Java Applet Constantly Asks for Authentication - applet
With have a ADF application on Weblogic 10 that has occasional access to a Java applet. The Java applet is loaded whenever it's needed and not loaded whenever it isn't. The applet is currently in the public_html/applet folder.
When we set the SSL configuration to requiring a client certificate, when the Java applet loads, it'll constantly ask for a client certificate:
Request Authentication
Identification required. Please select certificate to be used for authentication.
This is annoying to users and the Java Applet doesn't need authentication. Is there any way we can disable the authentication or remove the prompt?
Here's the embedded applet code:
Edit: Things I've already tried:
1) Setting the Applet up on HTTP instead of HTTPS; I get a warning about mixed content and still get the authentication pop-up.
2) Created a minimal applet that only types out "HELLO WORLD" in the console, still get the authentication pop-up
Here's the console window:
Java Plug-in 1.6.0_35
Using JRE version 1.6.0_35-b10 Java HotSpot(TM) Client VM
User home directory = C:\Users\mfan
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener#1df073d
basic: Plugin2ClassLoader.addURL parent called for https://192.168.130.99/app/applet/HelloWorld.jar
network: Cache entry not found [url: https://192.168.130.99/app/applet/HelloWorld.jar, version: null]
network: Connecting https://192.168.130.99/app/applet/HelloWorld.jar with proxy=DIRECT
network: Connecting http://192.168.130.99:443/ with proxy=DIRECT
security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loaded SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loaded Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading certificates from Internet Explorer ROOT certificate store
security: Loaded certificates from Internet Explorer ROOT certificate store
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment session certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
security: KeyUsage does not allow digital signatures
(and here's where the prompt comes up).
You said that your applet not requires client authentication so you can put your applet jars on http location. Then you have to specify the codebase parameter to this http location. For example if you put your jar as a resource on http://public.test/somewhere/myApplet.jar you can specify:
codebase = http://public.test/somewhere/
archive = myApplet.jar
However I think that this is probably a configuration issue, you can configure your web server to request a client certificate authentication optionally an not required on applet location.
Hope this helps,
EDIT:
You can put your webLogic behind a proxy (like apache http server), an configure proxy to require the client certificate only in a specific location. A configuration sample for apache http server case looks like:
##
## SSL Virtual Host Context
##
<VirtualHost myHost:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
SSLVerifyClient none
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
JkMount /myWeb loadBalancer
JkMount /myWeb/* loadBalancer
<Location /myWeb/login/certificateLoginLocation>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile conf/trustedCA.cer
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule .* http://myHost/myWeb/accesForbbiden.htm
</Location>
</VirtualHost>
well, i not sure about weblogic, i am using jboss and i know that there is no way to do this.
so what we did is install an apache in front, served as reverse proxy
and the configuration look
Listen vgw_mgmt:443
<VirtualHost vgw_mgmt:443>
DocumentRoot /srv/www/
SSLEngine on
SSLCipherSuite HIGH
SSLProtocol all -SSLv2
SSLOptions +ExportCertData +StdEnvVars
SSLCertificateFile /etc/httpd/ssl/server-mgmt.pem
SSLCertificateKeyFile /etc/httpd/ssl/server-mgmt.key
SSLVerifyDepth 3
SSLCACertificateFile /etc/httpd/ssl/trustedca-mgmt.pem
SSLVerifyClient none
ProxyPass /webmgr/ ajp://webapps:8009/webmgr/
<Location /webmgr/>
SSLVerifyClient optional
</Location>
<Location /webmgr/javascript/>
SSLVerifyClient none
</Location>
</VirtualHost>
so, whenever user hit https : // pro xy /webmgr/, client authentication is prompt (the reason we use "optional" instead of "required", is because we want to display nice error page tell customer you need to provide cert to login)
and, my applet stored inside /webmgr/javascript/applet.jar
so when applet load
<applet archive="applet.jar" codebase="/webmgr/javascript/" name="jsapplet" id="jsapplet" code="myapps.mylittleprogram" height="1" width="1"></applet>
it will skipped the client authentication.
Since our application is on http and https, I just set the archive to http:// and it works fine now.
