Re: [eid-applet] Re: Authentication issues (Glassfish)


Frank Cornelis

May 16, 2013, 12:39:30 AM
to eid-a...@googlegroups.com
Hi,


The eID Trust Service comes with an XKMS2Client component to ease integration. Check out:
http://www.e-contract.be/maven2/be/fedict/eid-trust-service/eid-trust-service-sdk/1.0.1.RC5/eid-trust-service-sdk-1.0.1.RC5.zip

You can use the following endpoint:
http://www.e-contract.be/eid-trust-service-ws/xkms2


Kind Regards,
Frank.

On 05/15/2013 10:32 AM, yoer...@gmail.com wrote:
An update: I now use the 1.1.0.RC2 applet. I added the sessionid to the appletservice and now GlassFish gets the same error in Chrome as in IE and FF:
java.lang.SecurityException: authn service error: null     at be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:326)

The problem is similar to this one: https://groups.google.com/forum/?fromgroups=#!topic/eid-applet/KkGlZCU9JCA. So I guess it's the validateCertificateChain that has issues? How do I implement the eID Trust Service?

Thanks!

On Tuesday, May 14, 2013 at 16:04:22 UTC+2, yoer...@gmail.com wrote the following:
Hi,

I have been able to implement the identification part of the eID Applet using Glassfish through Netbeans, but I seem to be having some problems with the authentication part.

I can fill in my pin code, so I suppose my Bean is called correctly. After that the applet gives a Generic Error and Glassfish gives
 "WARNING: StandardWrapperValve[AppletAuthnServiceServlet]: PWC1406: Servlet.service() for servlet AppletAuthnServiceServlet threw exception.
java.lang.RuntimeException: expected a protocol start message
at be.fedict.eid.applet.shared.protocol.ProtocolStateMachine.checkRequestMessage(ProtocolStateMachine.java:121)
.... (see below)". 
What does this error refer to? Does it mean I'm missing something somewhere? A protocol start message somehow...

I read the developer's guide, but it does not give a lot of detail. I checked other posts here and the examples on the codes.google page, but I still can't seem to get there.

Beneath are my errors and relevant files. I hope someone can help me. Thanks!



My web.xml for the authentication:
<servlet> 
        <servlet-name>AppletAuthnServiceServlet</servlet-name> 
        <servlet-class>be.fedict.eid.applet.service.AppletServiceServlet</servlet-class> 
        <init-param> 
            <param-name>AuthenticationService</param-name>
            <param-value>java:global/eID/AuthenticationServiceBean</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>AppletAuthnServiceServlet</servlet-name>
        <url-pattern>/applet-service-authn</url-pattern>
    </servlet-mapping>


The AuthenticationServiceBean:
package isb.eid;
import javax.ejb.Stateless;
import be.fedict.eid.applet.service.spi.AuthenticationService;
import be.fedict.eid.applet.service.spi.CertificateSecurityException;
import be.fedict.eid.applet.service.spi.ExpiredCertificateSecurityException;
import be.fedict.eid.applet.service.spi.RevokedCertificateSecurityException;
import be.fedict.eid.applet.service.spi.TrustCertificateSecurityException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@Stateless
public class AuthenticationServiceBean implements AuthenticationService {
    private static final Log LOG = LogFactory.getLog(AuthenticationServiceBean.class);

    @Override
    public void validateCertificateChain(List<X509Certificate> certificateChain)
            throws ExpiredCertificateSecurityException, RevokedCertificateSecurityException,
            TrustCertificateSecurityException, CertificateSecurityException, SecurityException {
        LOG.debug("validate certificate chain: " + certificateChain);
        HttpServletRequest httpServletRequest;
        try {
            httpServletRequest = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
        } catch (PolicyContextException e) {
            throw new RuntimeException("JACC error: " + e.getMessage());
        }
        HttpSession httpSession = httpServletRequest.getSession();
        httpSession.setAttribute("AuthenticationCertificateChain", certificateChain);
    }
}


authentication.jsp:
<script>
var attributes = {
    code : 'be.fedict.eid.applet.Applet.class',
    archive : 'eid-applet-package-1.0.4.GA.jar',
    width : 600,
    height : 300
};
var parameters = {
    TargetPage : 'authn-result.jsp',
    AppletService : 'applet-service-authn',
    BackgroundColor : '#ffffff',
    Language : 'en'
};
deployJava.runApplet(attributes, parameters);
</script>


The Glassfish error:
WARNING: StandardWrapperValve[AppletAuthnServiceServlet]: PWC1406: Servlet.service() for servlet AppletAuthnServiceServlet threw exception
java.lang.RuntimeException: expected a protocol start message
at be.fedict.eid.applet.shared.protocol.ProtocolStateMachine.checkRequestMessage(ProtocolStateMachine.java:121)
at be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:299)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1550)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:722)



The applet error:
eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.4.GA
Java version: 1.7.0_21
Java vendor: Oracle Corporation
OS: Windows 7
OS version: 6.1
OS arch: x86
Current time: Tue May 14 15:52:29 CEST 2013
ERROR: no session cookie detected!
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: false
pre-logoff: false
TLS session Id channel binding: false
server certificate channel binding: false
include identity: false
include certificates: false
include address: false
include photo: false
include integrity data: false
require secure smart card reader: false
no PKCS11: false
Detecting eID card...
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 2.0
cryptoki version: 2.b
reader: Alcor Micro USB Smart Card Reader 0
Belgium eID card in slot: 0
Authenticating...
getting protection parameter
key alias: Root
key alias: CA
key alias: Authentication
key alias: Signature
sending message: AuthenticationDataMessage
current protocol state: AUTHENTICATE
SSL handshake finish cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
HTTP response code: 500
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>GlassFish Server Open Source Edition 3.1.2.2 - Error report</title><style type="text/css"><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><hr/><p><b>type</b> Exception report</p><p><b>message</b></p><p><b>description</b>The server encountered an internal error () that prevented it from fulfilling this request.</p><p><b>exception</b> <pre>java.lang.RuntimeException: expected a protocol start message</pre></p><p><b>note</b> <u>The full stack traces of the exception and its root causes are available in the GlassFish Server Open Source Edition 3.1.2.2 logs.</u></p><hr/><h3>GlassFish Server Open Source Edition 3.1.2.2</h3></body></html>
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:227
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1291
at be.fedict.eid.applet.Controller.run:382
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Generic Error.

Frank Cornelis

May 16, 2013, 7:59:45 AM
to eid-a...@googlegroups.com
Hi Yoeri,


The eID Applet Service servlet lives within your WAR.
Where is your EJB3 AuthenticationService session bean located? Within an EJB JAR within an EAR?
If so, because eid-trust-service-client lives within the WAR, the EJB JAR cannot see it.
Move eid-trust-service-client one level up (in the EAR/libs) to fix this issue.


Kind Regards,
Frank.

On 05/16/2013 01:18 PM, yoer...@gmail.com wrote:
Ok thanks!

I now have a different issue: I get the same security exception, but it's preceded by "java.lang.ClassNotFoundException: be.fedict.trust.xkms2.XKMSServiceFactory".

I think it is some kind of Maven issue, as the eid-trust-service-client-1.0.1.RC5.jar was first not included in the generated WAR by NetBeans. After correcting the dependencies (scope was set on provided) the JAR is now included in the WAR (in WEB-INF/lib, just like the other dependencies). But I still get the same issue... As I know nothing about Maven, I don't know how I can get this to work. If I make validateCertificateChain empty everything works, so it's all about not finding the classfile.

Do I have to add it to "build" in pom.xml somehow? Or is this a manifest thing?


Pom.xml:
    <modelVersion>4.0.0</modelVersion>

    <groupId>ISB</groupId>
    <artifactId>eID</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>war</packaging>

    <name>eID</name>

    <repositories>
        <repository>
            <id>e-contract</id>
            <url>https://www.e-contract.be/maven2</url>
        </repository>
    </repositories>

    <properties>
        <endorsed.dir>${project.build.directory}/endorsed</endorsed.dir>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>javax</groupId>
            <artifactId>javaee-web-api</artifactId>
            <version>6.0</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>be-fedict-eid-applet</groupId>
            <artifactId>eid-applet-shared</artifactId>
            <version>1.1.0.RC2</version>
        </dependency>
        <dependency>
            <groupId>be.fedict.eid-applet</groupId>
            <artifactId>eid-applet-service</artifactId>
            <version>1.1.0.RC2</version>
        </dependency>
        <dependency>
            <groupId>be-fedict-eid-applet</groupId>
            <artifactId>eid-applet-service-spi</artifactId>
            <version>1.1.0.RC2</version>
        </dependency>
        <dependency>
            <groupId>be-fedict-eid-applet</groupId>
            <artifactId>eid-applet-package</artifactId>
            <version>1.1.0.RC2</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>be-fedict-eid-trust-service-client</groupId>
            <artifactId>eid-trust-service-client</artifactId>
            <version>1.0.1.RC5</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>2.3.2</version>
                <configuration>
                    <source>1.6</source>
                    <target>1.6</target>
                    <compilerArguments>
                        <endorseddirs>${endorsed.dir}</endorseddirs>
                    </compilerArguments>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>2.1.1</version>
                <configuration>
                    <failOnMissingWebXml>false</failOnMissingWebXml>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <version>2.1</version>
                <executions>
                    <execution>
                        <id>copy</id>
                        <phase>process-resources</phase>
                        <goals>
                            <goal>copy</goal>
                        </goals>
                        <configuration>
                            <artifactItems>
                                <artifactItem>
                                    <groupId>be-fedict-eid-applet</groupId>
                                    <artifactId>eid-applet-package</artifactId>
                                    <version>1.1.0.RC2</version>
                                    <type>jar</type>
                                    <outputDirectory>${project.build.directory}/${project.artifactId}</outputDirectory>
                                </artifactItem>
                            </artifactItems>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

</project>



On Thursday, May 16, 2013 at 06:39:30 UTC+2, Frank Cornelis wrote the following:

Frank Cornelis

May 16, 2013, 9:03:34 AM
to eid-a...@googlegroups.com
Hi Yoeri,


OK, so WEB-INF/classes can see WEB-INF/lib, but the other way around fails.
I'm afraid you'll need to construct an EAR file to resolve this scoping issue.


Kind Regards,
Frank.

On 05/16/2013 02:27 PM, yoer...@gmail.com wrote:
Hi Frank,

My AuthenticationServiceBean is in the default package of my Source Packages in NetBeans (7.3). If I look at my resulting WAR file, the class file is in WEB-INF/classes, while the dependencies are in WEB-INF/lib. Should these be somewhere else?

I added the classpath in pom.xml so that the jars are in the manifest, which worked but it didn't help.
<archive>
  <manifest>
    <addClasspath>true</addClasspath>
  </manifest>
</archive>


Thanks again for all the help, I think I'm close!

On Thursday, May 16, 2013 at 13:59:45 UTC+2, Frank Cornelis wrote the following:

Frank Cornelis

May 17, 2013, 8:42:09 AM
to yoer...@gmail.com, eid-a...@googlegroups.com
Hi Yoeri,


The eID Trust Service takes care of the entire certificate chain validation process. This includes CRL, OCSP, you name it.

Please use https instead of http when connecting to the e-contract.be eID Trust Service.


Kind Regards,
Frank.

On 05/17/2013 10:53 AM, yoer...@gmail.com wrote:
Still wrestling with this, but I have a question about the certificates: do the following lines (in validateCertificateChain) do everything about the validation of the certificates? I don't know much about certificates, but does it do the connection with the OCSP server of the government? So does my server need something to be able to process OCSP requests?

XKMS2Client client = new XKMS2Client("http://www.e-contract.be/eid-trust-service-ws/xkms2");
client.validate(certificateChain);

On Thursday, May 16, 2013 at 15:53:03 UTC+2, yoer...@gmail.com wrote the following:
So the only way to make this work is by having an external EAR file (containing the Bean) which is inside the original WAR file? Seems kind of messy :) I'll see what I can do!

On Thursday, May 16, 2013 at 15:03:34 UTC+2, Frank Cornelis wrote the following:
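For readers following the exchange above, here is an added example of what the AuthenticationServiceBean could look like once validation is delegated to the eID Trust Service over https, as Frank recommends. This is not code from the thread or from the eID Applet / eID Trust Service projects. It uses only the calls the thread shows (the XKMS2Client constructor taking an endpoint URL and its validate(List<X509Certificate>) method) plus the SPI exception types the original bean already imports; it assumes those SPI exceptions have no-argument constructors, and, because the thread does not show which checked exceptions validate() declares, it catches any exception from the call and treats it as a trust failure so the bean fails closed.

```java
package isb.eid;

import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.ejb.Stateless;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import be.fedict.eid.applet.service.spi.AuthenticationService;
import be.fedict.eid.applet.service.spi.CertificateSecurityException;
import be.fedict.eid.applet.service.spi.ExpiredCertificateSecurityException;
import be.fedict.eid.applet.service.spi.RevokedCertificateSecurityException;
import be.fedict.eid.applet.service.spi.TrustCertificateSecurityException;
import be.fedict.trust.client.XKMS2Client;

@Stateless
public class AuthenticationServiceBean implements AuthenticationService {

    private static final Log LOG = LogFactory.getLog(AuthenticationServiceBean.class);

    // TLS endpoint of the e-contract.be eID Trust Service (https, as advised in the thread).
    private static final String XKMS2_ENDPOINT = "https://www.e-contract.be/eid-trust-service-ws/xkms2";

    @Override
    public void validateCertificateChain(List<X509Certificate> certificateChain)
            throws ExpiredCertificateSecurityException, RevokedCertificateSecurityException,
            TrustCertificateSecurityException, CertificateSecurityException, SecurityException {
        // Fail closed: without a chain there is nothing to authenticate.
        if (certificateChain == null || certificateChain.isEmpty()) {
            throw new SecurityException("empty certificate chain");
        }
        X509Certificate authnCert = certificateChain.get(0);
        LOG.debug("validating chain for: " + authnCert.getSubjectX500Principal());

        // Cheap local check before any network round-trip: the leaf must be within its validity period.
        try {
            authnCert.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new ExpiredCertificateSecurityException(); // assumed no-arg constructor
        } catch (CertificateNotYetValidException e) {
            throw new CertificateSecurityException(); // assumed no-arg constructor
        }

        // Chain building, trust-anchor and revocation (CRL/OCSP) checks are done by the trust service;
        // this server needs no OCSP or CRL handling of its own.
        XKMS2Client client = new XKMS2Client(XKMS2_ENDPOINT);
        try {
            client.validate(certificateChain);
        } catch (Exception e) {
            // Exact checked exceptions of validate() are not shown in the thread: any failure to get
            // a positive validation result (including unreachable service) is treated as untrusted.
            LOG.warn("eID Trust Service validation failed: " + e.getMessage());
            throw new TrustCertificateSecurityException(); // assumed no-arg constructor
        }

        // Same session hand-off as the original bean, so the target page can read the chain.
        HttpServletRequest request;
        try {
            request = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
        } catch (PolicyContextException e) {
            throw new RuntimeException("JACC error: " + e.getMessage(), e);
        }
        HttpSession session = request.getSession();
        session.setAttribute("AuthenticationCertificateChain", certificateChain);
    }
}
```

The ordering is deliberate: the local validity check rejects obviously stale cards without contacting the trust service, and the catch-all around validate() means a network failure or missing revocation data results in a refused login rather than a silently accepted one.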

Frank Cornelis

May 21, 2013, 5:35:29 AM
to yoer...@gmail.com, eid-a...@googlegroups.com
Hi Yoeri,


Maybe try to include both eid-trust-service-client and eid-trust-service-ws?

The reason why eid-trust-service-ws is not part of eid-trust-service-client, is that eid-trust-service-ws is used by both the client and the web service implementation as it contains the JAX-WS compiled WSDL.


Kind Regards,
Frank.


On 05/21/2013 11:31 AM, yoer...@gmail.com wrote:
Ok thanks!

I was actually wrong, eid-trust-service-client-1.0.1.RC5 is included, as the error is:
"java.lang.NoClassDefFoundError: be/fedict/trust/xkms2/XKMSServiceFactory
at be.fedict.trust.client.XKMS2Client.<init>(XKMS2Client.java:129)
...."

So XKMS2Client can't find XKMSServiceFactory, which the jar indeed doesn't have. Is there a jar that contains both these classes? And everything else that XKMS2Client needs (https://code.google.com/p/eid-trust-service/source/browse/trunk/eid-trust-service-client/src/main/java/be/fedict/trust/client/XKMS2Client.java?r=313). I found eid-trust-service-xkms2-ws in http://www.e-contract.be/maven2/be/fedict/eid-trust-service/, but this doesn't have XKMS2Client. Or am I missing a piece of information?


On Friday, May 17, 2013 at 14:42:09 UTC+2, Frank Cornelis wrote the following: