Jetty 9 - Enable OCSP Stapling for domain-validated certificate
I'm having some issues enabling OCSP stapling in Jetty 9 and I really hope that someone can help me here... hopefully!
For my tests I purchased an SSL certificate from PositiveSSL (Comodo), which gave me a valid/trusted certificate. The domain in this example is "dev.mydomain.com", and it will simply point to my local ip (127.0.0.1).
I then transformed the provided certificate into the Java keystore format.
# Convert certificate to pkcs12
openssl pkcs12 -export -out dev.mydomain.com.pkcs12 -inkey dev.mydomain.com.key -in dev_mydomain_com.crt
# Create java keystore
keytool -importkeystore -srckeystore dev.mydomain.com.pkcs12 -srcstoretype pkcs12 -destkeystore dev.mydomain.com.keystore -deststoretype JKS
This is the simplified Java code I used to create the Jetty server, activate the certificate, listen on port 443 (HTTPS) and, in theory, activate OCSP:
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

Server _server = new Server(); // org.eclipse.jetty.server.Server
HttpConfiguration httpsConfig = new HttpConfiguration();
HttpConnectionFactory http1 = new HttpConnectionFactory(httpsConfig);
// Keystore produced by the keytool command above; same password for store and key
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("dev.mydomain.com.keystore");
sslContextFactory.setKeyStorePassword("mypass");
sslContextFactory.setKeyManagerPassword("mypass");
// sslContextFactory.setValidateCerts(true); // tested
sslContextFactory.setEnableOCSP(true);
SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, http1.getProtocol());
// SSL Connector: TLS first, then HTTP/1.1 on the decrypted stream
ServerConnector sslConnector = new ServerConnector(_server, ssl, http1);
sslConnector.setHost("127.0.0.1");
sslConnector.setPort(443);
_server.addConnector(sslConnector);
_server.start(); // start() and join() declare "throws Exception"
_server.join();
On Java VM startup I'm also enabling these system properties:
Security.setProperty("ocsp.enable", "true");
System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
After several tries, I also tried importing the certificate chain into the keystore, but it didn't make any difference to the outcome.
keytool -import -trustcacerts -alias ca -file COMODORSAAddTrustCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias dv -file COMODORSADomainValidationSecureServerCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias te -file AddTrustExternalCARoot.crt -keystore dev.mydomain.com.keystore
To test whether OCSP was correctly enabled I used a tool called sslyze, but whatever I tried, the response for OCSP was always negative:
OCSP Stapling - NOT SUPPORTED - Server did not send back an OCSP response
Here is the full output of sslyze:
C:\Tools\sslyze-1_4_1>sslyze --certinfo dev.mydomain.com:443
AVAILABLE PLUGINS
-----------------
OpenSslCipherSuitesPlugin
RobotPlugin
CertificateInfoPlugin
FallbackScsvPlugin
SessionRenegotiationPlugin
HeartbleedPlugin
CompressionPlugin
OpenSslCcsInjectionPlugin
SessionResumptionPlugin
HttpHeadersPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
dev.mydomain.com:443 => 127.0.0.1
SCAN RESULTS FOR DEV.MYDOMAIN.COM:443 - 127.0.0.1
------------------------------------------------
* Certificate Information:
Content
SHA1 Fingerprint: 7c398c59bac3a231efc9823c6958a7bc711bfc0e
Common Name: dev.mydomain.com
Issuer: COMODO RSA Domain Validation Secure Server CA
Serial Number: 103185809289011988533713848804380317148
Not Before: 2018-04-18 00:00:00
Not After: 2019-04-18 23:59:59
Signature Algorithm: sha256
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: ['dev.mydomain.com', 'www.dev.mydomain.com']
Trust
Hostname Validation: OK - Certificate matches dev.mydomain.com
Android CA Store (8.1.0_r9): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
iOS CA Store (11): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Mozilla CA Store (2018-01-14): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Windows CA Store (2018-02-09): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: dev.mydomain.com
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more
OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
SCAN COMPLETED IN 0.78 S
------------------------
Sorry for the long post, but I tried to provide as many details as possible!
Thank you! Yuvi
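Two checks worth running around a change like this, as an added example (not code from the question, from Jetty or from sslyze). First, the PKCS12 in the question is built from the leaf only (`-in dev_mydomain_com.crt`, no `-certfile`), so the resulting key entry carries a one-certificate chain and the server can only send the leaf; importing the intermediates afterwards as separate `-trustcacerts` entries does not attach them to the key entry. That matches the sslyze lines "Received Chain: dev.mydomain.com" and "unable to get local issuer certificate", and a server that cannot name its issuer cannot build an OCSP request to staple, so it is the first thing to rule out. Second, `openssl s_client -status` asks for the TLS status_request extension directly and prints the stapled response, which gives an independent reading next to sslyze. The script builds the PKCS12 with the chain attached, counts the chain members of the key entry from `keytool -list -v` output, and parses the `s_client` output. The alias `dev`, the file `chain.pem`, the Comodo intermediate file names and the constructed sample outputs are assumptions; the key, certificate and keystore names follow the question.

```shell
#!/bin/sh
# Added example, not from the original post. Live steps run only with "run"
# as the first argument; the parsers are exercised on constructed samples.

# 1. Attach the intermediates to the key entry. -certfile is what puts the
#    chain into the PKCS12 bag next to the private key (file names assumed
#    from the question's keytool commands).
build_pkcs12_with_chain() {
    cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > chain.pem
    openssl pkcs12 -export \
        -inkey dev.mydomain.com.key \
        -in dev_mydomain_com.crt \
        -certfile chain.pem \
        -name dev \
        -passout "pass:$1" \
        -out dev.mydomain.com.pkcs12
}

# Same conversion as in the question, with passwords supplied on the command line.
build_keystore() {
    keytool -importkeystore \
        -srckeystore dev.mydomain.com.pkcs12 -srcstoretype pkcs12 -srcstorepass "$1" \
        -destkeystore dev.mydomain.com.keystore -deststoretype JKS -deststorepass "$1"
}

# 2. Count chain members in "keytool -list -v" output: keytool prints one
#    "Certificate[N]:" line per certificate attached to the entry.
#    A leaf-only entry (the question's situation) yields 1.
chain_length() {
    printf '%s\n' "$1" | grep -c '^Certificate\[' || true
}

keystore_chain_length() {   # keystore password alias
    chain_length "$(keytool -list -v -keystore "$1" -storepass "$2" -alias "$3")"
}

# 3. Decide from "openssl s_client -status" output whether a staple arrived.
#    A stapled response prints "OCSP Response Status: successful (0x0)";
#    a server without stapling prints "OCSP response: no response sent".
stapling_ok() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

check_stapling() {   # host [port]
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null)
    if stapling_ok "$out"; then
        echo "stapling: OK"
    else
        echo "stapling: NOT SUPPORTED (server sent no OCSP response)"; return 1
    fi
}

# Constructed sample outputs (not captured from a real server) so the
# parsers can be exercised offline.
SAMPLE_KEYTOOL_FULL='Alias name: dev
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=dev.mydomain.com
Certificate[2]:
Owner: CN=COMODO RSA Domain Validation Secure Server CA
Certificate[3]:
Owner: CN=COMODO RSA Certification Authority'
SAMPLE_KEYTOOL_LEAF='Alias name: dev
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=dev.mydomain.com'
SAMPLE_SCLIENT_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_SCLIENT_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Returns 0 when both parsers classify the constructed samples as expected.
selfcheck() {
    [ "$(chain_length "$SAMPLE_KEYTOOL_FULL")" = 3 ] || return 1
    [ "$(chain_length "$SAMPLE_KEYTOOL_LEAF")" = 1 ] || return 1
    stapling_ok "$SAMPLE_SCLIENT_STAPLED" || return 1
    if stapling_ok "$SAMPLE_SCLIENT_NONE"; then return 1; fi
    return 0
}

if [ "${1:-}" = "run" ]; then
    pass=${2:-mypass}
    build_pkcs12_with_chain "$pass"
    build_keystore "$pass"
    echo "chain members on key entry: $(keystore_chain_length dev.mydomain.com.keystore "$pass" dev)"
    check_stapling dev.mydomain.com 443
fi
```

Run `sh ocsp_check.sh run mypass` in the directory holding the key and certificate files; a chain count of 1 after the build means the intermediates were not attached and the stapling check is not yet meaningful. Note that the `-status` extension is a client request, so a "no response sent" result tells you only that this server did not staple, not why.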
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <session-config>
    <cookie-config>
      <max-age>1209600</max-age>
    </cookie-config>
  </session-config>
  <context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>classpath:log4j.properties</param-value>
  </context-param>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring-contexts/*Context.xml,</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>
  <filter>
    <display-name>springSecurityFilterChain</display-name>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <filter>
    <filter-name>hvsf</filter-name>
    <filter-class>org.springframework.orm.hibernate4.support.OpenSessionInViewFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>forceEncoding</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>requestHolderFilter</filter-name>
    <filter-class>finch.portal.v3.web.controller.RequestHolderFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <filter>
    <filter-name>userActivityFilter</filter-name>
    <filter-class>tnt.dom2.user.filter.UserActivityFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <filter>
    <filter-name>httpStatusFilter</filter-name>
    <filter-class>tnt.dom2.filter.HttpStatusFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>useFileMappedBuffer</param-name>
      <param-value>false</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </servlet>
  <servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/spring-contexts/dispatcher-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    <async-supported>true</async-supported>
  </servlet>
  <filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ASYNC</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>hvsf</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ASYNC</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ASYNC</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>requestHolderFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ASYNC</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>userActivityFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ASYNC</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>httpStatusFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ASYNC</dispatcher>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/media/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/f/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/dev/f/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/freeze/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <error-page>
    <error-code>404</error-code>
    <location>/404</location>
  </error-page>
</web-app>
WebSocket configuration:
import java.util.List;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.converter.DefaultContentTypeResolver;
import org.springframework.messaging.converter.MappingJackson2MessageConverter;
import org.springframework.messaging.converter.MessageConverter;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.util.MimeTypeUtils;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.WebSocketTransportRegistration;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {

    @Autowired
    private ObjectMapper objectMapper;

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // In-memory broker for subscriptions; "/app" prefixes messages routed to @MessageMapping handlers
        config.enableSimpleBroker("/topic");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // setAllowedOrigins("*") lets any Origin open the SockJS/STOMP endpoint
        registry.addEndpoint("/gs-guide-websocket").setAllowedOrigins("*").withSockJS();
    }

    @Override
    public void configureWebSocketTransport(WebSocketTransportRegistration webSocketTransportRegistration) {
        // 15 s send time limit, 512 KiB outbound buffer per session
        webSocketTransportRegistration.setSendTimeLimit(15 * 1000).setSendBufferSizeLimit(512 * 1024);
    }

    @Override
    public void configureClientOutboundChannel(ChannelRegistration channelRegistration) {
        channelRegistration.taskExecutor().corePoolSize(4).maxPoolSize(10);
    }

    @Override
    public boolean configureMessageConverters(List<MessageConverter> list) {
        DefaultContentTypeResolver resolver = new DefaultContentTypeResolver();
        resolver.setDefaultMimeType(MimeTypeUtils.APPLICATION_JSON);
        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
        converter.setObjectMapper(objectMapper);
        converter.setContentTypeResolver(resolver);
        list.add(converter);
        return false; // false: do not also register Spring's default converters
    }
}
-
Handler error while trying to execute Jetty Server
I get this error:
incompatible types: org.eclipse.jetty.servlet.ServletHandler cannot be converted to org.mortbay.jetty.Handler
while trying to run the code below. I'm new to Java and not sure why this is happening. Any ideas? (I'm using JDK 11, the latest Jetty version 9.3, and the IntelliJ IDE.)
package newJetty;

import newJetty.handler.PingHandler;
import org.eclipse.jetty.servlet.ServletHandler;
import org.mortbay.jetty.Handler;
import org.mortbay.jetty.Server;

/**
 * Hello world!
 *
 */
public class JettyServer {
    public static void main( String[] args ) throws Exception {
        Server server = new Server(8080);
        ServletHandler handler = new ServletHandler();
        handler.addServletWithMapping(PingHandler.class, "/ping");
        server.setHandler(handler);
        // server.start();
        server.join();
    }
}
-
Detect half-open websockets with PING/PONG
I'm using Jetty 9.2.24 as a WebSocket server. I want to detect half-open connections, so that no more messages are sent over such a connection and they are buffered instead.
I know PING/PONG frames are used for this, so I tried sending PINGs periodically and set a low maxIdleTimeout. I modified my client to NOT return a PONG, to see if Jetty would regard this as a failed connection, since the RFC 6455 spec dictates that the remote endpoint MUST respond with a PONG. Apparently Jetty does not detect missing PONGs, or I am doing something wrong.
What is the best way to continue? Should I implement the PING/PONG timeouts myself by explicitly receiving all PONG messages and detecting a timeout? I would think this would be the responsibility of the underlying WebSocket framework.
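One way to do the detection the question describes, as an added example that is not part of the original post and not Jetty's own code: a Jetty 9.2 annotated endpoint that pings on a timer, records every PONG it receives, and closes the session once no PONG has arrived within a deadline. The class name, the interval and deadline constants, and the shared scheduler are assumptions.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import org.eclipse.jetty.websocket.api.Session;
import org.eclipse.jetty.websocket.api.StatusCode;
import org.eclipse.jetty.websocket.api.annotations.OnWebSocketClose;
import org.eclipse.jetty.websocket.api.annotations.OnWebSocketConnect;
import org.eclipse.jetty.websocket.api.annotations.OnWebSocketFrame;
import org.eclipse.jetty.websocket.api.annotations.WebSocket;
import org.eclipse.jetty.websocket.api.extensions.Frame;

@WebSocket // hypothetical endpoint class; per-session liveness tracked with an explicit PONG deadline
public class LivenessSocket {
    private static final ScheduledExecutorService TIMER = Executors.newSingleThreadScheduledExecutor();
    private static final long PING_INTERVAL_MS = 5_000;   // assumed values; tune to the deployment
    private static final long PONG_DEADLINE_MS = 15_000;  // close if no PONG arrives within this window
    private final AtomicLong lastPongMillis = new AtomicLong();
    private volatile ScheduledFuture<?> pinger;

    @OnWebSocketConnect
    public void onConnect(Session session) {
        lastPongMillis.set(System.currentTimeMillis());
        pinger = TIMER.scheduleAtFixedRate(() -> {
            long silence = System.currentTimeMillis() - lastPongMillis.get();
            if (silence > PONG_DEADLINE_MS) {
                // Peer is half-open: stop treating it as live and start the close handshake.
                session.close(StatusCode.SHUTDOWN, "no PONG for " + silence + " ms");
                return;
            }
            try {
                session.getRemote().sendPing(ByteBuffer.wrap(new byte[0])); // empty payload is valid
            } catch (IOException e) {
                session.close(StatusCode.SERVER_ERROR, "ping failed: " + e.getMessage());
            }
        }, PING_INTERVAL_MS, PING_INTERVAL_MS, TimeUnit.MILLISECONDS);
    }

    // Jetty delivers every incoming frame here, control frames included; only PONGs refresh the deadline.
    @OnWebSocketFrame
    public void onFrame(Frame frame) {
        if (frame.getType() == Frame.Type.PONG) lastPongMillis.set(System.currentTimeMillis());
    }

    @OnWebSocketClose
    public void onClose(int statusCode, String reason) {
        if (pinger != null) pinger.cancel(false);
    }
}
```

On a truly dead peer the close frame is never acknowledged, so the session's idle timeout (the maxIdleTimeout mentioned above) still decides how long Jetty waits before tearing the connection down.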
-
Is it ok to return certificate status without OCSP (Online Certificate Status Protocol)?
I created a certificate authority server using Node.js and a cryptographic library supporting RSA signing, verification and X.509 generation. When I added the certificate revocation feature with Online Certificate Status Protocol (OCSP), I wondered why I have to send a request and receive a response with OCSP, because what I want to know is not the OCSP Request/Response object but just the certificate status (good or revoked). Does it make sense to request not an OCSP response object (.PEM or something else) but just the certificate status value, like an HTTP status code (200: OK, 400: NOT FOUND)?
-
Java SSL OCSP checks fail to validate the entire chain of trust with Certificate does not specify OCSP responder
I have a Java application that recently moved to SSL, and it has a problem when performing checks on all certificates in the chain of trust, but works fine when I set it to check the server certificate only.
Checks are performed using OCSP only (cannot do CRL here).
So, if I set 'Perform TLS certificate revocation checks on' to 'All certificates in the chain of trust' in the Java Control Panel, the Java application says the certificate is untrusted, with the following error message:
com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
At the same time, if I change 'Perform TLS certificate revocation checks on' to 'Server certificate only', everything works fine, hence the certificate is valid.
My certificate has this chain: rootCA - intermediateCA - server
I checked the Authority Information Access value for all 3 certificates and it looks like the root one doesn't have one set, and implicitly it doesn't have an OCSP URL where validity can be checked; however, I checked other certificates and it looks like most root CAs don't have it either.
Any idea what the problem can be, or how I can continue to debug it?
Thanks!
-
Certificate Revocation check failing in Windows Server 2016
The command
certutil.exe -verify
fails with the error 'Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)' on Windows Server 2016. The error is not seen on 2012 / 2008.
Any help would be appreciated.