Posted to users@tomcat.apache.org by Carlos Guardiola <cg...@satec.es> on 2004/03/04 14:00:58 UTC

Client authentication and customized error pages

Hi everyone!
I'm using SSL client authentication in a Tomcat 5.0.19. Everything goes
fine, but I need some help customizing error pages.

When a client wants to use my application, the browser asks him to choose
a valid certificate, but perhaps he hasn't a valid one. If he doesn't
have a certificate, the client authentication can't be done, so my
application is never invoked. O.K.

So, the browser shows a "page not found" error, which isn't one of my
application's customized error pages (as my application has never been
invoked). How can I customize that error page, in order to show
something like "you need a valid certificate"?

I've created my own ErrorReportValve, used in the
"errorReportValveClass" directive of the Host in my Tomcat's server.xml.
But it also seems not to be invoked...

Any help will be useful, thanks in advance,

Carlos


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Client authentication and customized error pages

Posted by Bill Barker <wb...@wilshire.com>.
"Carlos Guardiola" <cg...@satec.es> wrote in message
news:20040318093051.C5B8910402E@mrproper.satec.es...
> (Hi everyone! Here I am again, asking for some help about https
> authentication and custom error pages.)
>
> Dear Mr. Bill Barker,
>
> We've used "clientAuth=want" as you suggested; and now we've managed to
> "know" that a client tried to access the application without a valid
> certificate. That's OK, and we thank you very much.
>
> But when we try to launch a customized error page, a new error happens. It
> seems that the connection with the remote browser is broken. Who closed it?
> When? How? The point is that we can't return our error page...

When checking for CLIENT-CERT authentication, Tomcat converts the
clientAuth="want" to clientAuth="true".  The result is that JSSE drops the
connection when no cert is sent.

I've just committed a patch to leave the clientAuth alone when "want" is
specified.  The result is that the socket will remain open even if the
client refuses to send a cert, and so an error page can be sent back.

>
> I've seen that Mr. Alain Baucant has been working on the same problem.
> Maybe he could help us.
>
> Thanks in advance,
>
> Carlos Guardiola
>
>
> PS-
>
> We've got the stack trace in our catalina.out; it's quite large, I think I'm
> gonna send you a shorter one ;-)
>
> ADVERTENCIA: Exception getting SSL Cert
> java.net.SocketException: Socket Closed
>         at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
>         at java.net.Socket.setSoTimeout(Socket.java:924)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:137)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
>         at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
>         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1082)
> (....)
> (Sysdate) org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
> INFO: SSL Error getting client Certs
> javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
>         at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
>         at java.io.InputStream.read(InputStream.java:89)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
> (....)
> (Sysdate) org.apache.coyote.http11.Http11Processor action
> ADVERTENCIA: Exception getting SSL Cert
> javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
>         at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
>         at java.io.InputStream.read(InputStream.java:89)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
> (....)
>
> Here is the access log; it seems that it's trying to get the "Error 400"
> page...
>
> (client IP) - - [(Sysdate)] "GET /(app. directory)/ HTTP/1.1" 400 45
>
>
>
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On behalf of Bill Barker
> Sent: Friday, 05 March 2004 3:20
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Client authentication and customized error pages
>
> Using clientAuth="true", the error happens too early to be able to invoke an
> error-page.  You might try using clientAuth="want" instead.  In this case,
> the user still gets prompted for a cert, but the request continues if she
> hits "cancel".  It is then the responsibility of your webapp to handle the
> case where there is no cert sent.
>
> "Carlos Guardiola" <cg...@satec.es> wrote in message
> news:001501c401e8$bcdb8500$5e20a4d5@tsatec.int...
> >
> > Hi everyone!
> > I'm using SSL client authentication in a Tomcat 5.0.19. Everything goes
> > fine, but I need some help customizing error pages.
> >
> > When a client wants to use my application, the browser asks him to choose
> > a valid certificate, but perhaps he hasn't a valid one. If he doesn't
> > have a certificate, the client authentication can't be done, so my
> > application is never invoked. O.K.
> >
> > So, the browser shows a "page not found" error, which isn't one of my
> > application's customized error pages (as my application has never been
> > invoked). How can I customize that error page, in order to show
> > something like "you need a valid certificate"?
> >
> > I've created my own ErrorReportValve, used in the
> > "errorReportValveClass" directive of the Host in my Tomcat's server.xml.
> > But it also seems not to be invoked...
> >
> > Any help will be useful, thanks in advance,
> >
> > Carlos
>
>
>
>






RE: Client authentication and customized error pages

Posted by Carlos Guardiola <cg...@satec.es>.
(Hi everyone! Here I am again, asking for some help about https
authentication and custom error pages.)

Dear Mr. Bill Barker,

We've used "clientAuth=want" as you suggested; and now we've managed to
"know" that a client tried to access the application without a valid
certificate. That's OK, and we thank you very much.

But when we try to launch a customized error page, a new error happens. It
seems that the connection with the remote browser is broken. Who closed it?
When? How? The point is that we can't return our error page...

I've seen that Mr. Alain Baucant has been working on the same problem.
Maybe he could help us.

Thanks in advance,

Carlos Guardiola


PS-

We've got the stack trace in our catalina.out; it's quite large, I think I'm
gonna send you a shorter one ;-)

ADVERTENCIA: Exception getting SSL Cert
java.net.SocketException: Socket Closed
        at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
        at java.net.Socket.setSoTimeout(Socket.java:924)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:137)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1082)
(....)
(Sysdate) org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
        at java.io.InputStream.read(InputStream.java:89)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
(....)
(Sysdate) org.apache.coyote.http11.Http11Processor action
ADVERTENCIA: Exception getting SSL Cert
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
        at java.io.InputStream.read(InputStream.java:89)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
(....)

Here is the access log; it seems that it's trying to get the "Error 400"
page...

(client IP) - - [(Sysdate)] "GET /(app. directory)/ HTTP/1.1" 400 45

 

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On behalf of Bill Barker
Sent: Friday, 05 March 2004 3:20
To: tomcat-user@jakarta.apache.org
Subject: Re: Client authentication and customized error pages

Using clientAuth="true", the error happens too early to be able to invoke an
error-page.  You might try using clientAuth="want" instead.  In this case,
the user still gets prompted for a cert, but the request continues if she
hits "cancel".  It is then the responsibility of your webapp to handle the
case where there is no cert sent.

"Carlos Guardiola" <cg...@satec.es> wrote in message
news:001501c401e8$bcdb8500$5e20a4d5@tsatec.int...
>
> Hi everyone!
> I'm using SSL client authentication in a Tomcat 5.0.19. Everything goes
> fine, but I need some help customizing error pages.
>
> When a client wants to use my application, the browser asks him to choose
> a valid certificate, but perhaps he hasn't a valid one. If he doesn't
> have a certificate, the client authentication can't be done, so my
> application is never invoked. O.K.
>
> So, the browser shows a "page not found" error, which isn't one of my
> application's customized error pages (as my application has never been
> invoked). How can I customize that error page, in order to show
> something like "you need a valid certificate"?
>
> I've created my own ErrorReportValve, used in the
> "errorReportValveClass" directive of the Host in my Tomcat's server.xml.
> But it also seems not to be invoked...
>
> Any help will be useful, thanks in advance,
>
> Carlos








Re: Client authentication and customized error pages

Posted by Bill Barker <wb...@wilshire.com>.
Using clientAuth="true", the error happens too early to be able to invoke an
error-page.  You might try using clientAuth="want" instead.  In this case,
the user still gets prompted for a cert, but the request continues if she
hits "cancel".  It is then the responsibility of your webapp to handle the
case where there is no cert sent.

"Carlos Guardiola" <cg...@satec.es> wrote in message
news:001501c401e8$bcdb8500$5e20a4d5@tsatec.int...
>
> Hi everyone!
> I'm using SSL client authentication in a Tomcat 5.0.19. Everything goes
> fine, but I need some help customizing error pages.
>
> When a client wants to use my application, the browser asks him to choose
> a valid certificate, but perhaps he hasn't a valid one. If he doesn't
> have a certificate, the client authentication can't be done, so my
> application is never invoked. O.K.
>
> So, the browser shows a "page not found" error, which isn't one of my
> application's customized error pages (as my application has never been
> invoked). How can I customize that error page, in order to show
> something like "you need a valid certificate"?
>
> I've created my own ErrorReportValve, used in the
> "errorReportValveClass" directive of the Host in my Tomcat's server.xml.
> But it also seems not to be invoked...
>
> Any help will be useful, thanks in advance,
>
> Carlos
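Bill's advice above leaves the "no certificate" case to the webapp: with clientAuth="want" the handshake completes even when the browser sends nothing, so the request reaches the application and the application must refuse it itself. The servlet Filter below is an added example written for this thread, not code from the thread's participants or from Tomcat. It assumes the webapp does its own check rather than relying on the container's CLIENT-CERT auth-method (which, per Bill's note, is the path that turned "want" into "true"), and the package name, filter name, init parameter and error page path are invented for the example. The only container-defined name it depends on is the Servlet-spec request attribute javax.servlet.request.X509Certificate.

```java
// Added example (not from the thread or from Tomcat): a Filter for a
// Tomcat 5.0 webapp served by a connector configured with clientAuth="want".
// A request without a client certificate still reaches the webapp, so this
// filter is what turns "no certificate" into a proper error page instead of
// the bare 400 seen in the access log. Package, class and init-parameter
// names are assumptions.
package example.security;

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequireClientCertFilter implements Filter {

    // Standard Servlet-spec attribute: the container exposes the verified
    // client certificate chain of a TLS connection under this name. JSSE
    // aborts the handshake when a presented chain fails verification, so a
    // non-empty value here means "presented and verified against the
    // truststore", while null/empty means the browser sent no certificate.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Message passed to sendError(); the page shown to the user comes from
    // the <error-page> mapping for 403 in web.xml (see comment below).
    private String message = "A valid client certificate is required.";

    public void init(FilterConfig config) throws ServletException {
        // Optional init-param (assumed name) to override the message text.
        String configured = config.getInitParameter("message");
        if (configured != null) {
            message = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (!hasClientCert(certs)) {
            // The socket is still open under clientAuth="want", so the
            // container can deliver the webapp's own 403 error page. The
            // request never reaches the protected servlet.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, message);
            return;
        }
        chain.doFilter(request, response);
    }

    // Separated so the decision is easy to unit test.
    static boolean hasClientCert(X509Certificate[] certs) {
        return certs != null && certs.length > 0;
    }

    public void destroy() {
        // nothing to release
    }
}

/* web.xml fragment for the example (assumed names). The filter must be
   mapped over every protected URL: with clientAuth="want" the container no
   longer enforces certificate presence, so any path left outside the
   mapping is reachable without a certificate.

<filter>
  <filter-name>requireClientCert</filter-name>
  <filter-class>example.security.RequireClientCertFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>requireClientCert</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<error-page>
  <error-code>403</error-code>
  <location>/no-cert.html</location>
</error-page>
*/
```

Because the error page is delivered through the container's ERROR dispatch rather than a normal request, the filter (mapped for the default REQUEST dispatcher) does not intercept it, so /no-cert.html is served even though the browser sent no certificate. Anything else the webapp must expose without a certificate has to be carved out of the url-pattern deliberately.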



