I'm having a weird problem with a JSF application I'm currently working on. It seems like there are two parts of my programm which are colliding.
There are two parts:
the "banking" functionality
the mail functionality
The relevant part of the banking functionality (It's a fake bank just for this exercise):
String path = FacesContext.getCurrentInstance().getExternalContext() .getRealPath("/") + "/WEB-INF/sec/certs.jks";
ErrorHandler.trace(path);
System.setProperty("javax.net.ssl.trustStore", path);
Here it's setting the Trust Store with the certificate for the bank server.
The mail part looks like this:
Properties props = new Properties();
props.put("mail.smtp.auth", this.smtpServer.isAuthenticated());
props.put("mail.smtp.starttls.enable", this.smtpServer.isTls());
props.put("mail.smtp.host", this.smtpServer.getHostaddr());
props.put("mail.smtp.port", this.smtpServer.getPort());
props.put("mail.smtps.auth", "true");
props.put("mail.smtp.debug", "true");
final String username = this.smtpServer.getUsername();
final String password = this.smtpServer.getPassword();
Session session = Session.getDefaultInstance(props,
new javax.mail.Authenticator() {
#Override
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(username, password);
}
});
session.setDebug(true);
One way to reproduce the problem:
The problem I'm facing is that if I start the application and, for example, use the "change mail" functionality I'll get my notification mail immediately. No problem there. Then I'll try to buy a product thus triggering the bank functionality.
That's where the problem shows up:
Communication Error: javax.ws.rs.WebApplicationException: javax.xml.bind.MarshalException
- with linked exception:
[javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Another way to reproduce the problem:
Now let's say I restart my application and try to order something, this time it'll work but the mail functionality is broken with this error message:
DEBUG: setDebug: JavaMail version 1.4.7
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtps,com.sun.mail.smtp.SMTPSSLTransport,Oracle]
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "smtp.gmail.com", port 465, isSSL true
TRACE Error Could not connect to SMTP host: smtp.gmail.com, port: 465
Bottom line:
If I trigger bank and then mail -> mail not working
If I trigger mail and then bank -> bank not working
Anyone who could find a problem there?
Thank you!
Your "banking functionality" is changing the trust store. That new trust store needs to have the certificates necessary to validate the SSL connection with your mail server. You can initialize your trust store with all the CA certificates from the JDK default trust store, or you can add just the specific certificate for your mail server - see the InstallCert program. Finally, you can configure JavaMail to use a separate trust store, or change your banking functionality to use a trust store explicitly rather than overriding the default trust store; those are probably more complicated.
The problem was, that the mail functionality was working if there's no trustStore set (because it's using the system's default trustStore which is located in:
/Library/Java/JavaVirtualMachines/jdk1.7.0_25.jdk/Contents/Home/jre/lib/security/cacerts
on a Mac.
The banking functionality is using it's own certificate which was located in:
MyProject/.../WEB-INF/sec/certs.jks
Every time the JavaMail tried to authenticate to Google's SMTP server it tried to use the certs.jks trustStore even though I unset the trustStore property the banking functionality set in the mail method.
Fix:
At the beginning of the mail method:
String path = FacesContext.getCurrentInstance().getExternalContext()
.getRealPath("/")
+ "WEB-INF/sec/certs.jks";
System.setProperty("javax.net.ssl.trustStore", path);
Import the default cacerts keyStore into our own custom keyStore:
keytool -importkeystore -srckeystore certs.jks -destkeystore cacerts
Related
I've cloned https://github.com/ananay/passport-apple-example and replaced the config with this:
clientID: "com.myname.web",
teamID: "myteamid",
callbackURL: "https://myurldev.com/auth/apple/redirect",
keyID: "mykeyid",
privateKeyLocation: path.join(__dirname, "../apple-key.p8")
I've also added SSL certificate on my machine and starting the server with https, all works fine & is recognized by my browser. I'm also starting the app on port 443 and proxying using my hosts file myurl.dev.com -> 127.0.0.1.
I have the same auth setup for facebook, google & microsoft and everything works fine.
I have:
Created a new APP identifier and enabled Sign in with Apple for it, named it: com.myname.dev
Created a new SERVICE identifier and enabled Sign in with apple, called it: com.myname.web
Added "https://myurldev.com/auth/apple/redirect" to the "Reply URLS" on the service identifier com.myname.web
Set my app identifier com.myname.dev as the main app identifier my service to be grouped with.
Created a private key and enabled sign in with apple, interface confirmed the presence of grouped ID com.myname.web bundled with com.myname.dev for which the key was created.
