Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/java/306.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Java CAS-Pac4J-SSLHandshakeException_Java_Spring_Tomcat_Ssl_Cas - Fatal编程技术网
Fatal编程技术网
  • java/
  • Java CAS-Pac4J-SSLHandshakeException

Java CAS-Pac4J-SSLHandshakeException

java spring tomcat ssl

Java CAS-Pac4J-SSLHandshakeException,java,spring,tomcat,ssl,cas,Java,Spring,Tomcat,Ssl,Cas,我尝试在通过IP地址访问的服务器上运行两个Java应用程序 第一个是部署到Tomcat实例的CAS服务器,Tomcat实例安装在上述服务器上。为了支持SSO,我需要运行HTTPS/SSL。这里一切正常–我可以毫无例外地通过HTTPS访问服务器 第二个是我的应用程序,配置为使用CAS服务器作为身份提供程序。它不需要HTTPS。应用程序在Spring嵌入式Tomcat上运行 当我打开应用程序的受保护部分时,我会重定向到CAS登录页面。提交登录表单后,我将重定向到应用程序(/callback)。正如您

我尝试在通过IP地址访问的服务器上运行两个Java应用程序

第一个是部署到Tomcat实例的CAS服务器,Tomcat实例安装在上述服务器上。为了支持SSO,我需要运行HTTPS/SSL。这里一切正常–我可以毫无例外地通过HTTPS访问服务器

第二个是我的应用程序,配置为使用CAS服务器作为身份提供程序。它不需要HTTPS。应用程序在Spring嵌入式Tomcat上运行

当我打开应用程序的受保护部分时,我会重定向到CAS登录页面。提交登录表单后,我将重定向到应用程序(/callback)。正如您所看到的,CAS服务器端的一切都正常—勾选已创建,用户已重定向。重定向到/回调后,我收到一个异常:

2015-12-20 13:14:10 ERROR CommonUtils:442 - java.security.cert.CertificateException: No subject alternative names present
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1469)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431)
        at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:320)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:83)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
        at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:81)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:776)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:705)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:858)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.sitemesh.webapp.contentfilter.ContentBufferingFilter.bufferAndPostProcess(ContentBufferingFilter.java:169)
        at org.sitemesh.webapp.contentfilter.ContentBufferingFilter.doFilter(ContentBufferingFilter.java:126)
        at org.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:120)
        at org.sitemesh.config.ConfigurableSiteMeshFilter.doFilter(ConfigurableSiteMeshFilter.java:163)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:673)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1526)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1482)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: No subject alternative names present
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:91)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1451)
        ... 66 more
这两个应用程序在我使用“localhost”别名的个人计算机上都可以正常工作,我不需要任何证书

在服务器上:

  • Tomcat的证书:cn=localhost。添加到别名为“tomcat”的cacerts

  • 正在为应用程序创建证书,cn=localhost

    • 2.1

    2.2

    2.3

    我猜应用程序的别名有问题。我试图将此证书作为“localhost”和“我的服务器的主机名”添加到cacerts中。没有什么变化。服务器和我的开发人员环境之间的唯一区别是IP地址,而不是“localhost”别名

    你知道为什么这个解决方案不起作用吗

    编辑2015年1月9日

    我已经解决了这个问题。主要错误是从错误的密钥库创建和导入证书: 1.Tomcat被配置为使用/home/.keystore 2.我尝试使用/root/.keystore创建证书,并将创建的证书导入到cacerts

    在分析浏览器使用的证书时,我找到了解决方案——并没有任何关于IP的信息

    解决方案

  • 生成证书(Tomcat配置为使用/home/.keystore):

    $JAVA_HOME/bin/keytool–genkey–别名tomcat–keyalg RSA–keystore/HOME/.keystore–ext san=ip:{server_ip}

  • 将证书导出到文件:

    $JAVA_HOME/bin/keytool–导出–别名tomcat–file/HOME/tomcat.cer–keystore/HOME/.keystore

  • 向cacerts导入导出证书:

    $JAVA_HOME/bin/keytool–导入–别名tomcat–file/HOME/tomcat.cer–keystore/etc/ssl/certs/JAVA/cacerts

    • 现在一切都正常了。

    用来调用CAS服务器的url是什么?我指的是pac4j中的CasClient配置?

    用于调用CAS服务器的url是什么?我指的是您在pac4j中的CasClient配置?

    CAS服务器主机:
    https://:8443/CAS/login
    CAS服务器登录url:
    https://:8443/CAS/login?service=http://:8081/callback?client_name=CasClient
    应用程序主机:
    http://:8081
    我已经看到了一些关于这方面的问题,特别是:。我认为在使用keytool时需要此选项:-ext san=ip:I从cecerts删除旧证书,使用-ext san=ip:,创建新证书,导入到cacerts-没有任何更改。当我列出“-keystore/etc/ssl/certs/java/cacerts-list-v-alias tomcat”时,我看到SubjectAlternativeName[IPAddress:]。100%肯定地说,我重新启动了tomcat和应用程序实例。我应该为应用程序创建任何证书吗?CAS服务器主机:
    https://:8443/CAS/login
    CAS服务器登录url:
    https://:8443/CAS/login?service=http://:8081/callback?client\u name=CasClient
    应用程序主机:
    http://:8081
    我看到了一些关于这方面的问题,特别是:。我认为在使用keytool时需要此选项:-ext san=ip:I从cecerts删除旧证书,使用-ext san=ip:,创建新证书,导入到cacerts-没有任何更改。当我列出“-keystore/etc/ssl/certs/java/cacerts-list-v-alias tomcat”时,我看到SubjectAlternativeName[IPAddress:]。100%肯定地说,我重新启动了tomcat和应用程序实例。我应该为申请创建任何证书吗? 
    $JAVA_HOME/bin/keytool -genkey -alias communicator -keyalg RSA

    $JAVA_HOME/bin/keytool -export -alias communicator -file communicator.cer -keystore ~/.keystore

    $JAVA_HOME/bin/keytool -import -file /etc/ssl/certs/java/ communicator.cer -keypass changeit -keystore /etc/ssl/certs/java/cacerts -alias communicator

    $JAVA_HOME/bin/keytool –genkey –alias tomcat –keyalg RSA –keystore /home/.keystore –ext san=ip:{server_ip}

    $JAVA_HOME/bin/keytool –export –alias tomcat –file /home/tomcat.cer –keystore /home/.keystore

    $JAVA_HOME/bin/keytool –import –alias tomcat –file /home/tomcat.cer –keystore /etc/ssl/certs/java/cacerts