Hmm, not sure I understand the difference :)
The same code doesn't work with regular SSLReadFilter?
I mean this one:
> sslEngine = ((WorkerThread)
> Thread.currentThread()).getSSLEngine();
> session = sslEngine.getSession();
>
> say("certificates " + session.getLocalCertificates());
> say("certificates 0 " + session.getLocalCertificates()[0]);
> say("principal " + session.getLocalPrincipal());
>
> X509Certificate[] cert = (X509Certificate[])
> session.getLocalCertificates();
>
> Principal subject = cert[0].getSubjectDN();
>
> say("cert[0].getSubjectDN() " + subject);
?
Thanks.
WBR,
Alexey.
On Aug 20, 2009, at 17:28 , Alaska wrote:
>
> Hello Alexey,
>
> here is my SSLFilter.
> I used the code from the link and modified it for my issue:
> http://osdir.com/ml/java.grizzly.user/2008-07/msg00211.html
>
> best regards,
> alaska
> +++++++++++++++++++++++++++=
>
>
> package GrizzlySSL;
>
>
> import java.security.Principal;
> import com.sun.grizzly.Context;
> import com.sun.grizzly.SSLSelectorHandler;
> import com.sun.grizzly.filter.SSLReadFilter;
> import com.sun.grizzly.util.WorkerThread;
> //import org.apache.log4j.Logger;
>
> import javax.net.ssl.SSLEngine;
> import javax.net.ssl.SSLSession;
> import java.io.IOException;
> import java.nio.channels.SelectionKey;
> import java.nio.channels.SocketChannel;
> import java.security.cert.X509Certificate;
> import java.util.logging.Logger;
>
> public class SSLFilter extends SSLReadFilter {
>
> public static Logger logger =
> Logger.getLogger(SSLFilter.class.getName());
>
> public SSLFilter() {
> super();
>
> }
>
> public boolean execute(Context context) throws IOException {
> WorkerThread workerThread = (WorkerThread)
> Thread.currentThread();
> SelectionKey selectionKey = context.getSelectionKey();
> SSLEngine sslEngine = workerThread.getSSLEngine();
> SSLSession session;
>
>
> super.execute(context);
> sslEngine = workerThread.getSSLEngine();
> session = sslEngine.getSession();
>
> Object obj =
> session.getValue(ClientConnectionHandler.class.getName());
> ClientConnectionHandler handler;
> if (obj == null || !(obj instanceof ClientConnectionHandler)) {
>
> SSLSelectorHandler selectorHandler = (SSLSelectorHandler)
> context.getSelectorHandler();
> handler = new ClientConnectionHandler(selectorHandler,
> selectionKey, (SocketChannel) selectionKey.channel(), sslEngine);
> session.putValue(ClientConnectionHandler.class.getName(),
> handler);
>
> } else {
> handler = (ClientConnectionHandler) obj;
> }
>
> sslEngine = ((WorkerThread)
> Thread.currentThread()).getSSLEngine();
> session = sslEngine.getSession();
>
> say("certificates " + session.getLocalCertificates());
> say("certificates 0 " + session.getLocalCertificates()[0]);
> say("principal " + session.getLocalPrincipal());
>
> X509Certificate[] cert = (X509Certificate[])
> session.getLocalCertificates();
>
> Principal subject = cert[0].getSubjectDN();
>
> say("cert[0].getSubjectDN() " + subject);
>
> return true;
>
> }
>
> private void say(String string) {
> // logger.info(string);
> System.out.println("SSLFilter "+string);
> }
> }
> ++++++++++++++++++++++++++++++++++++++++++++++
>
>
>
>
> Oleksiy Stashok wrote:
>>
>> Hi Alaska,
>>
>> you must share how you did that :))))
>> What is the diff with regular SSLReadFilter?
>>
>> Thanks.
>>
>> WBR,
>> Alexey.
>>
>> On Aug 20, 2009, at 16:45 , Alaska wrote:
>>
>>>
>>> Hello Alexey,
>>>
>>> it seems to work now!
>>> I made an own SSLFilter (extends SSLReadFilter) from where I can get
>>> the
>>> SSLEngine + Principals.
>>> Thank you very much for your support!
>>>
>>> best regards,
>>> alaska
>>>
>>>
>>>
>>>
>>> Alaska wrote:
>>>>
>>>> Hello Alexey,
>>>>
>>>> I've just checked it up, the flag is set...
>>>> however the error occurs...
>>>>
>>>> thank you,
>>>> alaska
>>>>
>>>>
>>>>
>>>>
>>>> Oleksiy Stashok wrote:
>>>>>
>>>>> Hi Alaska,
>>>>>
>>>>> I'm not big security expert :)
>>>>> Just guess, you need to set flag, that you require client
>>>>> authentication.
>>>>> sslReadFilter.setNeedClientAuth(true);
>>>>>
>>>>> WBR,
>>>>> Alexey.
>>>>>
>>>>>
>>>>> On Aug 20, 2009, at 13:00 , Alaska wrote:
>>>>>
>>>>>>
>>>>>> Hello Alexey,
>>>>>>
>>>>>> How can I get the principal from the client certificate?
>>>>>> i tried something like:
>>>>>>
>>>>>> SSLEngine engine = ((WorkerThread)
>>>>>> Thread.currentThread()).getSSLEngine();
>>>>>>
>>>>>> SSLSession session = engine.getSession();
>>>>>>
>>>>>> session.getPeerPrincipal();
>>>>>>
>>>>>> and I get the error:
>>>>>>
>>>>>>
>>>>>> run:
>>>>>> truststore file has been set
>>>>>> keystoreUrl file has been set
>>>>>> Aug 20, 2009 12:56:39 PM com.sun.grizzly.Controller start
>>>>>> INFO: Starting Grizzly Framework 1.9.18-M1 - Thu Aug 20 12:56:39
>>>>>> CEST 2009
>>>>>> startBuffer
>>>>>> startBuffer
>>>>>> request GET / HTTP/1.1
>>>>>> Host: localhost:1080
>>>>>>
>>>>>> Aug 20, 2009 12:56:45 PM com.sun.grizzly.DefaultProtocolChain
>>>>>> executeProtocolFilter
>>>>>> SEVERE: ProtocolChain exception
>>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>> postExecute RequestControllerFilter
>>>>>> at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerPrincipal(SSLSessionImpl.java:471)
>>>>>>
>>>>>> Thank you!
>>>>>> best regards,
>>>>>> alaska
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://www.nabble.com/SSL-Layer-and-Principals-tp25059961p25059961.html
>>>>>> Sent from the Grizzly - Users mailing list archive at Nabble.com.
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>>>>>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
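
Added example, not part of the thread or of Grizzly's code: in `javax.net.ssl`, the `getLocal*` methods on `SSLSession` describe the certificate this endpoint sent (on a server, the server's own certificate), while the `getPeer*` methods describe the remote side and throw `SSLPeerUnverifiedException` when no verified peer identity exists. The class name `PeerIdentity` and its helper methods are hypothetical; the `main` method uses a fresh, un-handshaken server-mode engine from the JVM default context, so it runs offline and exercises the same exception seen in the log above.

```java
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class PeerIdentity {

    /** Subject of the certificate the remote side presented, or null if there is none. */
    static Principal peerSubject(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates(); // peer chain, leaf first
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                return ((X509Certificate) chain[0]).getSubjectX500Principal();
            }
            return null;
        } catch (SSLPeerUnverifiedException e) {
            // Handshake not finished, or the client sent no certificate.
            // A filter that requires client identity should reject the connection here.
            return null;
        }
    }

    /** Subject of this endpoint's own certificate, or null if none was sent. */
    static Principal localSubject(SSLSession session) {
        Certificate[] chain = session.getLocalCertificates(); // null when none was sent
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return null;
        }
        return ((X509Certificate) chain[0]).getSubjectX500Principal();
    }

    public static void main(String[] args) throws Exception {
        // Constructed setup: default JVM SSLContext, server mode, client auth required.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);

        // No handshake has run, so both identities are absent at this point.
        SSLSession session = engine.getSession();
        System.out.println("peer  = " + peerSubject(session));
        System.out.println("local = " + localSubject(session));
    }
}
```

In a server-side filter, an authorization decision based on the client certificate should use the value from `peerSubject` and treat `null` as unauthenticated.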