`
security
  • 浏览: 379429 次
  • 来自: www.pgp.org.cn
社区版块
存档分类
最新评论

Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target

阅读更多
<!----> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList
= [ null ]
[edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl
=
[https:
// sourcesite:8443/cas/proxyValidate] ticket=[ST-0-UMjsI0YOhF15RhutnkHW]
service=[http%3A%2F%2Fdestsite%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample]
renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 52 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:
455 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:
378 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:
173 )
    at filters.ExampleFilter.doFilter(ExampleFilter.java:
101 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:
173 )
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:
213 )
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:
178 )
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:
432 )
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:
126 )
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:
105 )
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:
107 )
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
148 )
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
869 )
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:
664 )
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:
527 )
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:
80 )
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:
684 )
    at java.lang.Thread.run(Thread.java:
595 )
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:
150 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:
1476 )
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:
174 )
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:
168 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:
843 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:
106 )
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:
495 )
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:
433 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:
815 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:
1025 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
1038 )
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:
405 )
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:
170 )
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:
905 )
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:
234 )
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:
84 )
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:
212 )
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:
50 )
     
20  more
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:
221 )
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:
145 )
    at sun.security.validator.Validator.validate(Validator.java:
203 )
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:
172 )
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:
320 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:
836 )
     
33  more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:
236 )
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:
194 )
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:
216 )
     
38  more

这个原因发生在:在SSL握手中,CAS Client无法识别CAS Server的证书(X),即无法建立一条从cacerts信任证书到X的信任路径,
读者可以看一个叫做PKIX规范。解决办法是检查tomcat使用的信任证书路径,通常是jre/lib/security/cacerts文件,看是否已经
导入了所需信任证书。
分享到:
评论
4 楼 boogie 2007-01-05  
当客户端是weblogic时怎样导入证书?
我导入到jre/lib/security/cacerts后tomcat客户端正常,weblogic客户端出错!
3 楼 security 2006-11-20  
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PKIX path building failed
检查信任证书库

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 - Enterprise license
Comment: http://www.pgp.org.cn

iQA/AwUBRWDyeE2j31FcBpdPEQJo8gCfTif3q/qVRVF/ZskW9gUQbO4Kr+QAoNEs
BzN/Navtw8L0k0CmK3FoiU5T
=P3Rz
-----END PGP SIGNATURE-----
2 楼 zzzcrpp 2006-11-01  
楼主,遇到过上面的问题吗?
1 楼 zzzcrpp 2006-11-01  
type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)


root cause

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)


note The full stack trace of the root cause is available in the Apache Tomcat/5.5.20 logs.

相关推荐

    Yale CAS SSO JAVA Client

    "Yale CAS SSO JAVA Client" 是一个专为Java应用程序设计的身份验证服务,它利用了耶鲁大学开发的中央认证服务(Central Authentication Service, CAS)。CAS是一种开放源代码的单点登录(Single Sign-On, SSO)框架...

    Yale CAS Server的部署及cas-java-client 3.2的应用

    《Yale CAS Server的部署及cas-java-client 3.2的应用》 CAS(Central Authentication Service,中央认证服务)是耶鲁大学开发的一个开源的身份验证框架,它为Web应用程序提供了单一登录(Single Sign-On,SSO)...

    Yale CAS实现单点登陆的客户端和服务端源码

    Yale CAS实现单点登陆的客户端源码和服务端源码,客户端cas-client-3.1.10代码和cas-server-3.4.2.1代码

    解决报错:edu.yale.its.tp.cas.client.IContextInit

    解决普元EOS报错:edu.yale.its.tp.cas.client.IContextInit 下载后需jar到lib里面且单击右键在属性一栏的弹出框内添加该jar包即可解决爆粗

    Yale CAS SSO DotNet Client

    "Yale CAS SSO DotNet Client" 是一个专为.NET框架设计的客户端库,用于集成耶鲁大学(Yale)的中央认证服务(Central Authentication Service, CAS)。CAS是一种开源的身份验证协议,它允许用户通过单一登录...

    Yale CAS最佳实践.rar

    **Yale CAS(Central Authentication Service)是耶鲁大学开发的一款基于Web的身份验证系统,它允许用户通过单一登录(Single Sign-On, SSO)访问多个应用系统。本篇将详细探讨Yale CAS的最佳实践,包括环境准备、...

    耶鲁CasServer单点登录教程

    【耶鲁CasServer单点登录教程】 一、Yale CAS简介 Yale Central Authentication Service (CAS) 是一个开源的身份验证框架,由耶鲁大学开发,主要用于实现单点登录(Single Sign-On, SSO)。SSO允许用户在一个系统上...

    yale-cas服务器端深度定制

    【标题】"Yale CAS服务器端深度定制"主要涉及到的是CAS(Central Authentication Service)系统,这是一个基于Java开发的开源身份验证框架,由耶鲁大学开发并广泛应用于各个机构的单点登录(Single Sign-On,SSO)...

    在Tomcat中使用Yale CAS实现单点登陆(SSO)

    Yale CAS(Central Authentication Service)是由耶鲁大学开发的一个开源的SSO解决方案,它作为一个独立的Web应用程序运行,提供了一个集中式的认证服务。 在Tomcat服务器中集成Yale CAS以实现SSO,首先需要下载CAS...

    用YALE -CAS实现SSO

    2. **应用系统集成**:每个需要SSO功能的应用系统都会配置以与CAS服务器通信。如果用户尝试访问一个未授权的资源,该应用会将用户重定向到CAS服务器进行身份验证。 3. **安全通信**:CAS服务器与客户端之间的通信...

    Cas配置说明[定义].pdf

    - 如果遇到“unable to find valid certification path to requested target”错误,检查`JAVA_HOME`是否指向正确的JDK,并且证书已正确导入`cacerts`。 7. **单点登录和单点退出**: - 单点登录允许用户登录一次...

    Weblogic使用YALE(耶鲁)CAS实现SSO单点登录 的方法.doc

    Weblogic 使用 YALE CAS 实现 SSO 单点登录的方法 一、Yale CAS 简介 Yale CAS 是耶鲁大学开发的一种开源的单点登录(SSO)解决方案,提供了一个通用的身份验证框架,允许用户使用单个身份验证来访问多个应用程序。...

    cas 配置client 1.0 &2.0 及proxy DEMO 说明

    在实际操作中,可能会遇到如下的问题:如果未正确配置SSL,CAS client在验证`ProxyTicketValidator`时可能会抛出异常,如`edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ...

    Introduction to Computing Systems From bits &amp; gates to C &amp; beyond

    计算机系统概论 英文版 作者: [美] Yale N. Patt'Introduction to Computing Systems: From bits & gates to C & beyond', now in its second edition, is designed to give students a better understanding of ...

    yale-cas 与 shiro进行整合

    总结,整合Yale CAS与Apache Shiro,能够让我们在享受CAS带来的SSO便利的同时,利用Shiro实现更精细的权限控制。通过理解CAS和Shiro的核心原理,以及正确配置和测试,可以构建出一个强大而安全的Web应用程序。在这个...

    lc3-yale-patt-introduction-to-cs

    lc3-yale-patt-introduction-to-cs lc3-yale-patt-introduction-to-cs lc3-yale-patt-introduction-to-cs 'lc3汇编代码

    CAS SSO配置文档详解

    ### CAS SSO配置文档详解 #### 一、SSO实现原理与CAS的作用 单点登录(Single Sign-On,简称SSO)是一种用户身份验证机制,允许用户在一个安全领域内访问多个应用系统,而无需多次输入身份验证信息。在税务行业...

Global site tag (gtag.js) - Google Analytics