[mitreid-connect] Help needed running the simple client.

Lachezar Dobrev l.dobrev at paladin.bulgarpress.com
Tue Feb 17 06:12:40 EST 2015


  OK. Progress (kind-of).

  I took a somewhat deeper look into that, and noticed something
awkward: the Apache HTTP Client expects Trusted Certificates Store and
Client Certificates Store to be declared in System Properties. Not only
that, but the PASSWORDS to both are expected to be specified in the
System Properties too. In plain text!

  Anyway. I excluded the http client from the dependencies of the
org.mitre:openid-connect-client and declared an explicit dependency to
org.apache.httpcomponents:httpclient at 4.4, and now I'm getting a bit further.

  Now I get 404 errors, because the OpenID-Connect client is looking for
   https://whatever.server.com/path/.well-known/webfinger
  And the servers are exposing
   https://whatever.server.com/path/.well-known/openid-configuration

  What am I missing here?
  I'm totally at a loss.

On 16.02.2015 at 20:12, Justin Richer wrote:
> That’s very strange, then. It still looks like it’s a configuration
> problem with Glassfish’s SSL client setup that isn’t specific to the
> MITREid Connect code. The MITREid client shouldn’t be touching the SSL
> stores unless you’re pointing it at an HTTPS URL. I would try to dig
> more into Glassfish configuration to see if that’s really the issue.
> 
> The warning you got about non-HTTPS is just that — a warning, and it
> doesn’t cause an error unless you lock it down for a full production
> deployment. 
> 
>  — Justin Richer
>      http://bspk.io/
> 
> 
>> On Feb 16, 2015, at 12:23 PM, Lachezar Dobrev
>> <l.dobrev at paladin.bulgarpress.com
>> <mailto:l.dobrev at paladin.bulgarpress.com>> wrote:
>>
>>  No, not HTTPS, I'm trying the following:
>>  * user at mitreid.org <mailto:user at mitreid.org>
>>  * http://localhost:8080/openid-connect-server-webapp/
>>  * http://localhost:8080/my-openid-connect-provider/
>>
>>  I also tried:
>>  * https://demo.c2id.com/c2id
>>
>>  Same error.
>>
>>  This is my local development environment, not production.
>>
>>  For the http URLs I get a warning in the logs about https being
>> required (apologies, I did not save that message), but it seems to
>> continue forward and get the same result. Which is why I'm doubly puzzled.
>>
>> On 16.02.2015 at 19:07, Justin Richer wrote:
>>> From the error logs below, it looks like you’re pointing to an HTTPS
>>> server
>>> URL that your client isn’t able to read. This appears to be happening
>>> from
>>> the Webfinger Issuer Service trying to do its lookup, which is what’s
>>> causing
>>> the “No issuer found” message. What URL are you entering in to the client
>>> application?
>>>
>>> If it’s a real deployment, you’ll need to have your server set up with a
>>> valid certificate that the client will trust. Without that, you’ll
>>> get SSL
>>> errors like the below as the client tries to connect. Note that simply
>>> having the cert trusted in your browser isn’t enough, as the client makes
>>> its own HTTPS connections directly to the server as well. It looks like
>>> you’re configuring the keystore/truststore below but you’ve got the wrong
>>> password or the file is corrupted. Can you open up the truststore with
>>> ‘keytool’ on the command line? Do the parameters there match what you’re
>>> passing to Glassfish’s configuration? (Apologies, I’m not immediately
>>> familiar with Glassfish enough to know how it’s put together).
>>>
>>> If it’s a test deployment or a development setup, we recommend deploying
>>> on plain HTTP and using HTTPS for production services. This side-steps
>>> the issues around SSL certificates that can be problematic in
>>> development.
>>> You’ll need to solve those for production, of course, but by then you’ll
>>> probably have a commercial certificate that’s already trusted in the
>>> trust
>>> store.
>>>
>>> — Justin
>>>
>>>
>>>> On Feb 16, 2015, at 11:55 AM, Lachezar Dobrev
>>>> <l.dobrev at paladin.bulgarpress.com
>>>> <mailto:l.dobrev at paladin.bulgarpress.com>> wrote:
>>>>
>>>> Hello all.
>>>>
>>>> I am (trying to) develop an OpenID-Connect provider.
>>>>
>>>> To try it I decided to use the MitreID-Connect example simple-web-app
>>>> client. The platform is a Glassfish-4 with OpenJDK 7.
>>>>
>>>> I fail in using it. No matter what I try I get a:
>>>>
>>>>> HTTP Status 401 - Authentication Failed: No issuer found.
>>>>
>>>> And the following stack trace:
>>>>
>>>>> 2015-02-16T18:53:22.462+0200|INFO: WARN :
>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService
>>>>> - Issue fetching issuer for user input: user at mitreid.org
>>>>> <mailto:user at mitreid.org>
>>>>> com.google.common.util.concurrent.UncheckedExecutionException:
>>>>> org.apache.http.conn.ssl.SSLInitializationException: Failure
>>>>> initializing default system SSL context
>>>>> at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2258)
>>>>> at com.google.common.cache.LocalCache.get(LocalCache.java:3990)
>>>>> at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3994)
>>>>> at
>>>>> com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4878)
>>>>> at
>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService.getIssuer(WebfingerIssuerService.java:89)
>>>>> at
>>>>> org.mitre.openid.connect.client.service.impl.HybridIssuerService.getIssuer(HybridIssuerService.java:48)
>>>>> at
>>>>> org.mitre.openid.connect.client.OIDCAuthenticationFilter.handleAuthorizationRequest(OIDCAuthenticationFilter.java:197)
>>>>> at
>>>>> org.mitre.openid.connect.client.OIDCAuthenticationFilter.attemptAuthentication(OIDCAuthenticationFilter.java:176)
>>>>> at
>>>>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>>>>> at
>>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>> at
>>>>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>>>> at
>>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>> at
>>>>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>> at
>>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>> at
>>>>> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>> at
>>>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>> at
>>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>> at
>>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>>>> at
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
>>>>> at
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>>>>> at
>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
>>>>> at
>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
>>>>> at
>>>>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
>>>>> at
>>>>> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
>>>>> at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
>>>>> at
>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
>>>>> at
>>>>> org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
>>>>> at
>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
>>>>> at
>>>>> com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
>>>>> at
>>>>> com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
>>>>> at
>>>>> org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
>>>>> at
>>>>> org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
>>>>> at
>>>>> org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
>>>>> at
>>>>> org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
>>>>> at
>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
>>>>> at
>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
>>>>> at
>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
>>>>> at
>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
>>>>> at
>>>>> org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
>>>>> at
>>>>> org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
>>>>> at
>>>>> org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
>>>>> at
>>>>> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
>>>>> at
>>>>> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
>>>>> at
>>>>> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
>>>>> at
>>>>> org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
>>>>> at
>>>>> org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: org.apache.http.conn.ssl.SSLInitializationException:
>>>>> Failure initializing default system SSL context
>>>>> at
>>>>> org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:368)
>>>>> at
>>>>> org.apache.http.conn.ssl.SSLSocketFactory.getSystemSocketFactory(SSLSocketFactory.java:204)
>>>>> at
>>>>> org.apache.http.impl.conn.SchemeRegistryFactory.createSystemDefault(SchemeRegistryFactory.java:82)
>>>>> at
>>>>> org.apache.http.impl.client.SystemDefaultHttpClient.createClientConnectionManager(SystemDefaultHttpClient.java:118)
>>>>> at
>>>>> org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)
>>>>> at
>>>>> org.apache.http.impl.client.AbstractHttpClient.createHttpContext(AbstractHttpClient.java:286)
>>>>> at
>>>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:851)
>>>>> at
>>>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
>>>>> at
>>>>> org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:88)
>>>>> at
>>>>> org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)
>>>>> at
>>>>> org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)
>>>>> at
>>>>> org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:488)
>>>>> at
>>>>> org.springframework.web.client.RestTemplate.execute(RestTemplate.java:465)
>>>>> at
>>>>> org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:236)
>>>>> at
>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:207)
>>>>> at
>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:174)
>>>>> at
>>>>> com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3589)
>>>>> at
>>>>> com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2374)
>>>>> at
>>>>> com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2337)
>>>>> at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2252)
>>>>> ... 46 more
>>>>> Caused by: java.io.IOException: Keystore was tampered with, or
>>>>> password was incorrect
>>>>> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
>>>>> at
>>>>> sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>>>>> at java.security.KeyStore.load(KeyStore.java:1214)
>>>>> at
>>>>> org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:281)
>>>>> at
>>>>> org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:366)
>>>>> ... 65 more
>>>>> Caused by: java.security.UnrecoverableKeyException: Password
>>>>> verification failed
>>>>> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
>>>>> ... 69 more
>>>>> 2015-02-16T18:53:22.462+0200|INFO: ERROR:
>>>>> org.mitre.openid.connect.client.OIDCAuthenticationFilter - Null
>>>>> issuer response returned from service.
> 

-- 
Lachezar Dobrev
Senior Software Developer
Team Alpha, Bulgarpress LTD.
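The two ".well-known" URLs in the message above are two different steps of OpenID Connect Discovery 1.0: WebFinger (section 2) turns the user's input into an issuer, and only then is the issuer's openid-configuration (section 4) fetched, so a provider that publishes only the second document will 404 on the first. The following is an added example, not code from the thread or from MITREid Connect; it assumes the spec's always-HTTPS WebFinger URL and uses constructed sample documents.

```python
"""Issuer discovery as an OIDC client does it (OpenID Connect Discovery 1.0,
sections 2 and 4): WebFinger first, provider configuration second."""
import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize(user_input: str):
    """Return (host, resource) for the WebFinger lookup (Discovery 1.0, section 2.1)."""
    s = user_input.strip()
    if "://" in s:                      # URL form: the host comes from the URL itself
        return urlsplit(s).netloc, s
    if s.startswith("acct:"):
        s = s[len("acct:"):]
    if "@" in s:                        # e-mail style identifier becomes an acct: URI
        return s.rsplit("@", 1)[1], "acct:" + s
    return s, "https://" + s            # bare host name


def webfinger_url(host: str, resource: str) -> str:
    """Step 1: the URL the client fetches; this is why /.well-known/webfinger appears."""
    q = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{q}"


def issuer_from_jrd(jrd_text: str) -> str:
    """Pick the issuer link out of a JRD document; fail if the OP published none."""
    for link in json.loads(jrd_text).get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and "href" in link:
            return link["href"]
    raise ValueError("No issuer found")


def config_url(issuer: str) -> str:
    """Step 2: where the provider metadata lives (Discovery 1.0, section 4.1)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(config_text: str, expected_issuer: str) -> bool:
    """Section 4.3: the 'issuer' in the metadata must equal the discovered issuer,
    otherwise a rogue or misconfigured host could answer for another provider."""
    return json.loads(config_text).get("issuer") == expected_issuer


# Constructed sample documents (not captured from any real server).
SAMPLE_JRD = json.dumps({"subject": "acct:user@mitreid.org",
                         "links": [{"rel": OIDC_ISSUER_REL, "href": "https://mitreid.org/"}]})
SAMPLE_CONFIG = json.dumps({"issuer": "https://mitreid.org/",
                            "authorization_endpoint": "https://mitreid.org/authorize"})
```

Passing a full issuer URL as the identifier still goes through WebFinger on the URL's host, which is why the 404 shows up for every input form listed in the thread.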

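The stack trace quoted further down ends in "Keystore was tampered with, or password was incorrect": HttpClient's system SSL context loads the javax.net.ssl.* trust/key stores named in the System Properties, and JKS seals its contents with a password-keyed SHA-1 that KeyStore.load() recomputes, so a wrong javax.net.ssl.trustStorePassword and a corrupted file produce the same error. The following is an added example, not code from the thread or from MITREid Connect; it builds a constructed zero-entry JKS in memory and re-implements only that integrity check.

```python
"""What KeyStore.load() checks for a JKS file: the last 20 bytes are
SHA-1(password as UTF-16BE + "Mighty Aphrodite" + everything before them)."""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"   # fixed string used by sun.security.provider.JavaKeyStore


def _keyed_digest(password: str, body: bytes) -> bytes:
    """The password-keyed digest Java appends to, and later recomputes over, a JKS."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample store: version-2 JKS with zero entries, sealed with `password`."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)   # magic, version, entry count
    return body + _keyed_digest(password, body)


def verify_jks(blob: bytes, password: str) -> str:
    """Mimic the integrity step of KeyStore.load(): 'ok', 'not-a-jks', or the Java error text."""
    if len(blob) < 12 + 20 or struct.unpack(">I", blob[:4])[0] != JKS_MAGIC:
        return "not-a-jks"
    body, stored = blob[:-20], blob[-20:]
    if _keyed_digest(password, body) != stored:
        # Java throws exactly this IOException, caused by UnrecoverableKeyException
        return "Keystore was tampered with, or password was incorrect"
    return "ok"


if __name__ == "__main__":
    store = build_empty_jks("changeit")
    print(verify_jks(store, "changeit"))   # ok
    print(verify_jks(store, "secret"))     # the error from the trace
```

Running `keytool -list -keystore <file> -storepass <password>` performs the same check, which is the quickest way to tell a wrong trustStorePassword property from a damaged file.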
