUtils.doHandshake(SSLUtils.java:340)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doHandshake(SSLReadTask.java:247)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doPeerCertificateChain(SSLReadTask.java:285)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLProcessorTask.action(SSLProcessorTask.java:127)
at org.apache.coyote.Request.action(Request.java:378)
at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:1117)
at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:282)
at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:118)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1030)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:637)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:73)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:239)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:618)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.processNonBlocked(DefaultProcessorTask.java:549)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:789)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:328)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:369)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:219)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:93)
|#]