I have confirmed using console.log that the private key is indeed at the path being passed as parameter.
converted the .p8 file to base64 & then back to UTF-8 in an attempt to use the string for privateKeyString
successfully implemented Apple Oauth several times in the past using passport-apple
This time around, for some reason, auth simply doesn't work.
If I set the clientID as the APP identifier, not the service, I'm getting
invalid_request
Invalid web redirect url.
instead of invalid_client
Any advice on debugging this is highly appreciated. Thank you.
EDIT #1:
I have dug a bit deeper into the passport-apple package to figure out if anything goes against apple's docs around token generation, but the flow never reaches that part, indicating things go wrong on the actual configuration in Apple's console & what I'm trying to use for my project.
EDIT #2
2 of the app Ids I have created always throw "wrong redirect uri" because they're not service IDs so I can't configure redirect_uri, this will change if to "required" if I pass undefined as a redirect_uri.
One of the app ids throws only invalid client_id instead, regardless if I pass undefined or good value for redirect_uri.
EDIT #3
Went full vanilla through the OAuth code flow process and just created a url & redirected the user it, failing with this method is consistent with what is happening when using the passport-apple module.
const url = new URL("https://appleid.apple.com/auth/authorize");
url.searchParams.append("state", "fdbd287b1f");
url.searchParams.append("response_type", "code");
url.searchParams.append("scope", "name email");
url.searchParams.append("response_mode", "form_post");
url.searchParams.append(
"redirect_uri",
"https://raiseitupdev.com/auth/apple/redirect",
);
url.searchParams.append("client_id", "com.myname.web");
return res.redirect(url.toString());
[Creator of the library here.]
Did it stop working in development too? I feel this is a configuration error because the actual thing is working live on my website:
https://passport-apple.ananay.dev
Please follow up on this Github issue. Thanks!
https://github.com/ananay/passport-apple/issues/23
I'm currently trying to set up a website using Bolt CMS. For a simple contact form, I'm trying to use the "SimpleForms" extension. For this, it seems I have to set up a "mailoptions" field in "config.yml".
Now, for the mail host I use Zoho Mail. I have successfully made an account, verified my domain and so on. My current mailoptions values in the config look like this:
mailoptions:
transport: smtp
host: smtp.zoho.com
port: 465
username: ****
password: ****
auth_mode: null
encyption: null
senderMail: null
senderName: null
Notice, I've obviously just inserted some stars where the username and password is supposed to go :-)
Now, I'm not exactly sure what values are allowed for the last 4 fields. I have not for the life of me been able to find any documentation on this. However, if I simply try to send an email through a SimpleForms contact form with these settings, I get the following error:
Swift_TransportException:
Connection to smtp.zoho.com:465 Timed Out
Again, haven't been able to find much info on this problem. My initial guess is that it might have to do with me not properly setting the last 4 fields, however I just do not know what they are supposed to be :( All I know, from following a DigitalOcean tutorial (I use DigitalOcean as server host), is that the settings are supposed to be as follow:
SMTP Host: smtp.zoho.com
SMTP Port: 465
Use SSL Encryption: Yes, use SSL encryption
SMTP Authentication: Yes, use SMTP authentication
Email Address or Username: The email address that you set up in the previous step. In our example, the email address is "application#example.com"
Email Name: The name associated with the email address. In our example, the name of the email is "Application Mail"
Email Password: The password that you set when you created the application mail account
I have tried different values for auth_mode and encryption, such as:
auth_mode: smtp
encryption: ssl
However, this still gives me the same timeout error.
[EDIT]
So, I was able to find the actual documentation for the values (which is Swiftmailer related). My current settings looks like this:
mailoptions:
transport: smtp
host: smtp.zoho.com
port: 465
username: ****
password: ****
auth_mode: login
encyption: ssl
senderMail: **** (The same as the username email)
senderName: **** (The name of the email account holder)
I've also double checked the mail settings from Zoho's own website, HERE.
This all seems to be correct settings, however I am still getting the original timeout message :(
EDIT
Check the comment of the answer for my stupid mistake :)
Bolt just uses Swiftmailer via the Silex service provider. The Silex documentation page probably has the answers you're looking for… namely:
The following options can be set:
host: SMTP hostname, defaults to 'localhost'.
port: SMTP port, defaults to 25. username: SMTP username, defaults to an empty string.
password: SMTP password, defaults to an empty string.
encryption: SMTP encryption, defaults to null. Valid values are 'tls', 'ssl', or null (indicating no encryption).
auth_mode: SMTP authentication mode, defaults to null. Valid values are 'plain', 'login', 'cram-md5', or null.
