[mitreid-connect] Help needed running the simple client.

Justin Richer jricher at mit.edu
Mon Feb 16 13:12:29 EST 2015


That’s very strange, then. It still looks like it’s a configuration problem with Glassfish’s SSL client setup that isn’t specific to the MITREid Connect code. The MITREid client shouldn’t be touching the SSL stores unless you’re pointing it at an HTTPS URL. I would try to dig more into Glassfish configuration to see if that’s really the issue.

The warning you got about non-HTTPS is just that — a warning, and it doesn’t cause an error unless you lock it down for a full production deployment. 

 — Justin Richer
     http://bspk.io/


> On Feb 16, 2015, at 12:23 PM, Lachezar Dobrev <l.dobrev at paladin.bulgarpress.com> wrote:
> 
>  No, not HTTPS, I'm trying the following:
>  * user at mitreid.org
>  * http://localhost:8080/openid-connect-server-webapp/
>  * http://localhost:8080/my-openid-connect-provider/
> 
>  I also tried:
>  * https://demo.c2id.com/c2id
> 
>  Same error.
> 
>  This is my local development environment, not production.
> 
>  For the http URLs I get a warning in the logs about https being
> required (apologies, I did not save that message), but it seems to
> continue forward and get the same result. Which is why I'm doubly puzzled.
> 
> On 16.02.2015 at 19:07, Justin Richer wrote:
>> From the error logs below, it looks like you’re pointing to an HTTPS server
>> URL that your client isn’t able to read. This appears to be happening from
>> the Webfinger Issuer Service trying to do its lookup, which is what’s causing
>> the “No issuer found” message. What URL are you entering in to the client
>> application?
>> 
>> If it’s a real deployment, you’ll need to have your server set up with a
>> valid certificate that the client will trust. Without that, you’ll get SSL
>> errors like the below as the client tries to connect. Note that simply
>> having the cert trusted in your browser isn’t enough, as the client makes
>> its own HTTPS connections directly to the server as well. It looks like
>> you’re configuring the keystore/truststore below but you’ve got the wrong
>> password or the file is corrupted. Can you open up the truststore with
>> ‘keytool’ on the command line? Do the parameters there match what you’re
>> passing to Glassfish’s configuration? (Apologies, I’m not immediately
>> familiar with Glassfish enough to know how it’s put together).
>> 
>> If it’s a test deployment or a development setup, we recommend deploying
>> on plain HTTP and using HTTPS for production services. This side-steps
>> the issues around SSL certificates that can be problematic in development.
>> You’ll need to solve those for production, of course, but by then you’ll
>> probably have a commercial certificate that’s already trusted in the trust
>> store.
>> 
>> — Justin
>> 
>> 
>>> On Feb 16, 2015, at 11:55 AM, Lachezar Dobrev <l.dobrev at paladin.bulgarpress.com> wrote:
>>> 
>>> Hello all.
>>> 
>>> I am (trying to) develop an OpenID-Connect provider.
>>> 
>>> To try it I decided to use the MitreID-Connect example simple-web-app
>>> client. The platform is Glassfish 4 with OpenJDK 7.
>>> 
>>> I am unable to use it. No matter what I try I get a:
>>> 
>>>> HTTP Status 401 - Authentication Failed: No issuer found.
>>> 
>>> And the following stack trace:
>>> 
>>>> 2015-02-16T18:53:22.462+0200|INFO: WARN : org.mitre.openid.connect.client.service.impl.WebfingerIssuerService - Issue fetching issuer for user input: user at mitreid.org
>>>> com.google.common.util.concurrent.UncheckedExecutionException: org.apache.http.conn.ssl.SSLInitializationException: Failure initializing default system SSL context
>>>> 	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2258)
>>>> 	at com.google.common.cache.LocalCache.get(LocalCache.java:3990)
>>>> 	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3994)
>>>> 	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4878)
>>>> 	at org.mitre.openid.connect.client.service.impl.WebfingerIssuerService.getIssuer(WebfingerIssuerService.java:89)
>>>> 	at org.mitre.openid.connect.client.service.impl.HybridIssuerService.getIssuer(HybridIssuerService.java:48)
>>>> 	at org.mitre.openid.connect.client.OIDCAuthenticationFilter.handleAuthorizationRequest(OIDCAuthenticationFilter.java:197)
>>>> 	at org.mitre.openid.connect.client.OIDCAuthenticationFilter.attemptAuthentication(OIDCAuthenticationFilter.java:176)
>>>> 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>>>> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>> 	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>>> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>> 	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>> 	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>> 	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>> 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>> 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>>> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
>>>> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>>>> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
>>>> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
>>>> 	at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
>>>> 	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
>>>> 	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
>>>> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
>>>> 	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
>>>> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
>>>> 	at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
>>>> 	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
>>>> 	at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
>>>> 	at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
>>>> 	at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
>>>> 	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
>>>> 	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
>>>> 	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
>>>> 	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
>>>> 	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
>>>> 	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
>>>> 	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
>>>> 	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
>>>> 	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
>>>> 	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
>>>> 	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
>>>> 	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
>>>> 	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
>>>> 	at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: org.apache.http.conn.ssl.SSLInitializationException: Failure initializing default system SSL context
>>>> 	at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:368)
>>>> 	at org.apache.http.conn.ssl.SSLSocketFactory.getSystemSocketFactory(SSLSocketFactory.java:204)
>>>> 	at org.apache.http.impl.conn.SchemeRegistryFactory.createSystemDefault(SchemeRegistryFactory.java:82)
>>>> 	at org.apache.http.impl.client.SystemDefaultHttpClient.createClientConnectionManager(SystemDefaultHttpClient.java:118)
>>>> 	at org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)
>>>> 	at org.apache.http.impl.client.AbstractHttpClient.createHttpContext(AbstractHttpClient.java:286)
>>>> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:851)
>>>> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
>>>> 	at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:88)
>>>> 	at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)
>>>> 	at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)
>>>> 	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:488)
>>>> 	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:465)
>>>> 	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:236)
>>>> 	at org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:207)
>>>> 	at org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:174)
>>>> 	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3589)
>>>> 	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2374)
>>>> 	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2337)
>>>> 	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2252)
>>>> 	... 46 more
>>>> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>>>> 	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
>>>> 	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>>>> 	at java.security.KeyStore.load(KeyStore.java:1214)
>>>> 	at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:281)
>>>> 	at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:366)
>>>> 	... 65 more
>>>> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>>>> 	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
>>>> 	... 69 more
>>>> 2015-02-16T18:53:22.462+0200|INFO: ERROR: org.mitre.openid.connect.client.OIDCAuthenticationFilter - Null issuer response returned from service.
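
Editor's note, not part of the thread: the trace above also explains why the plain-http URLs fail with the same error. `SystemDefaultHttpClient.createClientConnectionManager` calls `SchemeRegistryFactory.createSystemDefault`, which registers the https scheme via `SSLSocketFactory.getSystemSocketFactory` the first time the client executes a request, so the system truststore is opened before any request goes out, whatever the scheme of the WebFinger URL being fetched. The nested causes ("Keystore was tampered with, or password was incorrect" / "Password verification failed") are the JKS loader's standard report of a store password mismatch. The program below is an added example, not code from MITREid Connect or HttpClient; it resolves the truststore the way I read HttpClient's `createSystemSSLContext` doing it (the `javax.net.ssl.trustStore`, `javax.net.ssl.trustStoreType` and `javax.net.ssl.trustStorePassword` system properties, falling back to `$JAVA_HOME/lib/security/jssecacerts` and then `cacerts`) and tries to open it with that password, so it can be run under the same `-D` options Glassfish passes to its JVM (its `domain.xml` `<jvm-options>`) to see whether the password is the problem before the client does. The class name and the exit codes are my own choices.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

/**
 * TrustStoreCheck (hypothetical diagnostic, not part of MITREid Connect):
 * locate the truststore the system-default SSL context would use and
 * verify that the configured password opens it.
 */
public class TrustStoreCheck {

    /** Same lookup order as HttpClient's system SSL context, as assumed in the note above. */
    static File resolveTrustStore() {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path != null) {
            return new File(path);
        }
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(secDir, "jssecacerts");
        return jssecacerts.exists() ? jssecacerts : new File(secDir, "cacerts");
    }

    /**
     * Opens the store with the given password and returns the number of trusted
     * certificate entries. A JKS password mismatch surfaces as the IOException
     * seen in the thread, with UnrecoverableKeyException as its cause.
     */
    static int loadTrustStore(File file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        int trusted = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            if (ks.isCertificateEntry(aliases.nextElement())) {
                trusted++;
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        File file = resolveTrustStore();
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        System.out.println("truststore: " + file + " (type " + type
                + ", password " + (pw == null ? "not set" : "set") + ")");
        if (!file.isFile()) {
            System.out.println("FAIL: truststore file does not exist");
            System.exit(2);
        }
        try {
            // A null password loads a JKS store without the integrity check, which is what
            // happens when javax.net.ssl.trustStorePassword is simply left unset.
            int n = loadTrustStore(file, type, pw == null ? null : pw.toCharArray());
            System.out.println("OK: store opened, " + n + " trusted certificate entries");
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.out.println("FAIL: password does not match this store (" + e.getMessage() + ")");
            } else {
                System.out.println("FAIL: " + e.getMessage());
            }
            System.exit(1);
        }
    }
}
```

Run it with exactly the options the server JVM gets, for example `java -Djavax.net.ssl.trustStore=/path/to/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit TrustStoreCheck`; a "FAIL: password does not match" here reproduces the third cause in the trace. The equivalent command-line check Justin refers to is `keytool -list -keystore /path/to/cacerts.jks -storepass changeit`, which prints the same "Keystore was tampered with, or password was incorrect" on a mismatch. Once the store opens, the remaining question for an https:// issuer is whether the provider's certificate chain is actually in it, since trust in the browser does nothing for the client's own connections.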