Related
minio+KMS x509: certificate signed by unknown authority
I am trying to use minio as a local S3 server. I am following this article I downloaded key and cert files. I added the env parameters: set MINIO_KMS_KES_ENDPOINT=https://play.min.io:7373 set MINIO_KMS_KES_KEY_FILE=D:\KMS\root.key set MINIO_KMS_KES_CERT_FILE=D:\KMS\root.cert set MINIO_KMS_KES_KEY_NAME=my-minio-key I started minio server: D:\>minio.exe server D:\Photos It logs after sturt up: Endpoint: http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000 AccessKey: minioadmin SecretKey: minioadmin Browser Access: http://169.254.182.253:9000 http://169.254.47.198:9000 http://172.17.39.193:9000 http://192.168.0.191:9000 http://169.254.103.105:9000 http://169.254.209.102:9000 http://169.254.136.71:9000 http://127.0.0.1:9000 Command-line Access: https://docs.min.io/docs/minio-client-quickstart-guide $ mc.exe alias set myminio http://169.254.182.253:9000 minioadmin minioadmin Object API (Amazon S3 compatible): Go: https://docs.min.io/docs/golang-client-quickstart-guide Java: https://docs.min.io/docs/java-client-quickstart-guide Python: https://docs.min.io/docs/python-client-quickstart-guide JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide .NET: https://docs.min.io/docs/dotnet-client-quickstart-guide Detected default credentials 'minioadmin:minioadmin', please change the credentials immediately using 'MINIO_ACCESS_KEY' and 'MINIO_SECRET_KEY' I opened UI in browser: http://localhost:9000/minio/mybacket/ I tried to upload a jpg file and got an exception: <?xml version="1.0" encoding="UTF-8"?> <Error><Code>InternalError</Code><Message>We encountered an internal error, please try again.</Message><Key>Completed.jpg</Key><BucketName>mybacket</BucketName><Resource>/minio/upload/mybacket/Completed.jpg</Resource><RequestId>1634A6E5663C9D70</RequestId><HostId>4a46a947-6473-4d53-bbb3-a4f908d444ce</HostId></Error> And I got this exception in minio console: Error: Post "https://play.min.io:7373/v1/key/generate/my-minio-key": x509: certificate signed by unknown authority 3: cmd\api-errors.go:1961:cmd.toAPIErrorCode() 2: cmd\api-errors.go:1986:cmd.toAPIError() 1: cmd\web-handlers.go:1116:cmd.(*webAPIHandlers).Upload()
Most probably your OS trust store (containing the Root CA certificates) does not trust Let's Encrypt (the Let's Encrypt Authority X3 CA certificate). The server https://play.min.io:7373 serves a TLS certificates issued by Let's Encrypt. See: openssl s_client -showcerts -servername play.min.io -connect play.min.io:7373 Eventually, check your the root CA store of your windows machine. See: https://security.stackexchange.com/questions/48437/how-can-you-check-the-installed-certificate-authority-in-windows-7-8
mod_cluster widfly 9 and client certificate 2 way SSL
I have one problem when i am configuring 2 way SSL (client certificate) with mod_cluster on wildfly 9.0.2 -Direct connection on wildfly on port 8443 (like https://wildflyserver:8443/context) is working, -AJP connector connection between apache and wildfly and mod_cluster is not working -There is no HTTPS connector ? <mod-cluster-config advertise-socket="modcluster" proxies="mc-proxy1" advertise="false" connector="http-default"> <dynamic-load-provider> <load-metric type="cpu"/> </dynamic-load-provider> <ssl key-alias="aofweb" password="XXXXXX" certificate-key-file="${jboss.domain.config.dir}/keystoreWeb.jks" cipher-suite="ALL" protocol="TLSv1" ca-certificate-file="${jboss.domain.config.dir}/keystoreWeb.jks"/> </mod-cluster-config> -When i am using http redirect to https with web.xml configuration and redirect-socket binding the URL changes from https://apacheserver/context to https://wildflyserver:8443/context, if i had a directive preserveProxyhost it does'nt work too, anybody have a solution ?
i manage to do it , i configure "ajp" connection , in listener scheme https, in case of in httpd listener certificate-forwarding=true and redirection on https, in web.xml auth-method to CLIENT-CERT and transport-guarantee to CONFIDENTIAL, and then the most important in apache, client verification mandatory and forward cert data : SSLHonorCipherOrder on SSLVerifyClient require SSLVerifyDepth 10 #THE CA USED TO GENERATE CLIENT CERTIFICATE SSLCACertificateFile /etc/httpd/certs/cacert.pem SSLOptions +ExportCertData SSLOptions +StdEnvVars Require all granted tell me if you have problem : widlfy 9.0 apache 2.4 mod_proxy_ajp mod_ssl mod_proxy modcluster 1.3.1
why is keycloak removing the SSL in the redirect uri?
