Recently, I was testing transport level security (SSL) on Oracle's Container for Java (also part of OAS - Oracle Application Server).
My setting was: I had one web service bound to a secure site I had configured in its own xml and included in server.xml, which ran on the standard 443 port (port choice is irrelevant to the problem anyway). It was all running fine until I decided to set needs-client-auth to "true" on the ssl-config tag in the secure web site configuration. What this setting does is request that the client also send a certificate to the server (apart from the one the server presents to the client, since this is http + ssl). This happens even if you don't configure client-cert authentication as the auth-method in the login-config tag of the web service's web.xml descriptor file. In fact, the problem I faced happens even if no authentication options (no login-config tag) are configured for the web service at all.
So I went ahead and enabled needs-client-auth, created my keystore (a JKS - Java Key Store - in this case) and certificates, imported the client certificate in my browser, accessed https://myserver which asked for the client certificate to present, selected the one I had imported and the welcome page for OC4J was shown. So far, so good.
After that, I accessed the test page for the web service I had deployed. The test page is an automatically generated page which allows you to input the arguments and call the web service. I entered some test values in the input fields... and where I usually got the SOAP response envelope I got either:
SSL Error: Received fatal alert: bad_certificate
or:
java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Software caused connection abort: recv failed
along with the following message in the console:
WARNING IOException in ServerSocketAcceptHandler$AcceptHandlerHorse:run
I then looked into the log.xml file and found this stack trace for the IOException:
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:188)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1256)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:159)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at oracle.oc4j.network.ServerSocketAcceptHandler.doSSLHandShaking(ServerSocketAcceptHandler.java:245)
    at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:867)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:298)
    at java.lang.Thread.run(Thread.java:619)
Notice the "null cert chain" part.
So, what was going on?
I also had an OC4J 10.1.2 installation, so I decided to give that one a try. I configured a similar secure web site, the same keystore in the secure web site's xml as I had used for the newer OC4J version, and deployed practically the same web service (accounting for minor differences as required by each OC4J version). Same thing, went to the test page... and it worked.
So I started thinking about what was going on. First, I noticed that the IOException and null cert chain were also logged when I chose to cancel the client certificate window in my browser (thus not presenting any certificate to the server) or when the server presented a certificate for which I had not added trust in my browser options (I was using my own CA - Certificate Authority), even for the welcome page at https://myserver. So somehow this was sounding like the client certificate was not really being sent.
Then, I looked into each OC4J web service test page code. OC4J 10.1.2 used a GET on the web service, while OC4J 10.1.3 presents a seemingly more elaborate interface which uses a POST. In essence, the test page in the newer version appears to be a complete rewrite.
Recapping, same keystore, same certificates... same web service. Variable: in general, the OC4J version; specifically: the web service test page. From that, I suspected the web service test page itself - I needed a different interface to check I was right.
Enter soapUI, http://www.soapui.org/ which offers an open source version that can be downloaded for free. Inside soapUI, go to File -> Preferences and configure your KeyStore (I tested JKS and PKCS12) and KeyStore Password, then create a New soapUI Project from the web service's WSDL. Try a request and... it works!
Take out the KeyStore from the settings and you'll see the web service complains it did not receive the certificate - as expected. Configure client-cert auth-method in the web service if desired - works as well.
In conclusion, something's fishy about the newer version's web service test page; it seems client certificates are lost along the way. But, since it works from a different interface, the server is correctly configured!
My suggestion: if you run into this problem, try soapUI to see if you configured things right.
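A second independent client of the kind soapUI provided above, as an added example (not code from the original post, OC4J or soapUI): a small Java 7+ program that presents a client certificate from a JKS or PKCS12 keystore and POSTs a constructed, empty SOAP envelope. The class name, the KS_PASS environment variable, and the assumption that the same keystore also holds the trusted CA certificate and uses one password for store and key are choices made for this example.

```java
import java.io.*;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.*;

// Added diagnostic, not OC4J or soapUI code. Usage: java ClientCertCheck <https-endpoint> <keystore>
// The keystore password is read from the hypothetical environment variable KS_PASS.
public class ClientCertCheck {
    // Constructed request: an empty SOAP 1.1 body. A SOAP fault in reply is fine,
    // because any HTTP status means the TLS handshake, client certificate included, completed.
    static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soapenv:Body/></soapenv:Envelope>";

    static KeyStore load(String path, char[] password) throws Exception {
        boolean pkcs12 = path.endsWith(".p12") || path.endsWith(".pfx");
        KeyStore ks = KeyStore.getInstance(pkcs12 ? "PKCS12" : "JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String passEnv = System.getenv("KS_PASS");
        if (args.length != 2 || passEnv == null) {
            System.err.println("usage: KS_PASS=... java ClientCertCheck <https-endpoint> <keystore>");
            System.exit(2);
        }
        char[] pass = passEnv.toCharArray();
        KeyStore ks = load(args[1], pass);

        // Without a private-key entry the client has nothing to present and sends an
        // empty certificate list, which a server requiring client auth rejects.
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keyEntries++;
        }
        if (keyEntries == 0) {
            System.err.println("keystore has no private-key entry; no client certificate can be sent");
            System.exit(1);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass); // assumption: key password equals store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);       // assumption: the CA certificate is a trusted entry in the same store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", "\"\"");
        try {
            try (OutputStream out = conn.getOutputStream()) {
                out.write(ENVELOPE.getBytes(StandardCharsets.UTF_8));
            }
            System.out.println("handshake OK, HTTP " + conn.getResponseCode());
        } catch (SSLException e) {
            // Certificate problems on either side surface here, e.g. a fatal bad_certificate alert.
            System.err.println("TLS failure: " + e.getMessage());
            System.exit(1);
        }
    }
}
```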
Sunday, August 29, 2010
Eclipse Helios+ does not allow overloading methods by changing just the return type
So far, many of us have found we cannot overload methods which, when type erasure is applied, have the same signature. For example, the following:
import java.util.List;

public class MethodDuplicateDemo {
    public int useAList(List<Integer> list) {
        return list.size();
    }

    public int useAList(List<String> list) {
        return list.size();
    }
}
will not compile, giving these errors:
Method useAList(List<Integer>) has the same erasure useAList(List<E>) as another method in type MethodDuplicateDemo
Method useAList(List<String>) has the same erasure useAList(List<E>) as another method in type MethodDuplicateDemo
However, many were also used to being able to write:
import java.util.List;

public class MethodDuplicateDemo {
    public int useAList(List<Integer> list) {
        return list.size();
    }

    public String useAList(List<String> list) {
        return list.toString();
    }
}
(notice that one of the methods returns an int, while the other returns a String)
Well, the latter example will compile using javac (1.6), and will work on Eclipse up to version 3.5 (Galileo), but it does not compile on Eclipse Helios (3.6).
The reason: starting with Helios, Eclipse implements a Java 7 restriction by which the return type should not be considered when deciding if the methods are duplicates. Even though this works with the Java 6 compiler from the Sun JDK, it was implemented for all compliance levels in Eclipse. This is documented in https://bugs.eclipse.org/bugs/show_bug.cgi?id=289247 and https://bugs.eclipse.org/bugs/show_bug.cgi?id=273862 .
So, time to start changing the code where it relies on the return types being different for compilation ;-)
Saturday, August 28, 2010
Eclipse code name to numeric version conversion
This is a very brief post which will not be surprising, but I wanted to have the name to number relationship of the different Eclipse versions handy:
Helios 3.6
Galileo 3.5
Ganymede 3.4
Europa 3.3
Callisto 3.2
The previous Eclipse 3.1 and 3.0 versions had no code names, while the next 3.7 release is known under the code name Indigo.
Eclipse Ant tasks codepage issues
If you are using Ant to build your projects, you can take advantage of Eclipse's Ant view and configure your build.xml file(s) in there, so you can quickly launch its goals.
I recently had to use this view for a project in which the source files contained international characters. The build was failing in my newest version of Eclipse, although it worked in a previous version.
After looking into the issue, it turns out the codepage used in the Ant launcher is inherited from different places depending on the version of Eclipse. In order to check which codepage is being used, right click on the build file in the Ant view and choose Run As -> Ant Build... , then in the Common tab you can see both the Default - inherited encoding and Other encodings. The problem was I needed Cp1252 and it was not appearing in the list of Other encodings, while the Default - inherited encoding was UTF-8. Also, this list did not allow me to type in my own desired encoding. I tried selecting ISO-8859-1 as the encoding in this window, and the build succeeded; however, ISO-8859-1 is not equivalent to Cp1252, as explained in http://en.wikipedia.org/wiki/Windows-1252.
So I needed to figure out where the Default encoding was being inherited from and get it to be Cp1252. In my previous versions, it was being inherited from the General -> Workspace preferences (accessed from Windows -> Preferences in the IDE), which I had correctly set to Cp1252 (as taken from my System settings). However, in my later version it was being inherited from the Content Types, Text -> XML -> Ant Buildfile, build.xml, which was indeed set to UTF-8 for default encoding, unless I set a specific encoding for the file, by right clicking on it, selecting Properties and changing the encoding in the resource tab.
At a glance, the following is a summary of the different places where the encoding can be set in Eclipse:
- The file itself: right click on the file, choose Properties, and inside the Resource page of the preferences select either the Default (determined from content) encoding or another encoding from the Other list. In this window, you can type an encoding not appearing in the same list.
- The General -> Workspace page in the preferences accessed from Windows -> Preferences in the IDE. The Default encoding is taken from the System properties, while other encodings can be selected from the Other list, which allows a different encoding to be typed in.
- The General -> Content Types page in the preferences accessed from Windows -> Preferences in the IDE. In this page, a default encoding can be chosen for each file type. The Ant Buildfile encoding appears under the Text -> XML node. You can type your own encoding in the text field.
- The buildfile in the Ant view, by right clicking on it and selecting Run As -> Ant Build... and going to the Common tab. In there, the Console Encoding can be selected to be either the Default - inherited or Other encoding, but the latter won't let you type in your own.
- The XML -> XML Files page in the preferences accessed from Windows -> Preferences in the IDE. I have not had to use this page and it will not let you type in a different encoding from the ones offered in the list.
My personal recommendation, if you encounter this problem, is to change the encoding for the build.xml file you need to run, by editing its individual properties.
Tuesday, August 17, 2010
My must-have Firefox add-ons
I've been meaning to compile a list of the software applications I install on every computer I happen to have to use for an extended period of time. Today, I decided to start by sharing which my favorite Firefox add-ons are - those I add the minute I have finished running the setup.
So here it goes:
Firebug
Essential for web development. It will allow you not only to inspect the source and styles of a page, but also to dynamically alter parts of it and see the results live! It even has a JavaScript debugger!
Install from: https://addons.mozilla.org/en-US/firefox/addon/1843/
More info at: http://getfirebug.com/
Web Developer
Another can't-do-without for web developers. You can enable or disable styles, images, delete specific cookies - very useful!
Install from: https://addons.mozilla.org/en-US/firefox/addon/60/
More info at: http://chrispederick.com/work/web-developer/
Tamper Data
Ever needed to analyse what's going on with a request? Tamper Data will intercept communications and give you the info you are looking for!
Install from: https://addons.mozilla.org/en-US/firefox/addon/966/
More info at: http://tamperdata.mozdev.org/
FireShot
Need to share how a web site looks with a fellow developer? Quickly save what you've entered in a form or info the site has displayed back? FireShot will let you capture the visible browser area or even the whole page - with no need to take several shots and paste them together if it doesn't fit in one screen.
Install from: https://addons.mozilla.org/en-US/firefox/addon/5648/
More info at: http://screenshot-program.com/fireshot/
Windows only
Session Manager
You've reached the end of the day and you have 12 tabs open in one browser window... and 6 more in another one. Save your currently displayed tabs for tomorrow. Even more, organize your sessions by saving all the tabs you want to look into for each different topic. This add-on also includes the ability to recover a tab recently closed by accident.
Install from: https://addons.mozilla.org/en-US/firefox/addon/2324/
More info at: http://sessionmanager.mozdev.org/
Zotero
Much more than just favorites or bookmarks. Build your own library of useful sites - organized the way you like - and search by keywords within the contents of the pages. Zotero will save snapshots of the sites you want to keep for future reference, along with their addresses. It will even let you add notes over the pages and show them in the same places when you come back to the snapshot. You can add tags, your own notes and, again, it's completely searchable! If you are using this for writing a paper, you can even export the bibliography. And, you can sync it with your library on the web so you can access it from different locations.
It truly is your own library of web documents.
Install from and get more info at: http://www.zotero.org/
DownThemAll!
I've covered content stored in the web which you want to organize and keep. But you'll also want to download files every now and then. DownThemAll is an excellent download manager that will get the job done - you can get the files to your usual downloads directory with a single click, and you can tell the difference in speed.
Install from: https://addons.mozilla.org/en-US/firefox/addon/201/
More info at: http://www.downthemall.net/
Greasemonkey
Extend Firefox with custom scripts. I use this to get a virtual keyboard so I can avoid typing sensitive login information on public computers.
Install from: https://addons.mozilla.org/en-US/firefox/addon/748/
More info at: http://www.greasespot.net/
Virtual Keyboard Interface script: http://www.greywyvern.com/code/javascript/keyboard
Hudson Monitor
If you use Hudson as your continuous integration solution, this add-on is a convenient way to know the state of your builds right from the status bar.
Install from: https://addons.mozilla.org/en-US/firefox/addon/7522/
More info at: http://wiki.hudson-ci.org/display/HUDSON/Firefox+Add-on+Build+Monitor
I hope these add-ons are as useful to you as they are to me. You are very welcome to let me know of any others!