For anyone having this problem, do check with your host if there is a security setting that disallows outgoing SMTP.
I'm new to security so some of the terms might be used incorrectly:
When I create a socket connection using SSL_connect, the server should send back the entire certificate chain so that the authenticity of the server can be verified.
For this to happen, the server needs to be configured accordingly.
If the server doesn't send back the entire certificate chain and the intermediate certificate isn't in the client certificate store, the authenticity can't be verified. This results in the behavior experienced here in which FireFox regards a website as unsafe.
I've also read that some browsers are able to attain the intermediate certificate automatically. However, OpenSSL doesn't behavior like this, at least by default.
I've also been told that some (maybe all) intermediate certificates have been installed in Windows certificate stores since some Windows update was rolled out a few years ago.
I would like to view the certificates returned by the server to verify that I'm getting back the entire certificate chain. Here's what I've tried:
I'm using SSLv3_method.
SSL_CTX_set_verify is set using SSL_VERIFY_NONE.
After SSL_connect I use SSL_get_peer_cert_chain to get access to the certificate chain.
Consider:
STACK_OF(X509)* certificateChain = SSL_get_peer_cert_chain(ssl);
while (char* stackCertificate = sk_pop(certificateChain))
{
X509* certificate = (X509*)stackCertificate;
}
Is this the correct way to get the certificate chain? Is my understanding of the situation correct? Is there perhaps a better way to do this?
Thank you for your time and contribution.
The following code snippet is based off code in s_client:
SSL* ssl = ...;
STACK_OF(X509)* certCollection = SSL_get_peer_cert_chain(ssl);
for (size_t i = 0; i < sk_X509_num(certCollection); i++)
{
X509* cert = sk_X509_value(certCollection, i);
...
}
As far as I understand, an SSL session must have been created otherwise SSL_get_peer_cert_chain will return null. Additionally I haven't found any evidence to contradict the list I noted in my question.
Perhaps an easier alternative would be to use the command line tool (downloaded from here):
openssl s_client -connect {server}:{port} -ssl3
I am trying to create a local workspace so I can map it to VisualStudio online account. Here is the command I am trying to run.
tf workspace -new -login:"Windows Live ID"\user,pass -collection:https://shaggyinjun.visualstudio.com/DefaultCollection
For some reason I am seeing an error. The command does have a domain/user,pass. What is this new username and password it is asking me for ?
Federated authentication to this server requires a username and password.
Apparantly this is issue is caused even when using java clients. Here is what Visual Studio Online has to say for it's questionable behavior.
Alternate authentication credentials
Some applications that work outside the browser (including Team Explorer Everywhere
command line client and the git-tf utility) require basic authentication credentials.
Other applications do not properly handle using an e-mail address for the user name
during authentication.
To work with these applications, you need to enable alternate credentials, set a
password, and optionally set a secondary user name not in the form of an e-mail address. > Please note that alternate credentials cannot be used to sign in to the service from a web
browser or outside of these applications.
Here is another question that I posted and was shot down. Just documenting here for future reference
I am able to login using my Visual Studio online credentials via the CLC, but When I try to do the same with a java program, I get an Authentication exception. Is there anything special that needs to be done for Java and / or Visual Studio Online ?
Java Code
public static final String NATIVE_LIBS_SYSTEM_PROPERTY = "com.microsoft.tfs.jni.native.base-directory";
public void connect() {
System.setProperty(NATIVE_LIBS_SYSTEM_PROPERTY, TFS_NATIVE_LIBS_HOME);
Credentials credentials = new UsernamePasswordCredentials("Windows Live ID\\user", "password");
TFSConnection connection = null;
try {
connection = new TFSConfigurationServer(new URI("https://shaggyinjun.visualstudio.com/DefaultCollection"), credentials);
connection.authenticate();
} catch (URISyntaxException ex) {
Exceptions.printStackTrace(ex);
}
}
}
Exception
com.microsoft.tfs.core.ws.runtime.exceptions.UnauthorizedException: Authorization failure connecting to 'https://shaggyinjun.visualstudio.com/DefaultCollection/TeamFoundation/Administration/v3.0/LocationService.asmx' (authenticating as Windows Live ID\user)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:709)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequest(SOAPService.java:473)
at ms.ws._LocationWebServiceSoap12Service.connect(_LocationWebServiceSoap12Service.java:384)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:70)
Caused: com.microsoft.tfs.core.exceptions.TFSUnauthorizedException: Access denied connecting to TFS server https://shaggyinjun.visualstudio.com/ (authenticating as Windows Live ID\venkatram.akkineni#gmail.com)
at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:75)
