I'm having trouble getting the configuration right to get my CXF REST client to talk to my CXF server. I get the dreaded javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure. The strange thing is, this configuration worked when we were using CXF for SOAP. Any hints are appreciated.
Here is the server-side configuration:
<httpj:engine-factory bus="cxf">
<httpj:engine port="443">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password" file="cxf.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password" file="cxf.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</httpj:tlsServerParameters>
<httpj:sessionSupport>true</httpj:sessionSupport>
</httpj:engine>
</httpj:engine-factory>
<jaxrs:server id="restContainer" bus="cxf" address="/" >
<jaxrs:serviceBeans>
<ref bean="policyService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
And here is the client configuration:
<http:conduit name="*.http-conduit">
<http:tlsClientParameters>
<sec:keyManagers
keyPassword="password">
<sec:keyStore type="JKS"
password="password"
file="cxf.jks" />
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS"
password="password"
file="cxf.jks" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:client AutoRedirect="true" ReceiveTimeout="0" Connection="Keep-Alive" />
</http:conduit>
This is the flavor of client I'm using:
MyRestApi api = JAXRSClientFactory.create(myRestUri, MyRestApi.class);
This all works fine in the clear, it's just SSL that's a problem.
to make sure you have the right settings you can hardcode it (temp.) like this:
System.setProperty("javax.net.ssl.keyStore", "/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.debug", "all");
then with the output check you can debug more...
Related
currently We have CAS SSO to our existing .net application, but now client is asking for Shibboleth SSO instead CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using guidelines from Shibboleth site, below are the steps i followed.
Installed Shibbolth Service provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth Idp (in which jetty also checked)(shibboleth-identity-provider-3.3.3-x64.msi)
Web Application with self signed certificate
attached my Shibboleth2.xml file
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI> </InProcess> <RequestMapper type="Native"> <RequestMap> <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap></RequestMapper><ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> <SSO entityID=""urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP">/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root#localhost"
helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing......
When i try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
getting error no metadataprovider available.
Noticed Problems:
1.when i try to add Metadataprovider Shibboleth daemon 2 service is getting
stopped and unable to start.if i remove it's is running.
2.Shibboleth Idp 3 deamon is getting stopped very frequently
When i run 'SC interrogate shibd_idp' in command prompt, results are
control service failed 1062
the service has not been started.
I donno what is wrong with my work.
Can any one please tell me what are the steps to be followed to accomplish this integration.
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called metadata provider, you will need to open that.
If you have done this but shill service is not getting started then you can check the log and give additional info in question.
Another reason I can think of is connection problem. Try downloading idP's metadata and store it physically in the SP configuration folder. Manually map the file, using following tag
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues has been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. we are getting the Shibboleth Identity provider login page.We are able to see the attributes in Session.Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page.Currently we created 1 sample html page under secure folder in our application. once we logged in we are able to this html page.But when i tried to redirect to our application home page, it's giving 500 error. Can any one knows like how to redirect to our app home page and retrieve the attributes in the application.
We have a functioning application with multiple filter chain configuration. One of the first filter chains belongs to REST POST requests that requier no authentication:
...
<http pattern="/*.info**" entry-point-ref="infoEntryPoint" use-expressions="true" create-session="never">
<intercept-url pattern="/*.info" access="permitAll" />
</http>
<beans:bean id="infoEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<beans:property name="realmName" value="Info REST Realm" />
</beans:bean>...
It worked for GET and POST requests, but after upgrading to Spring Security 4, the POST requests are not captured by this filter chain, but the next filter chain captures them (and creates session and throws 403, doing right its job).
How could I fix it?
CSRF protection is switched on by default in Spring Security, it was switched off by default formerly. The following entry (inside the http tag) solved the problem:
<csrf disabled="true"/>
I tried to read a file and email through Mule. But it throws the following exception.
org.mule.api.transformer.TransformerException: Could not find a transformer to transform "SimpleDataType{type=javax.mail.internet.MimeMessage, mimeType='*/*'}" to "SimpleDataType{type=java.io.InputStream, mimeType='*/*'}".
at org.mule.registry.MuleRegistryHelper.lookupTransformer(MuleRegistryHelper.java:252)
at org.mule.DefaultMuleMessage.getPayload(DefaultMuleMessage.java:355)
at org.mule.DefaultMuleMessage.getPayload(DefaultMuleMessage.java:313)
+ 3 more (set debug level logging or '-Dmule.verbose.exceptions=true' for everything)
My mule file is as follows:
<flow name="Exception_HandlingFlow1" doc:name="Exception_HandlingFlow1">
<file:inbound-endpoint path="D:\WorkArea\COPA\In" responseTimeout="10000" doc:name="File Writer">
<file:file-to-string-transformer/>
</file:inbound-endpoint>
<component doc:name="Java" class="com.exhnlr.Handler.ExceptionHandler"/>
<smtps:outbound-endpoint host="192.168.131.139" responseTimeout="10000" doc:name="SMTP"
from="anbu1#bibs.com" subject="test" to="anbu1#bibs.com" user="anbu1" mimeType="text/plain">
<email:string-to-email-transformer/>
</smtps:outbound-endpoint>
</flow>
I have read a similiar link How to parse inbound e-mail when using Mule's IMAP transport?, but it didn't work for me.
Please help.
Add an <object-to-string-transformer /> after the file inbound endpoint.
I am trying to redirect Spring Security to a custom login page which GWT based. Here is my configuration:
<security:http pattern="/Main.html?#login" security="none" />
<security:http auto-config="true">
<security:form-login login-page='/Main.html?#login' />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
</security:http>
From the spring security debug logs - it seems that the framework drops everything after the "#". Does anyone know how to fix this?
Thanks.
There is no way to fix this. Spring security runs on server side, and data in url after hash are never sent to the server from browser. Normally you would make a separate page for login, outside of your primary GWT application.
I am consuming an secured service hosted over basicHttpBinding
I have to pass credentials to the service for authenticatioon
Here’s the config setting for the client
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
While calling the service, I am getting following exception message
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
Message = "An invalid security token was provided (Bad UsernameToken Values)”
I not sure how to get it working I am curious if somebody can help me out or provide me any url where I could find the solution
When you create your MyServiceClient object you can set the username and password on the clientInstance.Credentials.UserName object.