Wednesday, March 28, 2012

Client authentication with SSL certificates in Jetty in maven

Here is an example pom.xml fragment:

  <build>
    <plugins>
        <plugin>
            <groupId>org.mortbay.jetty</groupId>
            <artifactId>maven-jetty-plugin</artifactId>
            <configuration>
                <contextPath>/mycontext</contextPath>
                <scanIntervalSeconds>5</scanIntervalSeconds>
                <connectors>
                    <!--connector implementation="org.mortbay.jetty.nio.SelectChannelConnector">
                        <port>8080</port>
                        <maxIdleTime>60000</maxIdleTime>
                    </connector-->
                    <connector implementation="org.mortbay.jetty.security.SslSocketConnector">
                        <port>8443</port>
                        <maxIdleTime>60000</maxIdleTime>
                        <keystore>${project.basedir}/src/main/certificates/server1.jks</keystore>
                        <password>pass</password>
                        <keyPassword>pass</keyPassword>
                        <wantClientAuth>true</wantClientAuth><!-- deprecated! -->
                        <needClientAuth>false</needClientAuth><!-- deprecated! -->
                        <!-- http://stackoverflow.com/questions/8816874/avoid-use-of-deprecated-methods-in-org-eclipse-jetty-server-ssl-sslsocketconnect -->
                    </connector>
                </connectors>
            </configuration>
        </plugin>
    </plugins>
  </build>

Client authentication with SSL certificates in Tomcat

Place something like this in server.xml file:

      <Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           keystorePass="pass"
           keystoreFile="/data/miteff/someserver/server1.jks"
           truststoreFile="/data/miteff/eshop/MiteffRootCa.jks"
           truststorePass="pass"
           keyAlias="www.miteff.com"
           clientAuth="want"
           SSLVerifyClient="optional"
           SSLCACertificateFile="/data/miteff/someserver/MiteffRootCA.pem"
       />


Attention: in Tomcat 6.0 the clientAuth parameter can take the value "want", so the connector accepts connections both with and without client certificates. The application can then decide internally what to do with the two types of clients. Note that Tomcat 6.0 does NOT understand the option clientAuth="optional". I suppose it was valid at some time, but now it is not.

Tuesday, March 27, 2012

Checking certificate validity via CRL with openssl


openssl verify -crl_check -CAfile miteff-root-ca-c.crt -untrusted signer-ca-c3-chain.crt https-miteff.com.chain.crt

Thursday, March 22, 2012

maven webapp archetype


mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-webapp -DarchetypeArtifactId=maven-archetype-webapp

Wednesday, March 21, 2012

Test your bugfix skills

Here is a bug. Find it:

        BufferedReader reader = request.getReader();
        StringBuilder requestSB = new StringBuilder();
        String requestStr;
        String line;

        while ((line = reader.readLine()) != null) {
            requestSB.append( line );
            requestSB.append( '\n' );
        }
        requestStr = requestSB.toString();


In which situations does this bug appear?
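As an added example (not part of the original post), here is a self-contained harness that runs the loop above next to a loop that copies characters unchanged, on constructed request bodies, so you can see when the two results differ. This matters whenever the application needs the body exactly as sent, for instance to verify a signature or MAC computed over it.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

// Added example, not from the original post; plain JDK, no servlet API needed.
public class RequestBodyReaders {

    // The loop from the post: readLine() drops every line terminator and the
    // loop appends '\n' after each line, including the last one.
    static String readWithReadLine(Reader in) throws IOException {
        BufferedReader reader = new BufferedReader(in);
        StringBuilder requestSB = new StringBuilder();
        String line;
        while ((line = reader.readLine()) != null) {
            requestSB.append(line);
            requestSB.append('\n');
        }
        return requestSB.toString();
    }

    // Copies the body character for character, so the application sees
    // exactly what the client sent (terminators included).
    static String readExact(Reader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            sb.append(buf, 0, n);
        }
        return sb.toString();
    }

    // Escapes CR and LF so the differences are visible in the output.
    static String show(String s) {
        return "\"" + s.replace("\r", "\\r").replace("\n", "\\n") + "\"";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample bodies: a JSON document without a trailing newline,
        // a body with CRLF line ends as many HTTP clients send, and a LF body.
        String[] bodies = { "{\"id\":1}", "line1\r\nline2\r\n", "line1\nline2\n" };
        for (String body : bodies) {
            String viaReadLine = readWithReadLine(new StringReader(body));
            String exact = readExact(new StringReader(body));
            System.out.printf("body=%s readLine=%s exact=%s unchanged=%b%n",
                    show(body), show(viaReadLine), show(exact), viaReadLine.equals(body));
        }
    }
}
```

Only the third body survives the readLine() loop unchanged; the first gains a newline and the second has its CRLF pairs turned into LF, while readExact returns every body as it was.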

Getting HTTPS SSL certificates from HttpRequest in Java

Such an easy solution:

java.security.cert.X509Certificate[] cert = (java.security.cert.X509Certificate[])
        httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");


The result is the whole certificate chain.

The client may or may not send its certificate. A client certificate can be sent in SSL version 3 and in TLS. You have to set an option on the web application server so that it wants and accepts client certificates. In Jetty, the option is named wantClientAuth. Later I will extend the article with the name for Tomcat.
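An added example (not from the original post) of a servlet filter that reads the attribute above and handles the case where the client sent no certificate. It assumes the javax.servlet API on the classpath and a connector configured with wantClientAuth=true (Jetty) or clientAuth="want" (Tomcat); the attribute name client.subject is this example's own choice.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post. Assumes the javax.servlet API and a
// connector that "wants" (does not require) a client certificate.
public class ClientCertFilter implements Filter {
    // Standard request attribute under which the container exposes the chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Attribute name chosen for this example; the application reads the DN from it.
    static final String SUBJECT_ATTR = "client.subject";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // With "want" the handshake succeeds without a client certificate
            // (with "need"/required it would have failed earlier); the
            // application decides what an anonymous client may do.
            chain.doFilter(req, res);
            return;
        }
        // certs[0] is the client's own certificate, followed by the chain it sent.
        // The container's trust manager already validated it against the
        // truststore; checkValidity() here is a defence-in-depth check.
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }
        request.setAttribute(SUBJECT_ATTR, leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }
}
```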

Monday, March 19, 2012

Adding external jar libraries to maven project

You have to add something like this to your pom.xml:

    <dependency>
        <groupId>com.xxx.yyy.messages</groupId>
        <artifactId>xxxyyyMessages2</artifactId>
        <version>2.0-SNAPSHOT</version>
        <scope>system</scope>
        <systemPath>${project.basedir}/../xxxyyyMessages2/target/xxxyyyMessages2-2.0-SNAPSHOT.jar</systemPath>
    </dependency>

Tuesday, March 13, 2012

Starting a java application with debug logs for SUN packages

First check which property enables debug output for the package you want logs from. This is an example for java.security (and some packages related to it):

java -Djava.security.debug=certpath ApplicationFromMiteffDotCom

Monday, March 12, 2012

Making jar with dependency jars incorporated with maven

I want to start my program from a plain console. Here is the code that has to be placed in pom.xml:

Redirecting output in MS DOS

I need to redirect the error output to a file as well. This can be done with

command > certpath.txt 2>&1


For example:

java -Djava.security.debug=certpath -jar target\xxx-2.0-SNAPSHOT-jar-with-dependencies.jar > certpath.txt 2>&1

Friday, March 9, 2012

Checking certificate validity via OCSP with OpenSSL

The certificate has to have an OCSP definition.


openssl
OpenSSL>
OpenSSL> ocsp -issuer G:\temp\1\XXXRootCA.pem -cert G:\temp\1\XXXRootCA.pem -CAfile G:\temp\1\XXXRootCA.pem -url http://ocsp.myserver.com:80 -text


Note: use the full path to the files.

Debugging classes without sources

I have to debug some classes which are not provided with source code in NetBeans.

I have to choose from these options:
1. Switch to Eclipse and use JD-Eclipse. Many people indicate that they use it without problems.
2. Decompile the sources and add them to the IDE. In this case we have another problem: line numbers. From the Java bytecode, the IDE knows the lines where the operations are placed in the source code. If the lines mismatch, the debugger jumps to the wrong line numbers and fails.

Sunday, March 4, 2012

Multiple vhosts with apache httpd

There are two major questions about that:
1. Can an Apache site have multiple HTTPS virtual hosts?
2. Can an Apache site have different certificates for different virtual hosts?

Answers: