users@glassfish.java.net

GlassFish SSL ClientAuth and non-SUN security provider

From: <glassfish_at_javadesktop.org>
Date: Thu, 13 Sep 2007 16:58:08 PDT

Hi,

I just realized that a webapp configured for SSL client authentication stopped working once I deployed another webapp that registered the IAIK JCE provider.
The browser gets a "HTTP Status 401 - Cannot authenticate with the provided credentials". The server log says "Web login failed: iaik.asn1.structures.Name".
I assume this is because the server tries to obtain the certificate's subject or issuer name and does not use the java.security.Principal interface...

Clemens

Here are the (security and webcontainer FINEST) logs:

Security checking request GET /SSLDemo/
 Calling hasUserDataPermission()
[Web-Security][ hasUserDataPermission ] Principal: null ContextPath: /SSLDemo
[Web-Security] request.getRequest().isSecure(): true
[Web-Security] [ hasResourcePermission ] Principal: null ContextPath: /SSLDemo
[Web-Security] Policy Context ID was: SSLDemo/SSLDemo
[Web-Security] Codesource with Web URL: file:/SSLDemo/SSLDemo
[Web-Security] Checking Web Permission with Principals : null
[Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /index.jsp GET)
JACC Policy Provider: PolicyWrapper.implies, context (SSLDemo/SSLDemo)- result was(false) permission ((javax.security.jacc.WebResourcePermission /index.jsp GET))
[Web-Security] hasResource isGranted: false
[Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /index.jsp GET)
 Calling authenticate()
Error getting client certs
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doPeerCertificateChain(SSLReadTask.java:322)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLProcessorTask.action(SSLProcessorTask.java:111)
        at org.apache.coyote.Request.action(Request.java:396)
        at org.apache.coyote.tomcat5.CoyoteRequest.populateSSLAttributes(CoyoteRequest.java:3596)
        at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:1154)
        at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:300)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:128)
        at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1146)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:627)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:609)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
        at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Error getting client certs
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doPeerCertificateChain(SSLReadTask.java:322)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLProcessorTask.action(SSLProcessorTask.java:140)
        at org.apache.coyote.Request.action(Request.java:394)
        at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:1132)
        at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:300)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:131)
        at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1146)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:627)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:609)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:270)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
        at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:339)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Cert #0 = Version: 3
Serial number: 211775325782551
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: C=AT,L=XXX,O=XXX,OU=XXXXXX,CN=XXXXXXXXXXX
Valid not before: Mon Aug 27 12:34:27 CEST 2007
      not after: Thu Aug 27 12:34:27 CEST 2009
Subject: C=AT,L=XXX,O=XXX,OU=XXXXXX,CN=XXXXXXXXXXX
RSA public key (1024 bits):
public exponent: 10001
modulus: ca2d51f61bc23474978bf1abd84bd2c6a6fa6cf7b36c43e1f379e4766926465d67ca87b670871f3d2fb09532a2c92f97dc722943106fa45f5b48bb8b60a75254a4ab2cc7cd170105ddf9097e6b813d4086658d8f8b86af70d090c8a7f97e72535df79267824d42c8219da16ebe30606759688823a6b81796968b385f9d444c67
Certificate Fingerprint (MD5) : B4:BD:A1:09:AA:AD:9C:4C:40:9F:5F:78:B8:B1:4E:8B
Certificate Fingerprint (SHA-1): 4A:A7:B2:CF:15:1E:60:8A:4F:E0:27:92:E6:75:21:59:FF:B7:D6:75
Extensions: 6
Web login failed: iaik.asn1.structures.Name
 Failed authenticate() test
Got encoding: ISO-8859-1
realWrite(b, 0, 1171) org.apache.coyote.Response_at_498404
recycle()
recycle()
registerKey
[Message sent by forum member 'clemenso' (clemenso)]

http://forums.java.net/jive/thread.jspa?messageID=235341
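The diagnostic below is an added example, not code from the original post or from GlassFish. It lists the installed JCE providers in preference order, shows which one currently answers CertificateFactory.getInstance("X.509"), prints the runtime class of the Principal that getSubjectDN() returns for a given certificate (the class named in the "Web login failed" message is what a cast to a provider-specific class would see), and reads the subject DN through X500Principal, which is a JDK class regardless of which provider parsed the certificate. The certificate file path passed as argv[0] is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Principal;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/** Added diagnostic (not GlassFish code): provider order and provider-safe subject lookup. */
public class ProviderSafeSubject {

    /** Lists providers in preference order; the first provider offering an algorithm wins. */
    static void dumpProviders() throws Exception {
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.println((i + 1) + ": " + ps[i].getName() + " " + ps[i].getVersion());
        }
        // Which provider actually parses X.509 certificates in this JVM right now?
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        System.out.println("X.509 CertificateFactory from: " + cf.getProvider().getName());
    }

    /** Provider-dependent: the concrete class behind getSubjectDN() varies per provider. */
    static String principalClass(X509Certificate cert) {
        Principal p = cert.getSubjectDN();   // e.g. sun.security.x509.X500Name or an IAIK class
        return p.getClass().getName();
    }

    /** Provider-independent: X500Principal is a JDK type no matter who parsed the cert. */
    static String subjectRfc2253(X509Certificate cert) {
        X500Principal p = cert.getSubjectX500Principal();
        return p.getName(X500Principal.RFC2253);
    }

    public static void main(String[] args) throws Exception {
        dumpProviders();
        // Assumption: args[0] is a DER or PEM encoded client certificate on disk.
        InputStream in = new FileInputStream(args[0]);
        try {
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("Principal class : " + principalClass(cert));
            System.out.println("Subject (2253)  : " + subjectRfc2253(cert));
        } finally {
            in.close();
        }
    }
}
```

Running it with and without the second webapp deployed shows whether the provider list (and the X.509 CertificateFactory owner) changed when the IAIK provider was registered.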