Boolean.getBoolean performs a system property lookup. I'll try that solution and update.
On Tue, Apr 5, 2016 at 6:20 PM, Harsha Kumara <hars...@wso2.com> wrote:

> I have done some analysis on this. In API Manager the initial functionality
> works fine. When the access token is generated, SAML2BearerGrantHandler
> does DefaultBootstrap.bootstrap(); in the opensaml library. With the new
> version of the opensaml library they perform initializeHttpClient(); [1]
> during the bootstrap. So the underlying commons http client library socket
> factory has changed from SSLProtocolSocketFactory to TLSProtocolSocketFactory.
> TLSProtocolSocketFactory performs host name verification, which causes
> this exception. When going through their code, they have tried to disable
> this from a System property. But the implementation is doing
> Boolean.getBoolean instead of looking it up from System.getProperty [2],
> which seems to be a bug. If this had worked, we could have set a system
> property.
>
> [1]
>     /**
>      * Initializes the Apache Commons HttpClient library.
>      */
>     protected static void initializeHttpClient() {
>         if (!Boolean.getBoolean(SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION)) {
>             ProtocolSocketFactory socketFactory =
>                     new TLSProtocolSocketFactory(null, null, new StrictHostnameVerifier());
>             Protocol.registerProtocol("https", new Protocol("https", socketFactory, 443));
>         }
>     }
>
> [2]
>     /** System property used to disable global default HTTPS hostname
>      *  verification in Apache Commons HttpClient. */
>     public static final String SYSPROP_HTTPCLIENT_HTTPS_DISABLE_HOSTNAME_VERIFICATION =
>             "org.opensaml.httpclient.https.disableHostnameVerification";
>
> Thanks,
> Harsha
>
> On Tue, Apr 5, 2016 at 5:48 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> IS Team,
>>
>> It looks like the TLSProtocolSocketFactory isn't honouring the HostName
>> verification parameter. It always tries to do the hostname verification.
>> Looks like buggy behaviour to me.
>>
>> This causes problems for API Manager and any other product which has a
>> distributed deployment (App Manager, DAS, etc.) because it prevents http
>> clients within our code from accessing Admin Services of remote nodes. The
>> http clients fail since the server cert is by default for localhost, and
>> whenever we try to access through IPs it fails. The only way to overcome
>> this is to create the proper certs and deploy them on the server, which is
>> a huge hassle for simple test scenarios.
>>
>> The TLSProtocolSocketFactory is being set when the SAMLBearerGrant is
>> being initialized. Until then things work fine. We either have to stop it
>> being set or use a version of opensaml which supports skipping the host
>> name verification (like our transports allow). Otherwise this is going to
>> be a huge blocker for our releases.
>>
>> Thanks,
>> NuwanD.
>>
>> On Thu, Mar 17, 2016 at 7:09 PM, Sam Sivayogam <s...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> Had an offline chat with Pulasthi and got to know that in IS 5.0.8 there
>>> was an opensaml upgrade from 2.4.1 to 2.6.4. After going through [1] I got
>>> to know that there is a hostname verification introduced in opensaml 2.6.4
>>> which is not there in opensaml 2.4.1, and this is why we are getting the
>>> above issue after moving to carbon identity 5.0.8.
>>>
>>> We are using *CommonsHTTPTransportSender* to call the key manager
>>> internally, and from what I understood if we set the *HostnameVerifier*
>>> parameter to *AllowAll* we should be able to get rid of this issue, but we
>>> are still getting this issue. Does anyone know why the HostnameVerifier
>>> parameter is not working as expected with CommonsHTTPTransportSender?
>>>
>>> [1]
>>> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.servicemix.bundles/org.apache.servicemix.bundles.opensaml/2.4.1_2/org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.java/?v=diff&id2=2.6.4_1
>>>
>>> Thanks,
>>>
>>> On Thu, Mar 17, 2016 at 11:12 AM, Sam Sivayogam <s...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm trying to upgrade APIM's Carbon kernel to 4.4.4. During the kernel
>>>> upgrade I also upgraded the following:
>>>>   carbon identity from 5.0.7 to 5.0.8
>>>>   carbon commons from 4.4.8 to 4.5.2
>>>>   wso2 rampart from 1.6.1-wso2v16 to 1.6.1-wso2v18
>>>>
>>>> After the upgrade, when I try to generate a key from the API Store I'm
>>>> getting the error [1]. I was able to get rid of this issue after replacing
>>>> the APIKeyValidator IP with localhost in api-manager.xml.
>>>> Please note that this issue is occurring after the kernel upgrade; before
>>>> that we didn't encounter this issue. What I would like to know is whether
>>>> there are any changes in kernel 4.4.4 or rampart 1.6.1-wso2v18 to do the
>>>> hostname verification by default?
>>>>
>>>> [1]
>>>> [2016-03-17 11:08:35,995]  INFO - HTTPSender Unable to sendViaPost to url[https://10.100.5.192:9443//services/APIKeyMgtSubscriberService]
>>>> javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 10.100.5.192
>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
>>>>     at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
>>>>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
>>>>     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
>>>>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>>>>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>>>>     at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:632)
>>>>     at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
>>>>     at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
>>>>     at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
>>>>     at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
>>>>     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
>>>>     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
>>>>     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
>>>>     at org.wso2.carbon.apimgt.keymgt.stub.subscriber.APIKeyMgtSubscriberServiceStub.retrieveOAuthApplication(APIKeyMgtSubscriberServiceStub.java:1389)
>>>>     at org.wso2.carbon.apimgt.keymgt.client.SubscriberKeyMgtClient.getOAuthApplication(SubscriberKeyMgtClient.java:89)
>>>>     at org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl.retrieveApplication(AMDefaultKeyManagerImpl.java:224)
>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getClientOfApplication(ApiMgtDAO.java:2338)
>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getOAuthApplications(ApiMgtDAO.java:2302)
>>>>     at org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO.getApplications(ApiMgtDAO.java:4434)
>>>>     at org.wso2.carbon.apimgt.impl.APIConsumerImpl.getApplications(APIConsumerImpl.java:2813)
>>>>     at org.wso2.carbon.apimgt.impl.UserAwareAPIConsumer.getApplications(UserAwareAPIConsumer.java:36)
>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.getAllSubscriptions(APIStoreHostObject.java:2416)
>>>>     at org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject.jsFunction_getAllSubscriptionsOfApplication(APIStoreHostObject.java:2659)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:601)
>>>>     at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>     at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386)
>>>>     at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1._c_anonymous_2(/store/modules/subscription/list.jag:31)
>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c1.call(/store/modules/subscription/list.jag)
>>>>     at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430)
>>>>     at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269)
>>>>     at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
>>>>     at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>     at org.jaggeryjs.rhino.store.modules.subscription.c0._c_anonymous_5(/store/modules/subscription/module.jag:19)
>>>>
>>>> Thanks,
>>>> Sam
>>>>
>>>> --
>>>> *Sam Sivayogam*
>>>> Software Engineer
>>>> Mobile : +94 772 906 439
>>>> Office : +94 112 145 345
>>>> *WSO2, Inc. :* wso2.com <http://wso2.com/>
>>>> lean.enterprise.middleware.
>>>
>>> --
>>> *Sam Sivayogam*
>>> Software Engineer
>>> Mobile : +94 772 906 439
>>> Office : +94 112 145 345
>>> *WSO2, Inc. :* wso2.com <http://wso2.com/>
>>> lean.enterprise.middleware.
>>
>> --
>> Nuwan Dias
>> Technical Lead - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>
> --
> Harsha Kumara
> Software Engineer, WSO2 Inc.
> Mobile: +94775505618
> Blog: harshcreationz.blogspot.com

--
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com
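Editor's note with an added example. The code below is not from this thread and is not WSO2 or opensaml code; it is a stand-alone check, written here, of the mechanism the thread is arguing about. It assumes opensaml 2.6.x and commons-httpclient 3.x on the classpath, and the class name OpenSamlHostnameVerificationCheck is ours. It shows three things a practitioner would want confirmed before touching the deployment: that Boolean.getBoolean really is a system property lookup (it returns true only when the property is set to the exact string "true", case-insensitively, so "1" or "yes" will not disable anything); that the property must be set before DefaultBootstrap.bootstrap() runs, because the https Protocol registration is JVM-global and happens inside that call; and which socket factory ended up registered for https.

```java
// Added example, not part of the thread, WSO2 or opensaml. Assumes opensaml
// 2.6.x (DefaultBootstrap) and commons-httpclient 3.x (Protocol) on the classpath.
import org.apache.commons.httpclient.protocol.Protocol;
import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.ConfigurationException;

public class OpenSamlHostnameVerificationCheck {

    // The property name opensaml reads in initializeHttpClient() (quoted as [2] above).
    static final String DISABLE_PROP =
            "org.opensaml.httpclient.https.disableHostnameVerification";

    /**
     * Mirrors opensaml's test. Boolean.getBoolean(name) reads the system property
     * of that name and returns true only if it exists and equals "true"
     * (case-insensitive). Any other value, including "1", "yes" or "", is false,
     * so the strict verifier would still be registered.
     */
    static boolean verificationWouldBeDisabled() {
        return Boolean.getBoolean(DISABLE_PROP);
    }

    /** Class name of the socket factory currently registered for "https" in Commons HttpClient. */
    static String httpsSocketFactory() {
        return Protocol.getProtocol("https").getSocketFactory().getClass().getName();
    }

    public static void main(String[] args) throws ConfigurationException {
        // Ordering matters: the registration happens inside bootstrap() and is global
        // for the JVM, so the property must already be set (e.g. as a -D argument
        // at JVM start) when this call runs. Setting it afterwards has no effect.
        System.out.println("property value    : " + System.getProperty(DISABLE_PROP));
        System.out.println("disable requested : " + verificationWouldBeDisabled());
        System.out.println("https factory pre : " + httpsSocketFactory());

        DefaultBootstrap.bootstrap();

        String factory = httpsSocketFactory();
        System.out.println("https factory post: " + factory);

        if (factory.endsWith("TLSProtocolSocketFactory")) {
            System.out.println("Strict hostname verification is now active for every"
                    + " Commons HttpClient HTTPS call in this JVM.");
            System.out.println("A node contacted by IP needs a certificate whose SAN"
                    + " carries that IP, or the connection fails as in [1].");
        } else {
            System.out.println("opensaml left the HttpClient default factory in place:"
                    + " no hostname check from opensaml, so no MITM protection from it.");
        }
    }
}
```

Run it once plainly and once with -Dorg.opensaml.httpclient.https.disableHostnameVerification=true to see the two outcomes. In a Carbon server the property has to go into the JVM arguments of the start script, since the SAML2 bearer grant handler bootstraps opensaml lazily on the first token request. Note that the switch is all-or-nothing for the JVM: every Commons HttpClient HTTPS connection loses hostname verification, not just the admin-service calls between nodes, which makes it a test-only setting. For a real distributed deployment the fix is a server certificate that names the addresses actually used, e.g. a keytool keypair generated with -ext san=ip:10.100.5.192,dns:localhost, so the strict verifier passes.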
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev