Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target

<!----> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList = [ null ]
[edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl =
[https: // sourcesite:8443/cas/proxyValidate] ticket=[ST-0-UMjsI0YOhF15RhutnkHW]
service=[http%3A%2F%2Fdestsite%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample]
renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 52 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java: 455 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java: 378 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java: 202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java: 173 )
    at filters.ExampleFilter.doFilter(ExampleFilter.java: 101 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java: 202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java: 173 )
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java: 213 )
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java: 178 )
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java: 432 )
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java: 126 )
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java: 105 )
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java: 107 )
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 148 )
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 869 )
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java: 664 )
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java: 527 )
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java: 80 )
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java: 684 )
    at java.lang.Thread.run(Thread.java: 595 )
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java: 150 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java: 1476 )
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java: 174 )
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java: 168 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java: 843 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java: 106 )
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java: 495 )
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java: 433 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java: 815 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java: 1025 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java: 1038 )
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java: 405 )
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java: 170 )
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java: 905 )
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java: 234 )
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java: 84 )
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java: 212 )
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 50 )
      20  more
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java: 221 )
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java: 145 )
    at sun.security.validator.Validator.validate(Validator.java: 203 )
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java: 172 )
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java: 320 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java: 836 )
      33  more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java: 236 )
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java: 194 )
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java: 216 )
      38  more

这个原因发生在：在SSL握手中，CAS Client无法识别CAS Server的证书(X)，即无法建立一条从cacerts信任证书到X的信任路径，
读者可以看一个叫做PKIX规范。解决办法是检查tomcat使用的信任证书路径，通常是jre/lib/security/cacerts文件，看是否已经
导入了所需信任证书。

评论

4 楼 boogie 2007-01-05  

当客户端是weblogic时怎样导入证书？
我导入到jre/lib/security/cacerts后tomcat客户端正常，weblogic客户端出错！

3 楼 security 2006-11-20  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PKIX path building failed
检查信任证书库

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 - Enterprise license
Comment: http://www.pgp.org.cn

iQA/AwUBRWDyeE2j31FcBpdPEQJo8gCfTif3q/qVRVF/ZskW9gUQbO4Kr+QAoNEs
BzN/Navtw8L0k0CmK3FoiU5T
=P3Rz
-----END PGP SIGNATURE-----

2 楼 zzzcrpp 2006-11-01  

楼主，遇到过上面的问题吗？

1 楼 zzzcrpp 2006-11-01  

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)


root cause

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)


note The full stack trace of the root cause is available in the Apache Tomcat/5.5.20 logs.