[JBoss-user] [Security & JAAS/JBoss] - Re: ssl in jboss 3.2.5 is broken

Wed, 07 Jul 2004 13:26:08 -0700 

Here is a trivial jsp page that shows a principal with secured with basic auth using 
both ssl and non-ssl connections:


  | <[EMAIL PROTECTED] import="java.io.*,javax.naming.*,
  |                 java.util.Date,
  |                 java.util.Enumeration,
  |                 javax.security.cert.X509Certificate" %>
  | <html>
  | <body bgcolor="white">
  | <h1> Session Info</h1>
  | SessionID: <%= session.getId() %><br>
  | CreationTime: <%= new Date(session.getCreationTime()) %><br>
  | LastAccessedTime: <%= new Date(session.getLastAccessedTime()) %><br>
  | <ul>
  | <%
  |    Enumeration names = session.getAttributeNames();
  |    while( names.hasMoreElements() )
  |    {
  |       String name = (String) names.nextElement();
  |       out.print("<li>");
  |       out.print(name);
  |       out.print(" = ");
  |       out.print(session.getAttribute(name));
  |       out.println("</li>");
  |    }
  |    if( request.getScheme().equals("https") )
  |    {
  |       String cipherSuite;
  |       X509Certificate certChain [];
  |       cipherSuite = (String) request.getAttribute 
("javax.servlet.request.cipher_suite");
  |       certChain = (X509Certificate []) request.getAttribute 
("javax.servlet.request.X509Certificate");
  |       out.print("<li>javax.servlet.request.cipher_suite = ");
  |       out.print(cipherSuite);
  |       out.println("</li>");
  |       out.print("<li>javax.servlet.request.X509Certificate = ");
  |       out.print(certChain);
  |       out.println("</li>");
  | 
  |    }%>
  | </ul>
  | 
  | <h1> JNDI java:comp/env Context Info</h1>
  | <pre>
  | <%
  |     if( initException != null )
  |         out.println(initException);
  |     else
  |         out.println(jndiEnvCtxInfo);
  | %>
  | </pre>
  | <h1> Request Information </h1>
  | <font size="4">
  | JSP Request Method: <%= request.getMethod() %>
  | <br>
  | Request URL: <%= request.getRequestURL() %>
  | <br>
  | Request URI: <%= request.getRequestURI() %>
  | <br>
  | Request Protocol: <%= request.getProtocol() %>
  | <br>
  | Servlet path: <%= request.getServletPath() %>
  | <br>
  | Path info: <%= request.getPathInfo() %>
  | <br>
  | Path translated: <%= request.getPathTranslated() %>
  | <br>
  | Query string: <%= request.getQueryString() %>
  | <br>
  | Content length: <%= request.getContentLength() %>
  | <br>
  | Content type: <%= request.getContentType() %>
  | <br>
  | Server name: <%= request.getServerName() %>
  | <br>
  | Server port: <%= request.getServerPort() %>
  | <br>
  | UserPrincipal: <%= request.getUserPrincipal() %>
  | <br>
  | Remote user: <%= request.getRemoteUser() %>
  | <br>
  | Remote address: <%= request.getRemoteAddr() %>
  | <br>
  | Remote host: <%= request.getRemoteHost() %>
  | <br>
  | Authorization scheme: <%= request.getAuthType() %> 
  | <br>
  | Is secure: <%= request.isSecure() %> 
  | <br>
  | Locale: <%= request.getLocale() %>
  | <hr>
  | The browser you are using is <%= request.getHeader("User-Agent") %>
  | <hr>
  | </font>
  | </body>
  | </html>
  | 
  | 

Output without ssl:

  |  Session Info
  | SessionID: 7D6B2FA8783C0B451C23319E990C393E
  | CreationTime: Wed Jul 07 13:15:27 PDT 2004
  | LastAccessedTime: Wed Jul 07 13:15:27 PDT 2004
  | 
  | Request Information
  | JSP Request Method: GET
  | Request URL: http://localhost:8080/jmx-console/snoop.jsp
  | Request URI: /jmx-console/snoop.jsp
  | Request Protocol: HTTP/1.1
  | Servlet path: /snoop.jsp
  | Path info: null
  | Path translated: null
  | Query string: null
  | Content length: -1
  | Content type: null
  | Server name: localhost
  | Server port: 8080
  | UserPrincipal: admin
  | Remote user: admin
  | Remote address: 127.0.0.1
  | Remote host: 127.0.0.1
  | Authorization scheme: BASIC
  | Is secure: false
  | Locale: en_US
  | 

Output with ssl:

  |  Session Info
  | SessionID: 1AA806630E9DC97500C2D240066407EC
  | CreationTime: Wed Jul 07 13:01:34 PDT 2004
  | LastAccessedTime: Wed Jul 07 13:08:48 PDT 2004
  | 
  |     * javax.servlet.request.cipher_suite = TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  |     * javax.servlet.request.X509Certificate = null
  | 
  | Request Information
  | JSP Request Method: GET
  | Request URL: https://localhost:8443/jmx-console/snoop.jsp
  | Request URI: /jmx-console/snoop.jsp
  | Request Protocol: HTTP/1.1
  | Servlet path: /snoop.jsp
  | Path info: null
  | Path translated: null
  | Query string: null
  | Content length: -1
  | Content type: null
  | Server name: localhost
  | Server port: 8443
  | UserPrincipal: admin
  | Remote user: admin
  | Remote address: 127.0.0.1
  | Remote host: 127.0.0.1
  | Authorization scheme: BASIC
  | Is secure: true
  | Locale: en_US
  | 


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3841273#3841273

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3841273


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user

Reply via email to