SSL help


SSL help

Colin Berry
I've decided to use SSL with client authentication for my app and managed to install and test it with tomcat6 and orbeon dev-post-3.7.1-200907250028. Two problems remain.

The example apps which use [xf:submission replace="instance" method="post" .../] don't work. If I point my browser to http://localhost:8080/orbeon/xforms-sql-address-book (or instant translation) they work fine. Change to https://localhost:8443 and no joy. The other example apps seem ok. With security problems it is hard to know. Is this a feature or a bug?

With basic authentication I can get oxf:request-security to check my current user's role and return his username. If I can get my configuration right, should oxf:request-security or a similar processor continue to do this for me? Can somebody point me at the documentation to help with that configuration?

Re: SSL help

Erik Bruchez
Administrator
Colin,

I may be wrong but I don't think we have ever tried client
certificates with Orbeon Forms. I am not sure what will show as the
username ("principal") provided by the Servlet API in this case.
Please let us know what you find out!

-Erik

On Thu, Jul 30, 2009 at 9:52 AM, Colin Berry<[hidden email]> wrote:

>
> I've decided to use SSL with client authentication for my app and managed to
> install and test it with tomcat6 and orbeon dev-post-3.7.1-200907250028. Two
> problems remain.
>
> The example apps which use [xf:submission replace="instance" method="post"
> .../] don't work. If I point my browser to
> http://localhost:8080/orbeon/xforms-sql-address-book (or instant
> translation) they work fine. Change to https://localhost:8443 and no joy.
> The other example apps seem ok. With security problems it is hard to know.
> Is this a feature or a bug?
>
> With basic authentication I can get oxf:request-security to check my current
> user's role and return his username. If I can get my configuration right
> should oxf:request-security or a similar  processor continue to do this for
> me?  Can somebody point me at the documentation to help with that
> configuration?
> --
> View this message in context: http://www.nabble.com/SSL-help-tp24742398p24742398.html
> Sent from the ObjectWeb OPS - Users mailing list archive at Nabble.com.
>
>
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> OW2 mailing lists service home page: http://www.ow2.org/wws
>
>



Re: SSL help

Alessandro Vernet
Administrator
Colin,

Colin Berry wrote:

> I've decided to use SSL with client authentication for my app and managed to install and test it with tomcat6 and orbeon dev-post-3.7.1-200907250028. Two problems remain.
>
> The example apps which use [xf:submission replace="instance" method="post" .../] don't work. If I point my browser to http://localhost:8080/orbeon/xforms-sql-address-book (or instant translation) they work fine. Change to https://localhost:8443 and no joy. The other example apps seem ok. With security problems it is hard to know. Is this a feature or a bug?
>
> With basic authentication I can get oxf:request-security to check my current user's role and return his username. If I can get my configuration right should oxf:request-security or a similar processor continue to do this for me? Can somebody point me at the documentation to help with that configuration?

Just to clarify, in the SSL case, when it "doesn't work", is the request at least going through? Do you see the request arriving on the other side?

Alex

Re: SSL help

Colin Berry
> Just to clarify, in the SSL case, when it "doesn't work", is the request at least going through? Do you see the request arriving on the other side?

It seems to get to the server in that if I change replace="instance" to replace="all" I get the right xml back. Does that answer your question? Is there a better way to check?


Re: SSL help

Colin Berry
Here is the debug output

2009-08-08 21:18:17,581 INFO  DatabaseImpl  - Collection /db/orbeon/xforms/cache not found
2009-08-08 21:18:19,576 INFO  ProcessorService  - /xforms-sql-address-book/ - Timing: 6935 - Cache hits for cache.main: 767, fault: 128, adds: 128, expirations: 0, success rate: 85%
2009-08-08 21:18:22,944 INFO  ProcessorService  - /xforms-server - Received request
2009-08-08 21:18:23,432 ERROR XFormsServer  - XForms - submission - xforms-submit-error throwable: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)


Re: SSL help

Alessandro Vernet
Administrator
Hi Colin,

Colin Berry wrote:

> Here is the debug output
>
> 2009-08-08 21:18:17,581 INFO  DatabaseImpl  - Collection /db/orbeon/xforms/cache not found
> 2009-08-08 21:18:19,576 INFO  ProcessorService  - /xforms-sql-address-book/ - Timing: 6935 - Cache hits for cache.main: 767, fault: 128, adds: 128, expirations: 0, success rate: 85%
> 2009-08-08 21:18:22,944 INFO  ProcessorService  - /xforms-server - Received request
> 2009-08-08 21:18:23,432 ERROR XFormsServer  - XForms - submission - xforms-submit-error throwable: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)

I suspect that the server on which the service is hosted uses a self-signed certificate, and that because of this the submission fails. I.e. when making the call, Java checks the certificate of the server, and because it is self-signed can't verify it is a legitimate certificate (hence the error message "unable to find valid certification path to requested target").

What you need to do is either use a "real" certificate (e.g. signed by Verisign), or add the certificate of your server to a "trust store" on the Orbeon Forms server (the client, from the perspective of this HTTPS request). Then add the following -D parameters when starting the VM that runs Tomcat and Orbeon Forms:

-Djavax.net.ssl.trustStore=path/to/your/truststore -Djavax.net.ssl.trustStorePassword=your-password

Alex
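As an added diagnostic (not Orbeon code, and not part of Alex's reply), the small Java program below replays, offline, the same JDK PKIX path validation that produced the SunCertPathBuilderException in the log above, but against the trust store you intend to hand to Tomcat via -Djavax.net.ssl.trustStore. It assumes you have exported the server certificate to a PEM file (server.crt) and imported it into truststore.jks with keytool; those file names and the password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Constructed diagnostic: checks whether a server certificate chains to an anchor
// in a given trust store, i.e. whether the HTTPS submission from Orbeon would pass
// the "valid certification path" check once Tomcat is started with that store.
public class TrustStoreCheck {

    // Returns true when the PKIX validator accepts the certificate against the store.
    static boolean chainsToTrustStore(String certPemPath, String trustStorePath, char[] storePass)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(certPemPath)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        // Same file and type that -Djavax.net.ssl.trustStore will point Tomcat at.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, storePass);
        }
        PKIXParameters params = new PKIXParameters(trustStore); // anchors = trusted entries
        params.setRevocationEnabled(false); // offline check, no CRL/OCSP fetches
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(cf.generateCertPath(Collections.singletonList(serverCert)), params);
            return true;
        } catch (CertPathValidatorException e) {
            // This is the condition behind "unable to find valid certification path".
            System.err.println("no valid certification path: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustStoreCheck server.crt truststore.jks storepass");
            System.exit(2);
        }
        boolean ok = chainsToTrustStore(args[0], args[1], args[2].toCharArray());
        System.out.println(ok ? "trust store accepts the server certificate"
                              : "trust store has no anchor for the server certificate");
        System.exit(ok ? 0 : 1);
    }
}
```

A passing result here means the -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword flags will resolve the error; a failing one usually means the certificate in the store is not the one the server actually presents on port 8443.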