Skip to main content

Javascript: Redirect to external system and automatically authenticate SSL

Note: using basic authentication on external system.
This leaves you open to XSS attacks SO TAKE NOTE, it is not for production code without modification.

This little bit of javascript although insecure (but you can work with this) can give you single sign on like behaviour (if the site you are calling is using Basic Auth) using the XMLHttpRequest object.
For the ADF stuff deployed on weblogic using the same realm this is not really a problem.

function createRequest() {
  if (typeof XMLHttpRequest != 'undefined') {
    return new XMLHttpRequest();
  }
  try {
    return new ActiveXObject("Msxml2.XMLHTTP");
  }
  catch (e) {
    try {
      return new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch (e) {
    }
  }
  return false;
}

function performRedirect() {
  xmlhttp = createRequest();
  xmlhttp.open("GET", "https://server/url_to_call", false, "username", "password");
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4) {
      document.location.href = 'https://server/url_to_call';
    }
  }
  xmlhttp.send(null);
}

My notes to self during this process (stupidly trying to do this sever side but hey well):

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertP
athBuilderException: unable to find valid certification path to requested target






    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(new KeyManager[0], new TrustManager[] { new DefaultTrustManager() }, new SecureRandom());
    SSLContext.setDefault(ctx);

401: This indicates that you have not logged in

  • Create a new inner class for a custom authenticator and set the default before invoking the URL
import java.net.Authenticator;
import java.net.PasswordAuthentication;

private static class CustomAuthenticator extends Authenticator {
  protected PasswordAuthentication getPasswordAuthentication() {
    return new PasswordAuthentication("w3676021", "richard01".toCharArray());
  }
}


Authenticator.setDefault(new CustomAuthenticator());  

OR:
  •  Just add a username password request property
String val = (new StringBuffer(username).append(":").append(password)).toString();
byte[] base = val.getBytes();
String authorizationString = "Basic " + new String(new Base64().encode(base));
uc.setRequestProperty("Authorization", authorizationString);



java.io.IOException: HTTPS hostname wrong:  should be
HostnameVerifier hv = new HostnameVerifier() {
   public boolean verify(String urlHostName, SSLSession session) {
     System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
     return true;
  }
 };
HttpsURLConnection.setDefaultHostnameVerifier(hv);
OR on the console 
Env --> Servers --> SSL Hostname Verification: none
OR on startup -Dweblogic.security.SSL.ignoreHostnameVerification=true

The certificate chain received from server - ip contained a V3 CA certificate which was missing the basic constraints extension


  • Add the following properties to startup

-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off  -Dweblogic.webservice.client.ssl.strictcertchecking=false


Certificate chain received from was not trusted causing SSL handshake failure

  • Only way I found for this was to correctly add you cert to the correct file see:
http://vbandaru.wordpress.com/2010/11/15/ssl-handshake-failure-in-weblogic-server/


Labels:

Comments

Post a Comment

Popular posts from this blog

ADF Encountered deferred syntax #{ in template text.

OracleJSP error: oracle.jsp.parse.JspParseException:  Error: Encountered deferred syntax #{ in template text.  If intended as a literal, escape it or set directive  deferredSyntaxAllowedAsLiteral This normally happens when you have some tag lib dependancy problems but this was  not the case for me... My problem: For some reason my model project had web stuff in it(public html etc)  so I had to remove the public html stuff from my project and manually edit the Model.jpr project file and remove the tag lib entries at the bottom o the file. Go figure.    
3 comments
Read more

JBO-25013: TooManyObjectsException

oracle.jbo.TooManyObjectsException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[Key null ]. Ok so for you it may be trying to insert a duplicate record this should explain your problem (also check trigger they could be the cause.) NOTE: You can also try to create a new duplicate EO if you have a page with two VO's using the same EO. This could sort your problems. For me I needed to add a launch listener on my LOV and clear the cache of my vo. LOV <af:inputListOfValues id="NameId" popupTitle="#{bindings.Name.hints.label}" value="#{bindings.RolName1.inputValue}" label="#{bindings.RolName1.hints.label}" model="#{bindings.RolName1.listOfValuesModel}" required="#{bindings.RolName1.hints.mandatory}" columns="#{bindings.RolName1.hints.displayWidth}" shortDesc="#{bindings.RolName1.hints.tooltip}" launchPopupListener="#{backingBeanScope.backingBean.launchPop
Post a Comment
Read more

MANIFEST.MF merge JDeveloper for an executable jar

Goto your project > properties. Then click on deployment in the menu. Edit or add a jar deployment profile. Fill in the details under jar options (select Include manifest and give it a main class name) Also remember that the merge functionality only works with a BLANK line at the end of the merge file. REALLY this caught me. My merge file contents: Class-Path: commons-codec-1.3.jar [...empty line here CRLF...]
1 comment
Read more