SSLHandshakeException when try connect LDAP
Scott Battaglia
scott.battaglia at gmail.com
Mon Jan 14 19:56:34 EST 2008
Sarah,
Is it a commercially signed certificate? If not, make sure its in the JVM's
cacerts file so that it can trust it. Also, make sure your LDAP server is
accepting SSL connections.
-Scott
On Jan 14, 2008 6:41 AM, Sara_Abasi <abasi86 at gmail.com> wrote:
>
> Hi
> i`m newbie in LDAP with SLL.
> My problem is, i connect in server LDAP from my web application and do the
> authentication by LDAP with SSL.
> when i enter user name and password throws this exception:
>
> 2008-01-14 15:04:52,074 ERROR
> [org.apache.catalina.core.ContainerBase
> .[Catalina].[localhost].[/cas].[cas]]
> - <Servlet.service() for servlet cas threw exception>
> java.io.EOFException: SSL peer shut down incorrectly
> at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java
> :333)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java
> :723)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(
> SSLSocketImpl.java:1030)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java
> :622)
> at
> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java
> :59)
> at java.io.BufferedOutputStream.flushBuffer(
> BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java
> :123)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java
> :175)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(
> LdapCtxFactory.java:193)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java
> :136)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
> at javax.naming.spi.NamingManager.getInitialContext(
> NamingManager.java:667)
> at javax.naming.InitialContext.getDefaultInitCtx(
> InitialContext.java:247)
> at javax.naming.InitialContext.init(InitialContext.java:223)
> at javax.naming.ldap.InitialLdapContext.<init>(
> InitialLdapContext.java:134)
> at
> org.springframework.ldap.support.LdapContextSource.getDirContextInstance(
> LdapContextSource.java:59)
> at
> org.springframework.ldap.support.AbstractContextSource.createContext(
> AbstractContextSource.java:193)
> at
> org.springframework.ldap.support.AbstractContextSource.getReadOnlyContext(
> AbstractContextSource.java:104)
> at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java
> :263)
> at org.springframework.ldap.LdapTemplate.search(LdapTemplate.java
> :314)
> at
>
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal
> (BindLdapAuthenticationHandler.java:70)
> at
>
> org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.authenticate
> (AbstractUsernamePasswordAuthenticationHandler.java:58)
> at
> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
> AuthenticationManagerImpl.java:79)
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(
> CentralAuthenticationServiceImpl.java:282)
> at
> org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(
> AuthenticationViaFormAction.java:116)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java
> :39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at
> org.springframework.webflow.util.DispatchMethodInvoker.invoke(
> DispatchMethodInvoker.java:103)
> at
> org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java
> :136)
> at
> org.springframework.webflow.action.AbstractAction.execute(
> AbstractAction.java:203)
> at
> org.springframework.webflow.engine.AnnotatedAction.execute(
> AnnotatedAction.java:142)
> at
> org.springframework.webflow.engine.ActionExecutor.execute(
> ActionExecutor.java:61)
> at
> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
> :180)
> at org.springframework.webflow.engine.State.enter(State.java:200)
> at
> org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> at
> org.springframework.webflow.engine.TransitionableState.onEvent(
> TransitionableState.java:112)
> at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> at
>
> org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
> (RequestControlContextImpl.java:207)
> at
> org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
> :185)
> at org.springframework.webflow.engine.State.enter(State.java:200)
> at
> org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> at
> org.springframework.webflow.engine.TransitionableState.onEvent(
> TransitionableState.java:112)
> at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> at
>
> org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
> (RequestControlContextImpl.java:207)
> at
> org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(
> FlowExecutionImpl.java:214)
> at
> org.springframework.webflow.executor.FlowExecutorImpl.resume(
> FlowExecutorImpl.java:238)
> at
>
> org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest
> (FlowRequestHandler.java:115)
> at
>
> org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal
> (FlowController.java:170)
> at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest(
> AbstractController.java:153)
> at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
> SimpleControllerHandlerAdapter.java:48)
> at
> org.springframework.web.servlet.DispatcherServlet.doDispatch(
> DispatcherServlet.java:819)
> at
> org.springframework.web.servlet.DispatcherServlet.doService(
> DispatcherServlet.java:754)
> at
> org.springframework.web.servlet.FrameworkServlet.processRequest(
> FrameworkServlet.java:399)
> at
> org.springframework.web.servlet.FrameworkServlet.doPost(
> FrameworkServlet.java:364)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> at
> org.jasig.cas.web.init.SafeDispatcherServlet.service(
> SafeDispatcherServlet.java:115)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> ApplicationFilterChain.java:269)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(
> ApplicationFilterChain.java:188)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(
> StandardWrapperValve.java:210)
> at
> org.apache.catalina.core.StandardContextValve.invoke(
> StandardContextValve.java:174)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> :127)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> :117)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(
> StandardEngineValve.java:108)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
> :151)
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
> at
>
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection
> (Http11BaseProtocol.java:665)
> at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(
> PoolTcpEndpoint.java:528)
> at
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(
> LeaderFollowerWorkerThread.java:81)
> at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
> ThreadPool.java:685)
> at java.lang.Thread.run(Thread.java:595)
>
> this is my deployConfigContext.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
> "http://www.springframework.org/dtd/spring-beans.dtd">
> <!--
> | deployerConfigContext.xml centralizes into one file some of the
> declarative configuration that
> | all CAS deployers will need to modify.
> |
> | This file declares some of the Spring-managed JavaBeans that make
> up a
> CAS deployment.
> | The beans declared in this file are instantiated at context
> initialization time by the Spring
> | ContextLoaderListener declared in web.xml. It finds this file
> because
> this
> | file is among those declared in the context parameter
> "contextConfigLocation".
