cdfly
asked on
SSLSocket in Applet
Hello,
I have an applet that allows users to upload files to a server. When the user uploads the file(s) the applet makes a connection using an SSLSocket and the user's smart card. The applet is unable to upload any files; it always gets a 403.7 error.
I wrote a small console app and it is able to make the connection and return a page, the exact same code fails in the applet with the 403.7 error. I have verified that the applet is reading the certs off the smart card.
Thanks
It is probably a signed applet, as otherwise it would not read a smart card, correct?
Perhaps this could help:
http://stackoverflow.com/questions/1531712/client-ssl-authentication-causing-403-7-error-from-iis
Did you see these threads?
I don't think there is a solution there, but the situation seems to be very similar:
http://www.tek-tips.com/viewthread.cfm?qid=1673598
https://forums.oracle.com/forums/thread.jspa?threadID=2241443
ASKER
The tek-tips post is actually one of my old posts. This is a self-signed applet; not sure why the console code works but it has a problem in the applet.
Please post the full output from the Java Console, if necessary putting the trace level up to max (5)
You will of course need to import the server cert into your client's truststore unless the cert is a 'proper' official one with intact chain
ASKER
It looks like a client cert problem rather than a server cert problem. If your application manages to work with the same IIS server, make sure that the same trust store is being used in the applet. Your app working implies that you have got a client cert installed and being used when a client of that IIS server.
ASKER
I'm not sure I understand. In the code, both in the console app and the applet, I get the keystore from the smart card using an alias that I know exists. Are you thinking that my app is using something else?
When I first tried my console app it was failing with the same 403 error until I specified the alias, and then it started working.
Can you tell me how to be sure the applet is using the same trust store as the console app?
Thanks
C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts is what the applet is using. If you run the app with
java -Djavax.net.debug=ssl
it will tell you.
btw, by what means are you telling
a. the applet which alias to use?
b. the application which alias to use?
ASKER
This is what I had to add to make my console app work; I had to use the alias on the smart card.
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.X509KeyManager;

// Select the smart-card certificate explicitly by alias; keyStore and aSmartCardPIN are set up elsewhere
String alias = "cert alias";
KeyManager[] managers = new KeyManager[] { new AliasKeyManager(keyStore, alias, aSmartCardPIN) };

// Key manager that ignores the key types and issuers offered by the server and always returns one alias
private static class AliasKeyManager implements X509KeyManager
{
    private KeyStore _ks;
    private String _alias;
    private String _password;

    public AliasKeyManager(KeyStore ks, String alias, String password)
    {
        _ks = ks;
        _alias = alias;
        _password = password;
    }

    // Called during the SSLSocket handshake when the server asks for a client certificate
    public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
    {
        return _alias;
    }

    public String chooseServerAlias(String str, Principal[] principal, Socket socket)
    {
        return _alias;
    }

    public X509Certificate[] getCertificateChain(String alias)
    {
        try
        {
            // Relies on the keystore returning an X509Certificate[] at runtime; otherwise this cast fails
            return (X509Certificate[])_ks.getCertificateChain(alias);
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getClientAliases(String str, Principal[] principal)
    {
        return new String[] { _alias };
    }

    public PrivateKey getPrivateKey(String alias)
    {
        try
        {
            // The smart-card PIN (or key password) is passed through as the key-entry password
            return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getServerAliases(String str, Principal[] principal)
    {
        return new String[] { _alias };
    }
}
And you're doing that in the applet too?
ASKER
Correct, all the code is the same in the console app and the applet
ASKER CERTIFIED SOLUTION
ASKER
I will try that. The console app was just a test to see if I could get connected, the applet is what I really need to get working.
Going through the trace I see
Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~2.0_0\lib\security\cacerts. I think we should be using Java 1.5_06; maybe it's using the wrong trust store, that would be an easy fix.
Going through the trace I see Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~2.0 ...
Yes, i mentioned that here
What did the application claim it was using as its truststore?
ASKER
I didn't see that in the application, I will look again when I get back to the shop
java -Djavax.net.debug=ssl YourApp >application.txt 2>&1
should save it to file for you
ASKER
I looked at the file; I'm not seeing the version though. I'm attaching both the ssl debug and all debug.
application-debug-all.txt
application-debug-ssl.txt
I looked at the file I'm not seeing the version though.
That's strange. What command did you give to the app?
Also what was the result of adding debug code to your programmatic key management routines - are they called?
ASKER
I ran the commands you gave me:
java -Djavax.net.debug=ssl YourApp >application.txt 2>&1
java -Djavax.net.debug=all YourApp >application.txt 2>&1
I didn't add debug code to the key management routines yet; I will do that and post the results.
ASKER
The key management class is being created in both the console app and the applet, but the two following methods are being called in the application but not the applet:
chooseClientAlias
getCertificateChain
Full code of the key management class:
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

// Same alias-selecting key manager as before, with trace output to show which methods the handshake calls
private static class AliasKeyManager implements X509KeyManager
{
    private KeyStore _ks;
    private String _alias;
    private String _password;

    public AliasKeyManager(KeyStore ks, String alias, String password)
    {
        System.out.println("Init ALiasKeyManager");
        _ks = ks;
        _alias = alias;
        _password = password;
    }

    public String chooseClientAlias(String[] str, Principal[] principal, Socket socket)
    {
        System.out.println("In ALiasKeyManager.chooseClientAlias returning alias:" + _alias);
        return _alias;
    }

    public String chooseServerAlias(String str, Principal[] principal, Socket socket)
    {
        System.out.println("In ALiasKeyManager.chooseServerAlias returning alias:" + _alias);
        return _alias;
    }

    public X509Certificate[] getCertificateChain(String alias)
    {
        try
        {
            System.out.println("In ALiasKeyManager.getCertificateChain returning chain for alias:" + _alias);
            // Relies on the keystore returning an X509Certificate[] at runtime; otherwise this cast fails
            return (X509Certificate[])_ks.getCertificateChain(alias);
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getClientAliases(String str, Principal[] principal)
    {
        System.out.println("In ALiasKeyManager.getClientAliases returning alias:" + _alias);
        return new String[] { _alias };
    }

    public PrivateKey getPrivateKey(String alias)
    {
        try
        {
            return (PrivateKey)_ks.getKey(alias, _password == null ? null : _password.toCharArray());
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return null;
        }
    }

    public String[] getServerAliases(String str, Principal[] principal)
    {
        return new String[] { _alias };
    }
}
the two following methods are being called in the application but not the applet
I thought that might be the case. In which applet method are you invoking the key management routines?
ASKER
Before I left I noticed that when I compiled my application from the command line it compiled fine. I use Eclipse to compile my applet, and I noticed that their implementation of the X509KeyManager calls for a couple of other methods. I need to double check when I get back to the office to see what methods the applet has that the application doesn't, but the chooseClientAlias and getCertificateChain methods are actually being called in my applet; it was just using methods with different signatures. When I get back tomorrow I will verify that those methods are actually returning something.
I have a method called testConnection that is running when the applet starts up; this is the method that is invoking the key management class.
when the applet starts up
Which method? The ctor?
ASKER
I'm not sure I understand the question.
ASKER
Ok, it's working now. When Eclipse added the other methods to the X509KeyManager class there were two chooseClientAlias methods; the method being called by the applet was different from the method being called in the console app, and it was returning null. I changed the value being returned from null to _alias and all seems well now.
I appreciate all your help on this. I'm new to Experts Exchange, but I think I accepted your answer correctly; if not, let me know.
Take care.
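The two lessons of this thread, the trust store question raised earlier (is the applet reading the same cacerts as the application?) and the final root cause (a second chooseClientAlias overload that returned null, so the client silently sent no certificate), are both worth checking before the handshake rather than after a 403.7. The class below is an added example written for this edit, not code from the thread or from cdfly's applet: FixedAliasKeyManager, preflight and effectiveTrustStore are hypothetical names, "cert alias" is a placeholder alias as in the thread, and a PKCS#12 file given on the command line stands in for the smart card's keystore. It targets a current JDK (X509ExtendedKeyManager has been in JSSE since Java 5, but try-with-resources and @Override on interface methods are newer than the 1.5 runtime discussed above). With no arguments it runs against an empty in-memory keystore, constructed here, and shows the failure path.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

// Hypothetical class (not from the thread): always presents one alias for client authentication.
// It extends X509ExtendedKeyManager because that base class answers the SSLEngine overloads with
// null, and any chooseClientAlias variant returning null means no client cert is sent (the 403.7 symptom).
public final class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final KeyStore keyStore;
    private final String alias;
    private final char[] keyPassword;

    public FixedAliasKeyManager(KeyStore keyStore, String alias, char[] keyPassword) {
        this.keyStore = keyStore;
        this.alias = alias;
        this.keyPassword = keyPassword;
    }

    // Verifies up front that the alias is a usable key entry, so a bad alias fails with a clear message
    public static FixedAliasKeyManager preflight(KeyStore ks, String alias, char[] pwd)
            throws GeneralSecurityException {
        if (!ks.containsAlias(alias)) {
            throw new KeyStoreException("alias '" + alias + "' not found; available: " + Collections.list(ks.aliases()));
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new KeyStoreException("alias '" + alias + "' has no X.509 certificate chain");
        }
        ((X509Certificate) chain[0]).checkValidity();   // expired / not-yet-valid certs are caught here, not by IIS
        if (ks.getKey(alias, pwd) == null) {
            throw new KeyStoreException("no private key for alias '" + alias + "' (trusted-cert entry or wrong PIN?)");
        }
        return new FixedAliasKeyManager(ks, alias, pwd);
    }

    // Every alias-selection overload returns the same alias: socket-based (SSLSocket) and engine-based (SSLEngine)
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) { return alias; }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return alias; }
    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) { return alias; }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine e) { return alias; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }

    @Override public X509Certificate[] getCertificateChain(String a) {
        try {
            Certificate[] chain = keyStore.getCertificateChain(a);
            // Copy into a typed array rather than casting Certificate[] to X509Certificate[]
            return chain == null ? null : Arrays.copyOf(chain, chain.length, X509Certificate[].class);
        } catch (KeyStoreException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public PrivateKey getPrivateKey(String a) {
        try {
            return (PrivateKey) keyStore.getKey(a, keyPassword);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // The truststore the default trust manager reads: the system property, else jssecacerts, else cacerts
    public static String effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return prop + " (from -Djavax.net.ssl.trustStore)";
        File sec = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(sec, "jssecacerts");
        return (jsse.exists() ? jsse : new File(sec, "cacerts")).getPath() + " (JRE default)";
    }

    // Usage: java FixedAliasKeyManager [keystore.p12 [password [alias]]]
    public static void main(String[] args) throws Exception {
        System.out.println("java.home=" + System.getProperty("java.home") + "  truststore: " + effectiveTrustStore());
        char[] pwd = args.length > 1 ? args[1].toCharArray() : null;
        String alias = args.length > 2 ? args[2] : "cert alias";   // placeholder alias, as in the thread
        KeyStore ks = KeyStore.getInstance(args.length > 0 ? "PKCS12" : KeyStore.getDefaultType());
        if (args.length > 0) {     // a PKCS#12 file standing in for the smart card's PKCS11 keystore
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pwd); }
        } else {
            ks.load(null, null);   // constructed: empty keystore, so preflight reports the missing alias
        }
        try {
            KeyManager km = preflight(ks, alias, pwd);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(new KeyManager[] { km }, null, null);   // null trust managers: the JRE default truststore above
            System.out.println("SSLContext ready; client alias = " + alias);
        } catch (GeneralSecurityException e) {
            System.out.println("client certificate not usable: " + e.getMessage());
        }
    }
}
```

Running the same class under both the application and the applet JRE and comparing the printed java.home and truststore lines answers the "same trust store?" question directly, and a null client alias can no longer slip through: every choose* overload is implemented, and preflight refuses an alias that is missing, has no chain, is outside its validity period, or whose private key the PIN does not unlock. On a real smart card the keystore would be obtained through a PKCS11 provider rather than the PKCS#12 file used here.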
Good - glad you got it working :)
Does it make a connection to the same server from which it was loaded (from which was served the HTML page with the applet tag) ?