at com.microsoft.tfs.core.exceptions.mappers.LocationExceptionMapper.map(LocationExceptionMapper.java:32)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:76)
at com.microsoft.tfs.core.clients.framework.location.LocationService.connect(LocationService.java:754)
at com.microsoft.tfs.core.clients.framework.location.LocationService.authenticate(LocationService.java:928)
at com.microsoft.tfs.core.TFSConnection.authenticate(TFSConnection.java:748)
at org.netbeans.modules.libswrapper.Installer.restored(Installer.java:54)
at org.netbeans.core.startup.NbInstaller.loadCode(NbInstaller.java:471)
[catch] at org.netbeans.core.startup.NbInstaller.loadImpl(NbInstaller.java:394)
at org.netbeans.core.startup.NbInstaller.access$000(NbInstaller.java:105)
at org.netbeans.core.startup.NbInstaller$1.run(NbInstaller.java:346)
at org.openide.filesystems.FileUtil$2.run(FileUtil.java:447)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:431)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:451)
at org.netbeans.core.startup.NbInstaller.load(NbInstaller.java:343)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1194)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1017)
at org.netbeans.core.startup.ModuleList.installNew(ModuleList.java:340)
at org.netbeans.core.startup.ModuleList.access$2400(ModuleList.java:118)
at org.netbeans.core.startup.ModuleList$Listener.stepEnable(ModuleList.java:1409)
at org.netbeans.core.startup.ModuleList$Listener.access$1400(ModuleList.java:1007)
at org.netbeans.core.startup.ModuleList$Listener$1.run(ModuleList.java:1231)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.netbeans.core.startup.ModuleList$Listener.run(ModuleList.java:1207)
at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1423)
at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2033)
If you're connecting to visualstudio.com from the cross-platform command line client, you need to set up and use "alternate credentials".
You cannot use a Microsoft Account (Live ID) because - crazy as it sounds - that only works by supplying passwords to that web page and we cannot rely on a web browsers existence on many platforms.
I have an interesting issue I've been trying to resolve for a few days.
I'm currently working with an Windows Server 2003 machine that is running a standard instance of Active Directory.
The directory contains two domain components (DCs) that both house users that are going to be authorizing against the directory, via my application.
I'm using :
The IP address of the server as the host name
An SSL connection via port 3269
The GSS Negotiate Auth Mechanism
A BaseDN that is a parentDN of both DC's
The sAMAccountName as the login name
The problem is, I cannot successfully authorize any users from DC1, yet all of the ones who belong to DC2 are completely fine and work great. I get this error on DC1 :
8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
However, using Softerra's LDAP Broswer, I can connect in and authorize the same exact user without any issue, so I know the credentials are correct.
From what I can tell, both of these DC's are configured the same... I've browsed both of them for something, anything that is different... but have found nothing that really stands out.
I posted something months ago about this particular setup, and the code I'm using is in that thread as well.
Set callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate?
Any help here would be much appreciated.
Thanks!
I was able to get this working, but for the life of me I cannot figure out why this was the case. Basically, this error...
8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
...was dead on. The issue was that users logging in under what I called DC2 needed to issue the bind with the domain AND sAMAccountName (Ex. LIB\JSmith), as opposed to DC1, which allowed just the sAMAccountName to be entered.
I figured the best way to make this programmatic was to use the principal binding account to query for the DN of the user. From that DN, using some crafty RegEx, I'm able to capture the domain they inherit from, and issue two separate binds.
SearchResultEntry ResultEntry = userResponse.Entries[0];
//Let's get the root domain of the user now using our DN RegEx and that search result
Regex RegexForBaseDN = new Regex(config.LdapAuth.LdapDnRegex);
Match match = RegexForBaseDN.Match(ResultEntry.DistinguishedName);
string domain = match.Groups[1].Value;
//Try binding the user with their domain\username
try
{
var thisUser = new NetworkCredential{
Domain = domain,
UserName = username,
Password = Pin
};
//If this goes well, we'll continue forward
ldapconn.Bind(thisUser);
}
//If that doesn't work, try biding them with the highest level domain
catch (LdapException ex)
{
if (ex.ErrorCode.Equals(LdapErrorCodes.LDAP_INVALID_CREDENTIALS))
{
var thisUserOnce = new NetworkCredential{
Domain = config.LdapAuth.LdapDomain,
UserName = username,
Password = Pin
};
//If this goes well, we'll continue forward
ldapconn.Bind(thisUserOnce);
}
}
It's not nearly as elegant as I would have wanted, but it does work for this particular scenario.
However, I'm still really interested in why the naming conventions are different depending on which DC the user inherit's from.