We have a simple requirement where: PS: https:/ === https:// When user hits https:/company_landing.company.com , they should be redirected to keycloak login page (at https:/ourcompany-keycloak.company.com). User enters his/her keycloak login credentials. Upon successful login to keycloak , they will be presented to the company_landing page. The trouble is : When User types - https:/company_landing.company.com Keycloak tries to bring up the landing page but gives 500 Internal server error and says "Incorrect redirect uri" and in the browser I see this: https:/ourcompany-keycloak.company.com/auth/realms/realm1/tokens/login?client_id=company_dev&state=aaaafffff-559d-4312-a8be-123412341234&redirect_uri=http%3A%2F%2Fcompany_landing.company.com%3A8081%2F%3Fauth_callback%3D1 If you observe the redirect uri above, I think the problem is that instead of https the redirect uri starts with http and http:/company-landing.company.com doesn't exist. Settings: keycloak settings: - Realm --> settings --> login : Require SSL = all Requests (tried with "external" also) Applications-->realm1-->settings-->Redirect URI = https://company_landing.company.com/* AWS load balancer: Port config: 443(https) forwarding to 8443 I am confused as to why it is stripping the SSL? The above works fine when testing on local environment(probably because its http://localhost) but this always gives an invalid redirect url when trying to access any link that is ssl encrypted. -mm
You have to add the following property in the proxy configuration json file, (by default proxy.json) as an application attribute (same level as "adapter-config"): "proxy-address-forwarding" : true, This configuration attribute is not documented, however present in the sources of the proxy configuration: https://github.com/keycloak/keycloak/blob/master/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyConfig.java
You don't need a certificate to be installed or use changes in adapter config. This needs to be done in your standalone.xml, standalone-ha or domain.xml (as the case may be) as documented in the Keycloak document reverse proxy section https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy Assuming that your reverse proxy doesn’t use port 8443 for SSL you also need to configure what port HTTPS traffic is redirected to. <subsystem xmlns="urn:jboss:domain:undertow:4.0"> ... <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/> ... </subsystem> Add the redirect-socket attribute to the http-listener element. The value should be proxy-https which points to a socket binding you also need to define. Then add a new socket-binding element to the socket-binding-group element: <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> ... <socket-binding name="proxy-https" port="443"/> ... </socket-binding-group>
Applet both signed and unsigned code warning
My applet is contained in an .asp page. When this .asp page and the applet hosted in a web site it shows the below warning message. when the same files hosted in a different web site it does not give the warning message. -Both web sites browsable with https. -I used ie9 and JRE 7u21 for the test. -Applet is signed. -In my jar files manifest Trusted-Only Attribute or Trusted-Library Attribute does not exists -java console of the one which shows securitiy warning, i see the below logs. Ignored exception: java.lang.ClassFormatError: Incompatible magic value 1013478509 in class file MyApplet security: blacklist: hasBeenModifiedSince 1369745951181 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369641350695 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369753585995 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369742598198 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369746010658 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369406495590 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369817989422 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369749180050 (we have 1366987061414) security: blacklist: hasBeenModifiedSince 1369817157815 (we have 1366987061414) What might be the cause of this different behaviour? I know my question is too general but i need at least to have an idea for where to look.
Check for ECMAScript/JavaScript to Java calls from your website: this dialog is not only shown if the applet itself contains one or more unsigned files, but also if you try to use a technique called LiveConnect long time ago. While it is still okay to call ECMAScript/JavaScript from within Java it is not allowed to do it reverse.
Spring Security X.509 Preauth
I'm using Spring Security 2.x's Preauthentication with X.509 certificates. I get the certificateText via HttpServletRequest.getAttribute("CERTIFICATE"). Sometimes, the above call returns "" (empty). I believe it occurs when the HTTP session has expired. What would explain why HttpServletRequest.getAttribute("CERT") returns empty? EDIT In Kerberos, for example, the ticket is available in every HTTP request. Is the cert not always in X.509 HTTP requests?
Please access to certificate using this code: X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); Certificate is always populated to request after successful client certificate authentication. Ensure your support long certificate chain: Add the max_packet_size propery to the worker.properties file worker.ajp13w.max_packet_size=65536 Add the packetSize propery to the configuration of Ajp connector in the Tomcat configuration \conf\server.xml <Connector port="8089" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" packetSize="65536"/> Apache logs: http://httpd.apache.org/docs/2.2/logs.html#accesslog http://httpd.apache.org/docs/2.2/logs.html#errorlog http://httpd.apache.org/docs/2.2/mod/core.html#loglevel