Cloud Foundry Java Client Library throws CloudFoundryException: 403 Access token denied - swisscomdev

When an App (Java Buildpack) uses the CF Java Client Library to log in to CF and connect to another App, a CloudFoundryException: 403 Access token denied is thrown (see stacktrace below).
The same setup runs on Pivotal Web Services.
The App setup was also fine on the former Nova Swisscom App Cloud. Once the current Swisscom App Cloud went live, the App using the CF Java Client Lib on the Nova App Cloud stopped working with the same Exception.
Maybe that's related to the Swisscom App Cloud integration of the Passport login service, which is causing the OAuth token problems.
While still wanting to use the CF Java Lib within a Java App, is there a different way to log in to CF and connect to another App?
Stacktrace:
2015-10-23T19:26:03.41+0200 [App/0] OUT org.cloudfoundry.client.lib.CloudFoundryException: 403 Access token denied.
2015-10-23T19:26:03.41+0200 [App/0] OUT at org.cloudfoundry.client.lib.oauth2.OauthClient.createToken(OauthClient.java:114) ~[cloudfoundry-client-lib-1.1.3.jar!/:na]
2015-10-23T19:26:03.41+0200 [App/0] OUT at org.cloudfoundry.client.lib.oauth2.OauthClient.init(OauthClient.java:70) ~[cloudfoundry-client-lib-1.1.3.jar!/:na]
2015-10-23T19:26:03.41+0200 [App/0] OUT at org.cloudfoundry.client.lib.rest.CloudControllerClientImpl.initialize(CloudControllerClientImpl.java:187) ~[cloudfoundry-client-lib-1.1.3.jar!/:na]
2015-10-23T19:26:03.41+0200 [App/0] OUT at org.cloudfoundry.client.lib.rest.CloudControllerClientImpl.<init>(CloudControllerClientImpl.java:163) ~[cloudfoundry-client-lib-1.1.3.jar!/:na]
2015-10-23T19:26:03.41+0200 [App/0] OUT at org.cloudfoundry.client.lib.rest.CloudControllerClientImpl.<init>(CloudControllerClientImpl.java:172) ~[cloudfoundry-client-lib-1.1.3.jar!/:na]
2015-10-23T19:26:03.41+0200 [App/0] OUT at org.cloudfoundry.client.lib.rest.CloudControllerClientFactory.newCloudController(CloudControllerClientFactory.java:78) ~[cloudfoundry-client-lib-1.1.3.jar!/:na]
2015-10-23T19:26:03.41+0200 [App/0] OUT at org.cloudfoundry.client.lib.CloudFoundryClient.<init>(CloudFoundryClient.java:164) ~[cloudfoundry-client-lib-1.1.3.jar!/:na]

Swisscom dev here:
We fixed this issue with an update this morning; authentication with your Swisscom Passeport account should now be working from inside the Appcloud.

Related

Quarkus MicroProfile JWT auth via JWKS

I'm attempting to use a JWKS endpoint to supply a public key for verifying a JWT signature. In my application.properties, I've set the following:
mp.jwt.verify.publickey.location = http://localhost:1080/jwks
It appears that this is indeed being used:
2019-08-17 18:02:28,593 DEBUG [io.sma.jwt.con.JWTAuthContextInfoProvider] (executor-thread-1) init, mpJwtPublicKey=NONE, mpJwtIssuer=NONE, mpJwtLocation=http://localhost:1080/jwks
2019-08-17 18:02:28,599 DEBUG [io.sma.jwt.aut.AbstractBearerTokenExtractor] (executor-thread-1) tokenHeaderName = Authorization
2019-08-17 18:02:28,643 DEBUG [io.qua.sma.jwt.run.aut.JwtIdentityManager] (executor-thread-1) verify, id=null, credential=io.quarkus.smallrye.jwt.runtime.auth.JWTCredential#780ca7ed
2019-08-17 18:02:28,719 DEBUG [io.sma.jwt.aut.pri.KeyLocationResolver] (executor-thread-1) Trying location as JWK(S)...
When attempting a request to an endpoint in this app, it crashes with:
2019-08-17 18:02:29,048 WARN [io.sma.jwt.aut.pri.DefaultJWTTokenParser] (executor-thread-1) Token is invalid: JWT (claims->{"identityType":"user","authorities":[],"accountId":"0812081208","userId":"ybx8912jq59","iat":1566086374,"exp":1566089974}) rejected due to invalid claims. Additional details: [[17] Unexpected exception thrown from validator org.jose4j.jwt.consumer.IssValidator: java.lang.NullPointerException at org.jose4j.jwt.consumer.IssValidator.expectedValue(IssValidator.java:72); org.jose4j.jwt.consumer.IssValidator.validate(IssValidator.java:59); ...omitted...]
2019-08-17 18:02:29,050 DEBUG [io.qua.sma.jwt.run.aut.JwtIdentityManager] (executor-thread-1) failed, id=null, credential=io.quarkus.smallrye.jwt.runtime.auth.JWTCredential#780ca7ed: org.wildfly.security.auth.server.RealmUnavailableException: Failed to verify token
at io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator.validateClaimsSet(MpJwtValidator.java:44)
The best I can understand from this stack trace is that id=null might be a problem? I have nothing else to really go on here, as I can confirm that this JWT is valid: I'm the one who generated it, and it can be validated via other apps.
I do not have access to add other fields/values to this JWT as I don't own the auth system. Is there any way I can get around this?
The NPE from IssValidator suggests you are probably running into this: https://bitbucket.org/b_c/jose4j/issues/135/issvalidator-throws-nullpointerexception, which means your token needs an issuer (iss) claim, or the JWT consumer needs to not be set to require an iss claim, by not using any of the setExpectedIssuer[s] methods on the builder.
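As an added illustration of the answer above (example code written for this page, not from the Quarkus/SmallRye project or the original poster), here is the same situation expressed directly against jose4j, which is the library SmallRye JWT is calling in the stack trace: a token is minted without an iss claim, and it is accepted only by a JwtConsumer that never calls setExpectedIssuer. The HS256 secret, the issuer URL and the claim values are constructed for the demo, and the code assumes a jose4j release that contains the fix for issue 135, so a missing iss surfaces as an InvalidJwtException instead of a NullPointerException.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.HmacKey;

/**
 * Shows why a token without an "iss" claim is rejected by a consumer that has an
 * expected issuer configured, and accepted by one that does not require one.
 */
public class IssuerClaimDemo {

    // Constructed demo secret (assumption, not from the question); HS256 needs >= 32 bytes.
    private static final Key KEY =
        new HmacKey("demo-secret-demo-secret-demo-secret!".getBytes(StandardCharsets.UTF_8));

    /** Mints an HS256 token shaped like the one in the question; iss is added only if given. */
    static String mint(String issuerOrNull) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setClaim("identityType", "user");
        claims.setClaim("userId", "ybx8912jq59"); // value copied from the question's log line
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(60);
        if (issuerOrNull != null) {
            claims.setIssuer(issuerOrNull);
        }
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(KEY);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
        return jws.getCompactSerialization();
    }

    /** Builds a consumer; passing null skips setExpectedIssuer entirely. */
    static JwtConsumer consumer(String expectedIssuerOrNull) {
        JwtConsumerBuilder builder = new JwtConsumerBuilder()
            .setRequireExpirationTime()
            .setAllowedClockSkewInSeconds(30)
            .setVerificationKey(KEY)
            // Pin the algorithm so a forged header cannot switch to "none" or another scheme.
            .setJwsAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.HMAC_SHA256));
        if (expectedIssuerOrNull != null) {
            builder.setExpectedIssuer(expectedIssuerOrNull);
        }
        return builder.build();
    }

    /** True if the consumer accepts the token, false if it throws InvalidJwtException. */
    static boolean accepts(JwtConsumer consumer, String token) {
        try {
            JwtClaims claims = consumer.processToClaims(token);
            return claims.getClaimValue("userId") != null;
        } catch (InvalidJwtException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String issuer = "https://auth.example.test"; // hypothetical issuer
        String noIss = mint(null);
        String withIss = mint(issuer);

        // The question's situation: expected issuer configured, token carries no iss.
        System.out.println("expected issuer, no iss claim:     " + accepts(consumer(issuer), noIss));
        // Fix 1: the issuing system adds iss.
        System.out.println("expected issuer, matching iss:     " + accepts(consumer(issuer), withIss));
        // Fix 2: do not configure an expected issuer at all.
        System.out.println("no expected issuer, no iss claim:  " + accepts(consumer(null), noIss));
        // Signature, expiry and issuer mismatch are still enforced.
        System.out.println("expected issuer, different iss:    "
            + accepts(consumer("https://other.example.test"), withIss));
    }
}
```

Run it with jose4j (org.bitbucket.b_c:jose4j) on the classpath. The first and last lines report false: the token without iss is rejected with a message naming the missing Issuer claim, and a token whose iss differs from the expected value is rejected as well; the two middle lines report true. Dropping the expected issuer is the only option when you do not control the token's contents, as the asker does not, but be aware of what it gives up: without an iss check, any token whose signature verifies against a key the consumer trusts is accepted, so the trusted key set must then contain only keys of the one system that should be minting these tokens.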

How do I configure alternate SSL properties for connection to Spring Boot Admin?

Is there a way to configure the Eureka client to use a different keystore/truststore than the Spring Boot embedded Tomcat? Or is there a way to disable cert validation in the SBA server?
I have a situation where I have a cluster of Spring Boot based microservices across several VMs. All of the microservices, including backend management like SBA and the Eureka server, are secured using HTTPS and the typical Spring Boot SSL certificate configuration. For these services I am using a self-signed CA to generate certificates for each machine. One exception to this is the "gateway" service, which serves the API through to our web client. This service is configured with a certificate signed by a real CA, as it is the only publicly accessible service.
Getting to the point, my "gateway" service is unable to connect to the SBA server; I see a scroll of SSL-related errors complaining that the hostname of the client does not match any alt names in its certificate. This is because it is presenting its public cert to SBA, which does not match the internal host name that the request is originating from.
My services are using Netflix Eureka and service discovery.
EDIT: Adding stacktrace from SBA Server:
2019-02-06 21:34:30 [reactor-http-epoll-3] ERROR r.n.http.client.HttpClientConnect - [id: 0x5844260b, L:/172.17.0.5:40928 - R:myhost.mydomain.com/172.xxx.xxx.xxx:443] The connection observed an error
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:335)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1460)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365)
... 19 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myhost.mydomain.com found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 27 common frames omitted
EDIT: Upon further inspection, I had the sequence of this issue wrong. The SSL error is not occurring when the gateway tries to register with SBA; it actually registers fine. The SSL error is occurring when SBA tries to reach back to the actuator on the gateway.
So I guess the updated question is a bit more complicated: is there a way to configure the actuator with a different keystore/truststore? Furthermore, is there a way to open up the actuator in Zuul only for connections on the backend like SBA, and not for users on the public/client end?
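The thread carries no answer, so here is one configuration-based way to get both things the updated question asks for, added for this page and not taken from the Spring Boot Admin project or the poster's setup. Spring Boot 2 can serve the actuator on its own management port with its own keystore (the management.server.ssl.* properties only take effect when management.server.port differs from server.port) and bind that port to an internal address, so the public listener keeps the CA-signed certificate while SBA talks to a listener that presents the internal-CA certificate. The trust failure in the stack trace is then solved the right way round: the internal certificate is issued with a subject alternative name matching the host name SBA dials, instead of hostname verification being switched off. File names, passwords, addresses and host names below are placeholders.

```yaml
# Gateway service (assumed Spring Boot 2.x + Spring Cloud Netflix): the public
# listener keeps the real-CA certificate, the actuator moves to an internal listener.
server:
  port: 443
  ssl:
    key-store: classpath:gateway-public.p12        # placeholder: cert issued by the public CA
    key-store-password: ${PUBLIC_KEYSTORE_PASSWORD}
    key-store-type: PKCS12

management:
  server:
    port: 8443                                     # must differ from server.port for management.server.ssl to apply
    address: 172.17.0.5                            # placeholder: bind to the internal interface only
    ssl:
      enabled: true
      key-store: classpath:gateway-internal.p12    # placeholder: cert from the private CA, SAN = internal host name
      key-store-password: ${INTERNAL_KEYSTORE_PASSWORD}
      key-store-type: PKCS12
  endpoints:
    web:
      exposure:
        include: health,info,metrics               # expose only what SBA needs, nothing more

eureka:
  instance:
    hostname: gateway.internal.example             # placeholder; must be a SAN in gateway-internal.p12
    secure-port-enabled: true
    non-secure-port-enabled: false
    metadata-map:
      management.port: 8443                        # SBA's discovery converter reads this to locate the actuator
```

Two things still have to be true on the SBA side: the SBA server JVM must trust the private CA (add it to the truststore the JVM uses, for example through -Djavax.net.ssl.trustStore, rather than disabling validation), and SBA must register the actuator under the internal host name, which is what the eureka.instance.hostname and management.port metadata above give it. Because the management listener is bound to the internal address and is not a Zuul route, clients arriving on the public port never reach the actuator at all, which answers the second half of the question without any Zuul-level filtering.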

"Access is denied due to invalid credentials" REST API error. How to solve?

I followed the documentation here: and here: trying to integrate with a Personality Insights service via Android Java.
However, after the app runs, and using the correct username and password as mentioned in the guide... (the guide is not clear (2nd bullet point in "Before you begin") on which set of credentials to use. It says get the "service credentials" and the credentials from the new service created; I tried with both and both fail with the same error below.)
Error:
12-11 01:49:56.201 29584-29632/? I/CredentialUtils: JNDI string lookups is not available.
12-11 01:49:56.269 29584-29632/? D/NetworkSecurityConfig: No Network Security Config specified, using platform default
12-11 01:49:56.723 29584-29632/? D/OkHttp: --> POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 http/1.1 (1297-byte body)
12-11 01:49:56.803 29584-29632/? D/OkHttp: <-- 401 Not Authorized https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 (78ms, unknown-length body)
12-11 01:49:56.863 29584-29632/? E/WatsonService: POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13, status: 401, error: Not Authorized
12-11 01:49:56.865 29584-29632/? E/ERROR: Unauthorized: Access is denied due to invalid credentials
com.ibm.watson.developer_cloud.service.exception.UnauthorizedException: Unauthorized: Access is denied due to invalid credentials
at com.ibm.watson.developer_cloud.service.WatsonService.processServiceCall(WatsonService.java:492)
at com.ibm.watson.developer_cloud.service.WatsonService$2.execute(WatsonService.java:254)
at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:105)
at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:87)
at android.os.AsyncTask$2.call(AsyncTask.java:306)
at java.util.concurrent.FutureTask.run(FutureTask.java:237)
at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:244)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)
12-11 01:49:56.866 29584-29584/?
This is the code I am using; I am trying to pass a "text" input to the service.
import com.ibm.watson.developer_cloud.personality_insights.v3.PersonalityInsights;
import com.ibm.watson.developer_cloud.personality_insights.v3.model.Profile;
// v3 client; the version date selects the API behaviour
service = new PersonalityInsights("2017-10-13");
service.setUsernameAndPassword("{myUsername}", "{myPassword}");
// synchronous call; runs inside the AsyncTask shown in the stack trace
Profile profile = service.getProfile(text).execute();
System.out.println(profile);
return profile.toString();
I am using the com.ibm.watson.developer_cloud:personality-insights:3.8.0 dependency.
I tried connecting to the URL in the error (https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13) via a browser. It prompts for a username/password combo. I entered my details from my IBM Cloud Lite service but it throws HTTP Error 405. Is this how it's supposed to work in the browser?
For someone in the future:
Instead of service.setUsernameAndPassword(username, password); I tried service.setUsernameAndPassword("username", "password"); and it worked.

SRVE0295E error on integrating Bluemix application with SSO service using cloud directory

I am facing an issue with SSO integration (Cloud Directory) with a Liberty for Java application.
I have a Liberty application which is integrated with the SSO service using Cloud Directory. I have followed the steps mentioned here
When I access the homepage of the application, I am getting the "Error 500: SRVE0295E: Error reported: 500" error message. The logs aren't providing any useful information.
The steps that I followed are listed below
Created a simple Liberty for Java webapp named SSODemo and deployed it on Bluemix. I could access the home page of the application
Created the SSO service. Created a Cloud Directory, added a couple of users and saved
Added the following to the web.xml file of SSODemo
<security-constraint>
<display-name>SSODemoSecurity</display-name>
<web-resource-collection>
<web-resource-name>Secured</web-resource-name>
<url-pattern>/</url-pattern>
<url-pattern>/</url-pattern>
<url-pattern>/</url-pattern>
<url-pattern>/SSODemo/</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>TESTROLE</role-name>
</auth-constraint>
</security-constraint>
Copied the ssodemo.war file to the folder c:\deploy2bluemix\apps
Created a server.xml file in c:\deploy2bluemix and added the role. server.xml looks as below
<featureManager>
<feature>jsp-2.2</feature>
<feature>localConnector-1.0</feature>
</featureManager>
<httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
<applicationMonitor updateTrigger="mbean"/>
<application type="war" id="SSODemo" name="SSODemo" location="SSODemo.war" context-root="/">
<application-bnd>
<security-role name="TESTROLE">
<special-subject type="ALL_AUTHENTICATED_USERS"/>
</security-role>
</application-bnd>
</application>
Pushed the SSODemo app from c:\deploy2bluemix
Bound the SSO service created with the SSODemo app
Restaged the SSODemo app
Saved the default details populated on the Integrate tab of the SSO service
Now, when I launch the SSODemo app, it asks for a user id and password. On providing a valid user id and password it throws the "Error 500: SRVE0295E: Error reported: 500" error message
Following is the log entry when the above error message is thrown
bmssodemo-mc.mybluemix.net - [10/02/2016:03:36:26 +0000] "GET /oidcclient/redirect/GIC5KC6sbK?scope=openid&code=lS9jAkiKSPmC8VNJw0NFULgqMkXEpP&state=f0hvnV7R4iSsUDwU5hzr HTTP/1.1" 500 0 42 "https://ssoq3-gikup9q8qk-cp16.iam.ibmcloud.com/idaas/mtfim/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:basicldapuser" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" 192.155.237.118:32103 x_forwarded_for:"125.16.236.150" x_forwarded_proto:"https" vcap_request_id:4844e729-a9d6-4efb-579a-a5c6449db8ff response_time:0.227078783 app_id:7b8c1d84-2cb0-420a-8735-198ee50dcf62 x_global_transaction_id:"40112183"
Any guidance here to resolve the issue will be very helpful. Thank you.
Actually, the Bluemix status page is reporting a notification opened on Feb 5th about an issue of the SSO service with the Liberty runtime.
Check on
https://developer.ibm.com/bluemix/support/#status
The Liberty for Java runtime provided an urgent update for this issue today. I don't think you need the workaround now. Please give it a try.

Connecting to a publicly exposed SOAP service through WSO2 ESB and API Manager in WSO2

I'm working on a scenario, 'connecting to a backend service with simple SOAP binding', that needs to be exposed as RESTful using WSO2 ESB and API Manager.
API Manager is essential in my scenario, so I can't ignore it.
I have configured both but am facing some issues with authentication.
Below is the error log describing the problem.
[2015-10-06 18:10:59,721] ERROR - APIUtil Unauthorized client domain :null. Only "[]" domains are authorized to access the API.
[2015-10-06 18:10:59,727] ERROR - AbstractKeyValidationHandler Error while validating client domain
org.wso2.carbon.apimgt.api.APIManagementException: Unauthorized client domain :null. Only "[]" domains are authorized to access the API.
at org.wso2.carbon.apimgt.impl.utils.APIUtil.checkClientDomainAuthorized(APIUtil.java:3916)
at org.wso2.carbon.apimgt.keymgt.handlers.AbstractKeyValidationHandler.checkClientDomainAuthorized(AbstractKeyValidationHandler.java:92)
at org.wso2.carbon.apimgt.keymgt.handlers.AbstractKeyValidationHandler.validateSubscription(AbstractKeyValidationHandler.java:73)
at org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService.validateKey(APIKeyValidationService.java:157)
at org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl.validateKey(APIKeyValidationServiceImpl.java:131)
at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$Processor$validateKey.getResult(APIKeyValidationService.java:278)
at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$Processor$validateKey.getResult(APIKeyValidationService.java:266)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:32)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:34)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:176)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[2015-10-06 18:10:59,749] ERROR - APIUtil Unauthorized client domain :null. Only "[]" domains are authorized to access the API.
[2015-10-06 18:10:59,750] WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
Please suggest where I am going wrong.
Note that I am using a simple publicly available SOAP service for the scenario.
This may be happening because your token has expired. So set the value below in identity.xml:
AccessTokenDefaultValidityPeriod to -1
and restart the server.
For more information read
https://docs.wso2.com/display/AM190/Token+API#TokenAPI-Configuringthetokenexpirationtime