Bug 6034 - Two new security logging fixes
Status: RESOLVED FIXED
: Java WS Security
Authentication
: unspecified
: Macintosh All
: P3 normal
: 4.2.1
: 4.0.x
Reported: 2008-04-22 10:31 by
Modified: 2008-07-28 10:26 (History)
Description From 2008-04-22 10:31:07
Part 1:  Better error for http/https mismatches
Part 2:  Better error for expired CRL.

Part 1:
This one always means you used the wrong protocol (http to talk to an https
container in this example).  Can we remove the stack trace and explain the
protocol mismatch here?

2008-04-22T09:11:03.255-05:00 ERROR container.GSIServiceThread
[ServiceThread-110,process:134] [JWSCORE-192] Error processing request
java.io.IOException: Token length 1347375956 > 33554432
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readToken(GSIGssInputStream.java:98)
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:59)
    at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:65)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:127)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:147)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:166)
    at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:131)
    at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:468)

Part 2:
Bacon:rc1 bacon$ bin/globus-start-container
Starting SOAP server at https://10.0.1.3:8443/wsrf/services/
2008-04-22T09:08:46.934-05:00 ERROR container.GSIServiceThread
[ServiceThread-110,process:134] [JWSCORE-192] Error processing request
Authentication failed. Caused by Defective credential detected. Caused by
org.globus.gsi.proxy.ProxyPathValidatorException: CRL for CA
"DC=org,DC=DOEGrids,OU=Certificate Authorities,CN=DOEGrids CA 1" has expired.
    at org.globus.gsi.proxy.ProxyPathValidator.checkCRL(ProxyPathValidator.java:906)
    at org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:551)
    at org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:353)
    at org.globus.gsi.gssapi.GlobusGSSContextImpl$GSSProxyPathValidator.validate(GlobusGSSContextImpl.java:679)
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.verifyChain(GlobusGSSContextImpl.java:715)
    at org.globus.gsi.gssapi.GlobusGSSContextImpl.acceptSecContext(GlobusGSSContextImpl.java:314)
    at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:129)
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:147)
    at org.globus.gsi.gssapi.net.GssSocket.getOutputStream(GssSocket.java:166)
    at org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:131)
    at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:468)
[JWSCORE-115] Failed to obtain a list of services from
'https://10.0.1.3:8443/wsrf/services/ContainerRegistryService' service: ;
nested exception is:
    java.io.EOFException

I'd rather see this be an error message like:

The CRL for "/DC=org/DC=DOEGrids/OU=..." at
"/home/bacon/.globus/certificates/1c3f2ca8.r0" has expired at Apr 16 19:24:44
2008 GMT.
------- Comment #1 From 2008-07-08 17:23:37 -------
Thanks Charles. Fix committed to trunk, 4.0 and 4.2 branch.
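
An added example, not part of the bug report or of the Globus code: the token length reported in Part 1, 1347375956, equals 0x504F5354, which is the ASCII text "POST" read as a big-endian 32-bit integer, consistent with a plaintext HTTP request reaching the HTTPS port. The log-triage script below applies that check and matches the Part 2 CRL error over excerpts of the two log entries; the function names and the wording of the output messages are assumptions of this example.

```python
import re
import struct

# First four bytes of a plaintext HTTP request line, by method.
HTTP_PREFIXES = {b"GET ", b"POST", b"PUT ", b"HEAD", b"DELE", b"OPTI"}

TOKEN_RE = re.compile(r"Token length (\d+) > \d+")
CRL_RE = re.compile(r'CRL for CA\s+"([^"]+)"\s+has expired')

# Excerpts copied from the two log entries in the report above.
SAMPLE_LOG = '''\
java.io.IOException: Token length 1347375956 > 33554432
org.globus.gsi.proxy.ProxyPathValidatorException: CRL for CA
"DC=org,DC=DOEGrids,OU=Certificate Authorities,CN=DOEGrids CA 1" has expired.
'''


def explain_token_length(length):
    """Return the HTTP method prefix if the 'length' is really ASCII text, else None."""
    if not 0 <= length <= 0xFFFFFFFF:
        return None
    raw = struct.pack(">I", length)  # reinterpret as 4 big-endian bytes
    return raw.decode("ascii") if raw in HTTP_PREFIXES else None


def triage(log_text):
    """Map the two raw errors to one-line operator messages (wording is hypothetical)."""
    findings = []
    for m in TOKEN_RE.finditer(log_text):
        prefix = explain_token_length(int(m.group(1)))
        if prefix is not None:
            findings.append(
                "Protocol mismatch: client sent plaintext HTTP (%r) to an "
                "HTTPS endpoint; check the scheme in the service URL." % prefix)
    for m in CRL_RE.finditer(log_text):
        # Naive comma split; DNs with escaped commas would need a real parser.
        dn = "/" + "/".join(m.group(1).split(","))
        findings.append(
            'The CRL for "%s" has expired; refresh the CA\'s .r0 file.' % dn)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

The log entries do not carry the CRL file path or expiry time the reporter asked for, so the script can only surface the CA name.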