Robert

Reputation: 303

Disable hostname verifier in servlet with CAS

I have CAS deployed on a virtual machine (in JBoss) and I'm trying to use CAS login in a servlet, but when using the SAML protocol in the filters for authentication and validation, I get:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

In the future I'll receive a proper certificate, but until then I want to disable this hostname verifier, for testing. I know I should @Override some code, but I don't know how and where to do this in my servlet, which connects to CAS through filters that are in web.xml. Currently my servlet just overrides the doGet method to print something that I should receive from CAS. Can someone help me, please?

Thank you in advance.

UPDATE: This is the exact error that I see in the logs:

ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/casuser].[cas]] (http-localhost-127.0.0.1-8080-1) Servlet.service() for servlet cas threw exception: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:275) [cas-client-core-3.3.3.jar:3.3.3]
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:200) [cas-client-core-3.3.3.jar:3.3.3]
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:206) [cas-client-core-3.3.3.jar:3.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:100) [cas-client-core-3.3.3.jar:3.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.7.0_79]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904) [jsse.jar:1.7.0_79]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279) [jsse.jar:1.7.0_79]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273) [jsse.jar:1.7.0_79]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446) [jsse.jar:1.7.0_79]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209) [jsse.jar:1.7.0_79]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901) [jsse.jar:1.7.0_79]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:837) [jsse.jar:1.7.0_79]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023) [jsse.jar:1.7.0_79]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332) [jsse.jar:1.7.0_79]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359) [jsse.jar:1.7.0_79]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343) [jsse.jar:1.7.0_79]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [rt.jar:1.7.0_79]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.7.0_79]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1092) [rt.jar:1.7.0_79]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) [rt.jar:1.7.0_79]
    at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:259) [cas-client-core-3.3.3.jar:3.3.3]
    ... 19 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142) [rt.jar:1.7.0_79]
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:91) [rt.jar:1.7.0_79]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347) [jsse.jar:1.7.0_79]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203) [jsse.jar:1.7.0_79]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) [jsse.jar:1.7.0_79]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428) [jsse.jar:1.7.0_79]
    ... 31 more

Upvotes: 1

Views: 916
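
Added example, not part of the original question and not CAS or JDK code: the trace ends in `HostnameChecker.matchIP`, which is the branch taken when the host in the validator's URL is an IP literal, and the sketch below reproduces that identity rule in simplified form so a certificate can be checked before deployment. The class name `SanCheck`, the address `192.0.2.10` and the name `cas.example.test` are assumptions made for illustration.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.*;

// Added example (hypothetical class name): simplified form of the identity check
// named in the trace (HostnameChecker.matchIP / match). Wildcard matching is omitted.
public class SanCheck {
    static final int DNS_NAME = 2, IP_ADDRESS = 7; // GeneralName types from RFC 5280
    // sans has the shape returned by X509Certificate.getSubjectAlternativeNames()
    static String check(String host, Collection<List<?>> sans, String cn) {
        // Approximate IP-literal test: a dotted quad, or anything containing a colon
        if (host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":")) {
            if (sans == null) return "FAIL: No subject alternative names present";
            for (List<?> san : sans)
                if (((Integer) san.get(0)) == IP_ADDRESS && host.equalsIgnoreCase((String) san.get(1)))
                    return "OK: iPAddress SAN matches";
            return "FAIL: no iPAddress SAN matches " + host; // the CN is never consulted for an IP
        }
        boolean sawDns = false;
        if (sans != null)
            for (List<?> san : sans)
                if (((Integer) san.get(0)) == DNS_NAME) {
                    sawDns = true;
                    if (host.equalsIgnoreCase((String) san.get(1))) return "OK: dNSName SAN matches";
                }
        if (sawDns) return "FAIL: no dNSName SAN matches " + host; // CN ignored once a DNS SAN exists
        return host.equalsIgnoreCase(cn) ? "OK: CN fallback matches" : "FAIL: no name matches " + host;
    }
    // Pulls the CN out of the subject DN; returns null when the subject has none
    static String cn(X509Certificate c) throws Exception {
        for (Rdn r : new LdapName(c.getSubjectX500Principal().getName()).getRdns())
            if (r.getType().equalsIgnoreCase("CN")) return r.getValue().toString();
        return null;
    }
    public static void main(String[] args) throws Exception {
        if (args.length == 2) { // usage: java SanCheck <host in the CAS URL> <cert.pem>
            try (InputStream in = new FileInputStream(args[1])) {
                X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(check(args[0], c.getSubjectAlternativeNames(), cn(c)));
            }
            return;
        }
        // Constructed samples (no real certificate involved)
        Collection<List<?>> ipSan = Collections.<List<?>>singletonList(Arrays.asList(IP_ADDRESS, "192.0.2.10"));
        System.out.println(check("192.0.2.10", null, "192.0.2.10"));             // IP URL, CN-only certificate
        System.out.println(check("cas.example.test", null, "cas.example.test")); // DNS URL, CN-only certificate
        System.out.println(check("192.0.2.10", ipSan, "cas-test"));              // IP URL, certificate with iPAddress SAN
    }
}
```

A temporary certificate that carries an iPAddress SAN for the address in the CAS URL (keytool accepts `-ext SAN=ip:<address>` from Java 7 on), or a CAS URL that uses a DNS name equal to the certificate's CN, satisfies this check with hostname verification left enabled.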

Answers (1)

eakyurek

Reputation: 124

You should set p:cookieSecure="false" for the ticketGrantingTicketCookieGenerator.

https://wiki.jasig.org/display/CASUM/Securing+Your+New+CAS+Server

Upvotes: 1
