CXF client in applet causes many repeated jar loads - applet

I have a web app with an applet that talks to the CXF WS server.
When I init the connection to the CXF WS, there are so many dirty messages (about 1000 lines, and it costs about 2 minutes to init) such as:
network: Connecting \http://localhost:8080/WebUI/DYVCenterVNCClient.jar with proxy=DIRECT
network: Connecting \http://localhost:8080/WebUI/DYVCenterVNCClient.jar and cookie "JSESSIONID=F7DF490E4E7137857494B453667A079E"
network: Connecting \http://localhost:8080/WebUI/DYVCenterVNCClient.jar with proxy=DIRECT
network: Connecting \http://localhost:8080/WebUI/DYVCenterVNCClient.jar and cookie "JSESSIONID=F7DF490E4E7137857494B453667A079E"
The HTML applet config is:
<object type="application/x-java-applet"
name="TestApplet" width="446" height="291">
<param name="codebase" value="." />
<param name="code" value="com.vnc.CompatibilityApplet" />
<param name="archive" value="DYVCenterVNCClient.jar" />
<PARAM NAME="cache_archive" VALUE="DYVCenterVNCClient.jar">
<PARAM NAME="cache_version" VALUE="0.0.0.1">
<PARAM name="codebase_lookup" value="false">
<param name="scriptable" value="true" />
<param name="mayscript" value="true" />
<param name="background-color" value="#ffffff" />
<param name="border-color" value="#8c8cad" />
</object>
And I found those messages being printed out when calling the CXF class ClientProxyFactoryBean's method create().
So how can I solve this problem? I also googled and found a similar problem at this link:
http://cxf.547215.n5.nabble.com/CXF-based-applet-initialization-worries-td550944.html
but there are no answers.
Thanks everyone.

Well, at last I found this URL:
Applet downloading server copy of jars already cached, which tells us that the URLConnection's defaultUseCaches has been updated to false.
So even if the plugin itself is set to "use cache", the URLConnection will not use the cache.
I searched for the method setDefaultUseCaches(false) in the CXF source, and at last I found that JDKBugHacks's method doHacks() sets defaultUseCaches to false. And it seems that the JDK's bug is what confused me.
Finally I solved my problem by changing defaultUseCaches after creating the new ClientProxyFactoryBean:
import java.net.URL;
import java.net.URLConnection;

try {
    // Any valid URL is fine here: openConnection() does not connect, it only
    // gives us an instance on which to flip the JVM-wide default back to true.
    URL url = new URL("http://localhost/");
    URLConnection urlConnection = url.openConnection();
    urlConnection.setDefaultUseCaches(true);
} catch (Exception e) {
    // ignore
}
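The snippet above works because defaultUseCaches is a single JVM-wide flag that every new URLConnection inherits, so whichever library sets it last wins. The following stand-alone program is an added example (not code from the question, the answer, or CXF) that reads the flag, flips it the way the answer says JDKBugHacks.doHacks() does, and restores it while reporting the previous value, so you can log which side of a ClientProxyFactoryBean creation changed it. The helper names and the http://localhost/ URL are assumptions of this example; the URL is never contacted.

```java
import java.net.URL;
import java.net.URLConnection;

public class UrlCacheDefaultCheck {

    // Hypothetical helper (not part of CXF or the page): openConnection() on an
    // http URL does not touch the network, so this is a cheap way to read the
    // JVM-wide defaultUseCaches flag that every new URLConnection inherits.
    static boolean readDefaultUseCaches() throws Exception {
        URLConnection c = new URL("http://localhost/").openConnection();
        return c.getDefaultUseCaches();
    }

    // Sets the default back to true and returns the value it had before, so
    // the caller can log whether some library had flipped it in the meantime.
    static boolean restoreDefaultUseCaches() throws Exception {
        URLConnection c = new URL("http://localhost/").openConnection();
        boolean before = c.getDefaultUseCaches();
        c.setDefaultUseCaches(true);
        return before;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("defaultUseCaches at startup: " + readDefaultUseCaches());

        // Stand-in for what the answer says CXF's JDKBugHacks.doHacks() does;
        // in the real applet this is where ClientProxyFactoryBean would be created.
        new URL("http://localhost/").openConnection().setDefaultUseCaches(false);
        System.out.println("after the flag is flipped:   " + readDefaultUseCaches());

        boolean wasEnabled = restoreDefaultUseCaches();
        System.out.println("restored (was " + wasEnabled + "): " + readDefaultUseCaches());
    }
}
```

Run it with `java UrlCacheDefaultCheck`. Because the flag is global, restore it once right after the factory is created rather than around every call; on JDK 9 and later the static URLConnection.setDefaultUseCaches(String protocol, boolean) variant lets you re-enable caching for just the "http" and "https" protocols the applet loader uses.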

Related

How do I hook into IDP initiated single logout to run custom code?

I'm using the sustainsys.saml2 HttpModule. I would like to run some code to log the logout from an IDP-initiated single logout. The user also does not seem to be logged out (IsAuthenticated is still true) after an IDP-initiated single logout, even though https://stubidp.sustainsys.com/Logout gives me a success result.
I can't seem to find anyone else needing the same functionality or having the same issues. My Sustainsys config is below.
<sustainsys.saml2 entityId="http://localhost:53758/Saml2"
returnUrl="http://localhost:53758/Common/Pages/Saml2Login.aspx"
authenticateRequestSigningBehavior="IfIdpWantAuthnRequestsSigned"
validateCertificates="false"
publicOrigin ="http://localhost:53758/">
<nameIdPolicy allowCreate="false" format="Unspecified"/>
<metadata cacheDuration="PT1440M" wantAssertionsSigned="true">
<organization name="ab" displayName="ab" url="https://www.example.com/" language="en" />
<contactPerson type="Technical" email="a#b.com" />
<requestedAttributes>
<add friendlyName ="Some Name" name="urn:someName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
</requestedAttributes>
</metadata>
<identityProviders>
<add entityId="https://stubidp.sustainsys.com/Metadata"
signOnUrl="https://stubidp.sustainsys.com"
logoutUrl="https://stubidp.sustainsys.com/Logout"
allowUnsolicitedAuthnResponse="true"
binding="HttpRedirect"
wantAuthnRequestsSigned="true">
<signingCertificate storeName="CertificateAuthority" storeLocation="CurrentUser"
findValue="cdf7090a433561a843b51198b0ba6456" x509FindType="FindBySerialNumber" />
</add>
</identityProviders>
<serviceCertificates>
<add storeName="CertificateAuthority" storeLocation="CurrentUser" findValue="2cfe21cb930c19a341e9e30a07a3c123" x509FindType="FindBySerialNumber" />
</serviceCertificates>
</sustainsys.saml2>
You can use the LogoutCommandResultCreated notification. It will get called both when the redirect to the Idp is about to happen and after the response has been received from the Idp.

NWebsec's "A potentially dangerous redirect was detected" with Facebook logon

I have read through NWebsec's documentation to try to resolve the problem.
I set the web.config to:
<nwebsec>
<httpHeaderSecurityModule
xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd"
xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<redirectValidation enabled="false">
<allowSameHostRedirectsToHttps enabled="false"/>
<add allowedDestination="https://www.facebook.com/"/>
<add allowedDestination="http://www.nwebsec.com/"/>
<add allowedDestination="https://www.google.com/accounts/"/>
</redirectValidation>
<securityHttpHeaders>
<strict-Transport-Security max-age="365" includeSubdomains="true" httpsOnly="false" preload="true" />
</securityHttpHeaders>
</httpHeaderSecurityModule>
but I am still getting:
A potentially dangerous redirect was detected. Add the destination to the whitelist in configuration if the redirect was intended. Offending redirect: https://www.facebook.com/dialog/oauth?response_type=code&
This came up in Google before the answer, which is here: https://docs.nwebsec.com/en/latest/nwebsec/Redirect-validation.html
In summary, you have to whitelist the URL which your login service refers to, like this:
app.UseRedirectValidation(opts =>
{
    opts.AllowedDestinations("https://www.facebook.com/dialog/oauth");
    opts.AllowedDestinations("https://login.microsoftonline.com"); // Tested
});

CA certificate signed jar java

I have just changed from signing jar files using a self-signed certificate to using a trusted certificate from Thawte. This works, but there are 2 issues. First, I now get the initial Java Console as before, but this is followed by a second one, then after a while (around 1 minute) the first one closes. Second, when I turn tracing on in the plugin, there are 463 connection requests to the thawte site (in the second console). This is shown as the following repeated over and over again:
security: Certificate validation succeeded using OCSP/CRL
security: Validate the certificate chain using CertPath API
security: SHA-256Certificate finger print: 250B4511AECDA826E699E0D46B4B4B5F4DFDB531AE1E4BE74E35D613F25E1722
security: SHA-256Certificate finger print: AF840CA2B9DFB776BF81AA94C401BC440C52E5C590C43607A13D6680D83E3349
security: SHA-256Certificate finger print: C99157DF28D28EBD87B8B041AACCF023CF1C9AD0D21FD7116149D7F96484FA51
security: SHA-256Certificate finger print: 3F9F27D583204B9E09C8A3D2066C4B57D3A2479C3693650880505698105DBCE9
security: The OCSP support is enabled
security: The CRL support is enabled
security: Failing over to CRLs: Certificate does not specify OCSP responder
network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
security: OCSP Response: GOOD
Is this triggered every time a class is loaded from the jar file? (I can't seem to turn on the tracing of class load/unload - the -XX:+TraceClassLoading option doesn't seem to work...)
I am just using an <object> tag to load the applet - no JNLP or anything. (The same happens if I use ):
<object type="application/x-java-applet" width="100%" height="879" id="sfnApplet_1" codebase="java:com/deltascheme/sfn/client/SfnApplet.class">
<param name="MAYSCRIPT" value="true">
<param name="type" value="application/x-java-applet;version=1.5">
<param name="cache_option" value="Plugin">
<param name="java_codebase" value="/sfn85/Content">
<param name="cache_archive" value="client.jar,lzma.jar">
<param name="IMAGE" value="Images/appletSplash.jpg">
<param name="centerimage" value="true">
<param name="java_code" value="com/xxx/yyy/client/Applet.class">
<param name="codebase_lookup" value="false">
<param name="browserName" value="Netscape">
<param name="browserVersion" value="5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36">
<param name="java_arguments" value="-Djnlp.packEnabled=true -XX:+TraceClassLoading -Xmx512M">
</object>
Any help gratefully received (Thawte say it's not their fault and I should speak to Oracle. Hmmm...)
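The trace lines in the question ("SHA-256Certificate finger print", "Certificate does not specify OCSP responder", "Failing over to CRLs") come from the plugin validating the signer chain. The program below is an added example, not code from the question or from Thawte/Oracle, that reproduces that view offline: it opens a signed jar, forces verification of every entry, collects the signer chain, and prints each certificate's SHA-256 fingerprint in the same format as the trace together with whether the certificate carries an Authority Information Access extension (where an OCSP responder URL would live) or CRL Distribution Points. The class and helper names, and the constant names for the two extension OIDs, are assumptions of this example; the OIDs themselves are the standard PKIX values.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerChainInspector {

    // Standard PKIX extension OIDs (constant names are this example's own).
    static final String OID_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"; // holds the OCSP responder URL
    static final String OID_CRL_DISTRIBUTION_POINTS = "2.5.29.31";

    // Same presentation as the plugin trace: upper-case hex, no separators.
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // JarEntry.getCodeSigners() is only populated after the entry's stream has
    // been read to the end, because that is when the signature is verified.
    static Set<X509Certificate> signerCertificates(String jarPath) throws Exception {
        Set<X509Certificate> certs = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory()) {
                    continue;
                }
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) {
                        // drain: verification happens as the bytes are read
                    }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    continue; // unsigned entry (e.g. META-INF files)
                }
                for (CodeSigner signer : signers) {
                    for (Certificate c : signer.getSignerCertPath().getCertificates()) {
                        if (c instanceof X509Certificate) {
                            certs.add((X509Certificate) c);
                        }
                    }
                }
            }
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerChainInspector <signed.jar>");
            return;
        }
        for (X509Certificate cert : signerCertificates(args[0])) {
            System.out.println("subject: " + cert.getSubjectX500Principal());
            System.out.println("  SHA-256: " + sha256Fingerprint(cert));
            System.out.println("  AIA (OCSP responder) extension present: "
                    + (cert.getExtensionValue(OID_AUTHORITY_INFO_ACCESS) != null));
            System.out.println("  CRL distribution points present:        "
                    + (cert.getExtensionValue(OID_CRL_DISTRIBUTION_POINTS) != null));
        }
    }
}
```

Comparing the printed fingerprints with the four in the trace tells you which chain certificate the "does not specify OCSP responder" line refers to, and therefore which one forces the CRL fallback on every check; the root is usually absent from the signer cert path and is taken from the plugin's trust store instead.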

web.config errors fail with responseMode="File"

According to Microsoft's documentation, for static (i.e. HTML) content, web.config should read responseMode="File" for each error.
Currently, my web.config includes
<httpErrors errorMode="Custom">
<!-- remove statusCodes -->
<error statusCode="404" path="/error/404.html" responseMode="ExecuteURL" />
</httpErrors>
This returns the correct custom error page, but returns a 200 OK status code.
When I change "ExecuteURL" to "File", my server does return a 404, but the custom error page is not displayed. Instead, I get the message "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
How is web.config supposed to read, to return a static file, but also a 404?
Edit: removed <customErrors> questions after learning that that tag is for IIS <= 6.0
I was fighting with exactly the same problem for a pretty long time. Now I found out by accident that the problem is in the slash character.
This is working for me - no beginning slash, and use \ instead of /:
<error statusCode="404" path="Static\WebServer\PageNotFound.htm" responseMode="File" />

Can't get SSL configured for Apache CXF and JAX-RS

I'm having trouble getting the configuration right to get my CXF REST client to talk to my CXF server. I get the dreaded javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure. The strange thing is, this configuration worked when we were using CXF for SOAP. Any hints are appreciated.
Here is the server-side configuration:
<httpj:engine-factory bus="cxf">
<httpj:engine port="443">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password" file="cxf.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password" file="cxf.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</httpj:tlsServerParameters>
<httpj:sessionSupport>true</httpj:sessionSupport>
</httpj:engine>
</httpj:engine-factory>
<jaxrs:server id="restContainer" bus="cxf" address="/" >
<jaxrs:serviceBeans>
<ref bean="policyService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
And here is the client configuration:
<http:conduit name="*.http-conduit">
<http:tlsClientParameters>
<sec:keyManagers
keyPassword="password">
<sec:keyStore type="JKS"
password="password"
file="cxf.jks" />
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS"
password="password"
file="cxf.jks" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:client AutoRedirect="true" ReceiveTimeout="0" Connection="Keep-Alive" />
</http:conduit>
This is the flavor of client I'm using:
MyRestApi api = JAXRSClientFactory.create(myRestUri, MyRestApi.class);
This all works fine in the clear, it's just SSL that's a problem.
To make sure you have the right settings you can hardcode them (temporarily) like this:
System.setProperty("javax.net.ssl.keyStore", "/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.debug", "all");
Then, with that output, you can debug further...
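One thing worth checking before reaching for javax.net.debug is what the cipherSuitesFilter in the question actually leaves available: its include patterns only match export-grade, DES and NULL suites, none of which a current JDK enables by default, so the filter can empty the list and leave the two sides with nothing to agree on. The program below is an added example (not code from the question, the answer, or CXF) that applies those same include/exclude regexes to the suites the local JVM supports and enables, and reports what survives. It assumes, as this example's own reading of the filter, that a suite is kept when it matches at least one include pattern and no exclude pattern; consult CXF's own filtering code for the authoritative rules.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteFilterCheck {

    // The include/exclude patterns copied from the question's cipherSuitesFilter.
    static final String[] INCLUDE = {
        ".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*", ".*_WITH_NULL_.*"
    };
    static final String[] EXCLUDE = { ".*_DH_anon_.*" };

    static boolean matchesAny(String suite, String[] patterns) {
        for (String p : patterns) {
            if (Pattern.matches(p, suite)) {
                return true;
            }
        }
        return false;
    }

    // Assumption of this example: keep a suite if it matches any include
    // pattern and none of the exclude patterns.
    static List<String> applyFilter(String[] suites, String[] include, String[] exclude) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (matchesAny(s, include) && !matchesAny(s, exclude)) {
                kept.add(s);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        String[] enabled = factory.getDefaultCipherSuites();     // negotiated by default
        String[] supported = factory.getSupportedCipherSuites(); // everything the provider implements

        List<String> keptEnabled = applyFilter(enabled, INCLUDE, EXCLUDE);
        List<String> keptSupported = applyFilter(supported, INCLUDE, EXCLUDE);

        System.out.println("enabled suites in this JVM:        " + enabled.length);
        System.out.println("enabled suites passing the filter: " + keptEnabled);
        System.out.println("supported suites passing it:       " + keptSupported);
        if (keptEnabled.isEmpty()) {
            System.out.println("No enabled suite matches the include list; "
                    + "a handshake using this filter cannot succeed on this JVM.");
        }
    }
}
```

Run the check on both the server and the client JVM, since they may differ in version and security properties. If the list is empty, replace the include patterns with ones that name suites you actually want to negotiate (for example ECDHE key exchange with AES-GCM) rather than re-enabling the export, DES or NULL families, which are disabled for good reason.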