Monday, January 16, 2012

Javascript: Redirect to external system and automatically authenticate SSL

Note: using basic authentication on external system.
This leaves you open to XSS attacks SO TAKE NOTE, it is not for production code without modification.

This little bit of javascript although insecure (but you can work with this) can give you single sign on like behaviour (if the site you are calling is using Basic Auth) using the XMLHttpRequest object.
For the ADF stuff deployed on weblogic using the same realm this is not really a problem.

function createRequest() {
  if (typeof XMLHttpRequest != 'undefined') {
    return new XMLHttpRequest();
  }
  try {
    return new ActiveXObject("Msxml2.XMLHTTP");
  }
  catch (e) {
    try {
      return new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch (e) {
    }
  }
  return false;
}

function performRedirect() {
  xmlhttp = createRequest();
  xmlhttp.open("GET", "https://server/url_to_call", false, "username", "password");
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4) {
      document.location.href = 'https://server/url_to_call';
    }
  }
  xmlhttp.send(null);
}

My notes to self during this process (stupidly trying to do this sever side but hey well):

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertP
athBuilderException: unable to find valid certification path to requested target







    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(new KeyManager[0], new TrustManager[] { new DefaultTrustManager() }, new SecureRandom());
    SSLContext.setDefault(ctx);

401: This indicates that you have not logged in

  • Create a new inner class for a custom authenticator and set the default before invoking the URL
import java.net.Authenticator;
import java.net.PasswordAuthentication;

private static class CustomAuthenticator extends Authenticator {
  protected PasswordAuthentication getPasswordAuthentication() {
    return new PasswordAuthentication("w3676021", "richard01".toCharArray());
  }
}


Authenticator.setDefault(new CustomAuthenticator());  

OR:
  •  Just add a username password request property
String val = (new StringBuffer(username).append(":").append(password)).toString();
byte[] base = val.getBytes();
String authorizationString = "Basic " + new String(new Base64().encode(base));
uc.setRequestProperty("Authorization", authorizationString);



java.io.IOException: HTTPS hostname wrong:  should be
HostnameVerifier hv = new HostnameVerifier() {
   public boolean verify(String urlHostName, SSLSession session) {
     System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
     return true;
  }
 };
HttpsURLConnection.setDefaultHostnameVerifier(hv);
OR on the console 
Env --> Servers --> SSL Hostname Verification: none
OR on startup -Dweblogic.security.SSL.ignoreHostnameVerification=true

The certificate chain received from server - ip contained a V3 CA certificate which was missing the basic constraints extension


  • Add the following properties to startup

-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off  -Dweblogic.webservice.client.ssl.strictcertchecking=false


Certificate chain received from was not trusted causing SSL handshake failure

  • Only way I found for this was to correctly add you cert to the correct file see:
http://vbandaru.wordpress.com/2010/11/15/ssl-handshake-failure-in-weblogic-server/


No comments:

Post a Comment