> |
> | By far the most common change you will need to make in this file
> is to
> change the last bean
> | declaration to replace the default
> SimpleTestUsernamePasswordAuthenticationHandler with
> | one implementing your approach for authenticating usernames and
> passwords.
> +-->
> <beans>
>
> <!--
> | This bean declares our AuthenticationManager. The
> CentralAuthenticationService service bean
> | declared in applicationContext.xml picks up this
> AuthenticationManager
> by reference to its id,
> | "authenticationManager". Most deployers will be able to
> use the default
> AuthenticationManager
> | implementation and so do not need to change the class of
> this bean. We
> include the whole
> | AuthenticationManager here in the userConfigContext.xmlso that you can
> see the things you will
> | need to change in context.
> +-->
> <bean id="authenticationManager"
> class="
> org.jasig.cas.authentication.AuthenticationManagerImpl">
> <!--
> | This is the List of
> CredentialToPrincipalResolvers that identify what
> Principal is trying to authenticate.
> | The AuthenticationManagerImpl considers them in
> order, finding a
> CredentialToPrincipalResolver which
> | supports the presented credentials.
> |
> | AuthenticationManagerImpl uses these resolvers
> for two purposes.
> First, it uses them to identify the Principal
> | attempting to authenticate to CAS /login . In
> the default
> configuration, it is the DefaultCredentialsToPrincipalResolver
> | that fills this role. If you are using some
> other kind of credentials
> than UsernamePasswordCredentials, you will need to replace
> | DefaultCredentialsToPrincipalResolver with a
> CredentialsToPrincipalResolver that supports the credentials you are
> | using.
> |
> | Second, AuthenticationManagerImpl uses these
> resolvers to identify a
> service requesting a proxy granting ticket.
> | In the default configuration, it is the
> HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
> | You will need to change this list if you are
> identifying services by
> something more or other than their callback URL.
> +-->
> <property name="credentialsToPrincipalResolvers">
> <list>
> <!--
> |
> UsernamePasswordCredentialsToPrincipalResolver supports the
> UsernamePasswordCredentials that we use for /login
> | by default and produces
> SimplePrincipal instances conveying the
> username from the credentials.
> |
> | If you've changed your
> LoginFormAction to use credentials other than
> UsernamePasswordCredentials then you will also
> | need to change this bean
> declaration (or add additional declarations)
> to declare a CredentialsToPrincipalResolver that supports the
> | Credentials you are using.
> +-->
> <bean
>
> class="
> org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver
> "
> />
> <!--
> |
> HttpBasedServiceCredentialsToPrincipalResolver supports
> HttpBasedCredentials. It supports the CAS 2.0 approach of
> | authenticating services by SSL
> callback, extracting the callback URL
> from the Credentials and representing it as a
> | SimpleService identified by that
> callback URL.
> |
> | If you are representing services
> by something more or other than an
> HTTPS URL whereat they are able to
> | receive a proxy callback, you
> will need to change this bean
> declaration (or add additional declarations).
> +-->
> <bean
>
> class="
> org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver
> "
> />
> </list>
> </property>
>
> <!--
> | Whereas CredentialsToPrincipalResolvers identify
> who it is some
> Credentials might authenticate,
> | AuthenticationHandlers actually authenticate
> credentials. Here we
> declare the AuthenticationHandlers that
> | authenticate the Principals that the
> CredentialsToPrincipalResolvers
> identified. CAS will try these handlers in turn
> | until it finds one that both supports the
> Credentials presented and
> succeeds in authenticating.
> +-->
> <property name="authenticationHandlers">
> <list>
> <!--
> | This is the authentication
> handler that authenticates services by
> means of callback via SSL, thereby validating
> | a server side SSL certificate.
> +-->
> <bean
>
> class="
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
> ">
> <property
> name="httpClient"
> ref="httpClient" />
> </bean>
>
> <!--
> | This is the authentication
> handler declaration that every CAS
> deployer will need to change before deploying CAS
> | into production. The default
> SimpleTestUsernamePasswordAuthenticationHandler authenticates
> UsernamePasswordCredentials
> | where the username equals the
> password. You will need to replace
> this with an AuthenticationHandler that implements your
> | local authentication strategy.
> You might accomplish this by coding a
> new such handler and declaring
> |
> edu.someschool.its.cas.MySpecialHandler here, or you might use one of
> the handlers provided in the adaptors modules.
> +-->
>
>
> <bean
> class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
> <property name="filter"
> value="uid=%u" />
> <property name="searchBase"
> value="cn=Users,dc=z,dc=z" />
> <property name="contextSource"
> ref="contextSource" />
> <property name="ignorePartialResultException"
> value="yes" />
> </bean>
> </list>
> </property>
> </bean>
> <bean id="contextSource"
> class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
> <property name="password" value="{11111}"/>
> <property name="pooled" value="true" />
> <property name="urls">
> <list>
> <value>ldaps://irisad.net/</value>
> </list>
> </property>
> <property name="userName" value="{cn=aa,cn=Users,dc=z,dc=z}"/>
> <property name="baseEnvironmentProperties">
> <map>
> <entry>
> <key>
> <value>java.naming.security.protocol</value>
> </key>
> <value>ssl</value>
> </entry>
> <entry>
> <key>
> <value>java.naming.security.authentication</value>
> </key>
> <value>simple</value>
> </entry>
> <entry>
> <key>
> <value>java.naming.referral</value>
> </key>
> <value>follow</value>
> </entry>
> </map>
> </property>
> </bean>
> </beans>
>
> thanks.
> --
> View this message in context:
> http://www.nabble.com/SSLHandshakeException-when-try-connect-LDAP-tp14799522p14799522.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080114/1881f43f/attachment.html
More information about the cas
mailing list