Bug 6034 – Two new security logging fixes

Bug 6034 - Two new security logging fixes

Summary:

Two new security logging fixes

Status:	RESOLVED FIXED

Product:	Java WS Security
Component:	Authentication
Version:	unspecified
Platform:	Macintosh All

Importance:	P3 normal
Target Milestone:	4.2.1
Assigned To:	Rachana Ananthakrishnan

URL:
Keywords:	4.0.x

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-04-22 10:31 by Charles Bacon
Modified:	2008-07-28 10:26 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Charles Bacon 2008-04-22 10:31:07

Part 1:  Better error for http/https mismatches
Part 2:  Better error for expired CRL.

Part 1:
This one always means you used the wrong protocol (http to talk to an https
container in this example).  Can we remove the stack trace and explain the
protocol mismatch here?

2008-04-22T09:11:03.255-05:00 ERROR container.GSIServiceThread
[ServiceThread-110,process:134] [JWSCORE-192] Error processing request
java.io.IOException: Token length 1347375956 > 33554432
    at
org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readToken(GSIGssInputStream.java:98)
    at
org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:59)
    at
org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:65)
    at
org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:127)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:147)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:166)
    at
org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:131)
    at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:468)

Part 2:
Bacon:rc1 bacon$ bin/globus-start-container
Starting SOAP server at https://10.0.1.3:8443/wsrf/services/
2008-04-22T09:08:46.934-05:00 ERROR container.GSIServiceThread
[ServiceThread-110,process:134] [JWSCORE-192] Error processing request
Authentication failed. Caused by Defective credential detected. Caused by
org.globus.gsi.proxy.ProxyPathValidatorException: CRL for CA
"DC=org,DC=DOEGrids,OU=Certificate Authorities,CN=DOEGrids CA 1" has expired.
    at
org.globus.gsi.proxy.ProxyPathValidator.checkCRL(ProxyPathValidator.java:906)
    at
org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:551)
    at
org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:353)
    at
org.globus.gsi.gssapi.GlobusGSSContextImpl$GSSProxyPathValidator.validate(GlobusGSSContextImpl.java:679)
    at
org.globus.gsi.gssapi.GlobusGSSContextImpl.verifyChain(GlobusGSSContextImpl.java:715)
    at
org.globus.gsi.gssapi.GlobusGSSContextImpl.acceptSecContext(GlobusGSSContextImpl.java:314)
    at
org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:129)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:147)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:166)
    at
org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:131)
    at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:468)
[JWSCORE-115] Failed to obtain a list of services from
'https://10.0.1.3:8443/wsrf/services/ContainerRegistryService' service: ;
nested exception is:
    java.io.EOFException

I'd rather see this be an error message like:

The CRL for "/DC=org/DC=DOEGrids/OU=..." at
"/home/bacon/.globus/certificates/1c3f2ca8.r0" has expired at Apr 16 19:24:44
2008 GMT.

------- Comment #1 From Rachana Ananthakrishnan 2008-07-08 17:23:37 -------

Thanks Charles. Fix committed to trunk, 4.0 and 4.2 branch.