Note: using basic authentication on external system.
This leaves you open to XSS attacks, SO TAKE NOTE: it is not for production code without modification.
This little bit of JavaScript, although insecure (but you can work with this), can give you single-sign-on-like behaviour using the XMLHttpRequest object, provided the site you are calling is using Basic Auth.
For the ADF stuff deployed on WebLogic using the same realm this is not really a problem.
    function createRequest() {
        // Use the native XMLHttpRequest where available and fall back to the
        // legacy ActiveX objects for old versions of Internet Explorer.
        if (typeof XMLHttpRequest != 'undefined') {
            return new XMLHttpRequest();
        }
        try {
            return new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (e) {
            try {
                return new ActiveXObject("Microsoft.XMLHTTP");
            }
            catch (e) {
            }
        }
        return false;
    }

    function performRedirect() {
        // Synchronous GET that sends the Basic Auth credentials; once the browser
        // has cached them for this realm, the plain redirect below gets through.
        var xmlhttp = createRequest();
        xmlhttp.open("GET", "https://server/url_to_call", false, "username", "password");
        xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState == 4) {
                document.location.href = 'https://server/url_to_call';
            }
        };
        xmlhttp.send(null);
    }
My notes to self during this process (stupidly trying to do this server side, but hey, oh well):
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    import java.security.SecureRandom;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;

    // DefaultTrustManager is the author's own TrustManager class (not shown in the post),
    // presumably one that accepts any certificate chain, which is what makes the error go away.
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(new KeyManager[0], new TrustManager[] { new DefaultTrustManager() }, new SecureRandom());
    SSLContext.setDefault(ctx);
401 (Unauthorized): this indicates that you have not logged in.
- Create a new inner class for a custom authenticator and set the default before invoking the URL:

    import java.net.Authenticator;
    import java.net.PasswordAuthentication;

    private static class CustomAuthenticator extends Authenticator {
        protected PasswordAuthentication getPasswordAuthentication() {
            // Handed to HttpURLConnection when the server answers with a 401 challenge
            return new PasswordAuthentication("w3676021", "richard01".toCharArray());
        }
    }
    // Must be set before the URL is opened
    Authenticator.setDefault(new CustomAuthenticator());

OR:
- Just add a username/password request property:

    import org.apache.commons.codec.binary.Base64; // the new Base64().encode(...) call below is the Commons Codec API

    // val is the "username:password" pair; uc is the HttpURLConnection for the target URL
    String val = "username:password";
    byte[] base = val.getBytes();
    String authorizationString = "Basic " + new String(new Base64().encode(base));
    uc.setRequestProperty("Authorization", authorizationString);
    java.io.IOException: HTTPS hostname wrong: should be

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String urlHostName, SSLSession session) {
            // Accepts every host name: logs the mismatch instead of rejecting the connection
            System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
            return true;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hv);

OR on the console:
    Env --> Servers --> SSL Hostname Verification: none
OR on startup:
    -Dweblogic.security.SSL.ignoreHostnameVerification=true

    The certificate chain received from server - ip contained a V3 CA certificate which was missing the basic constraints extension

- Add the following properties to startup:

    -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off -Dweblogic.webservice.client.ssl.strictcertchecking=false
    Certificate chain received from was not trusted causing SSL handshake failure

- The only way I found for this was to correctly add your cert to the correct file, see:
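As an added example (not the post's own code), this is the non-bypassing counterpart to the DefaultTrustManager, the always-true HostnameVerifier and the strictcertchecking=false flags above: the server's CA certificate is loaded from a PEM file into an in-memory truststore so PKIX path validation and the default hostname verification stay switched on, and the Basic Auth header is built with java.util.Base64. The PEM path, URL and credentials are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustedBasicAuthClient {

    // Build an SSLContext that trusts only the CA (or server) certificate in the PEM file.
    static SSLContext contextTrusting(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(pemPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory truststore
        ks.setCertificateEntry("server-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // real PKIX validation against our truststore
        return ctx;
    }

    // Returns the HTTP status; 401 means the credentials were rejected, not a TLS problem.
    static int fetch(String url, String pemPath, String user, char[] password) throws Exception {
        HttpsURLConnection uc = (HttpsURLConnection) new URL(url).openConnection();
        uc.setSSLSocketFactory(contextTrusting(pemPath).getSocketFactory());
        // Default hostname verifier is kept: no verify() { return true; } override.
        String cred = user + ":" + new String(password);
        String header = "Basic " + Base64.getEncoder().encodeToString(cred.getBytes(StandardCharsets.UTF_8));
        uc.setRequestProperty("Authorization", header);
        int status = uc.getResponseCode();
        Arrays.fill(password, '\0');               // wipe the password once it has been used
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: replace the PEM path, URL and credentials with your own.
        int status = fetch("https://server/url_to_call", "/path/to/server-ca.pem", "username", "password".toCharArray());
        System.out.println("HTTP status: " + status);
    }
}
```

If the server's certificate still fails validation with this truststore, the chain itself is broken (for example the missing basic constraints error above) and needs fixing on the server side rather than being ignored in the client.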