We have setup a setup a server at localhost:8081 which would be our default website. We have then opened a https port on 8443 which requires a certificate. The first time there is a request to that port Chrome/Edge shows a popup-dialog with available certificates (1 in our case). We then have a program that kicks in which does other authorizations that makes the certificate available so that the browser can send it to the server. However if we try to connect to that port a second time the browser seems to have cached the certificate and sends it to the server without showing the popup-dialog. We are sure to have invalidated all sessions at the server side. It seems the only way to reprompt the certificate is to restart the browser or go incognito. Is there any way to force the browser not to cache the certificates?
I have managed to solve it by doing two things and before that I just want to clarify what we are doing. We have a smart card reader that detects a card. If a card is inserted, chrome shows certificate dialog. After selecting the certificate the smart card reader authenticates the card through a pin dialog and sends the cards certificate to the server. If the card was removed and reinserted it should reprompt the pin dialog but in our case it did not since chrome/edge cached the session.
We are using Spring boot with Apache and doing the following things solved our problem:
At requesthandler using httpResponse.addHeader("Connection","close"):
private void handleSessionUnlockRequest(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException {
...
...
httpResponse.addHeader("Access-Control-Allow-Credentials",
"true");
httpResponse.addHeader("Cache-Control",
"no-cache, no-store, max-age=0, must-revalidate");
httpResponse.addHeader("Connection","close");
writer.flush();
httpRequest.getSession().invalidate();
}
At HttpConnector by setting hostConfig.setSessionTimeout(1):
private Connector getHttpConnector() {
Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
connector.setScheme("https");
connector.setSecure(true);
...
...
protocol.setSslEnabledProtocols("TLSv1.2");
protocol.setClientAuth("Required");
for(SSLHostConfig hostConfig : connector.findSslHostConfigs()){
hostConfig.setSessionTimeout(1);
}
return connector;
}
Related
I have a local web server set up at 192.168.1.39 with domain www.server.local. DNS has been configured to resolve this properly on my router.
Everything worked just fine until recently. My browser started to report the following error if I access page like www.server.local/page.html that references external resources.
Access to CSS stylesheet at 'https://cdn.jsdelivr.net/npm/reveal.js#4.1.0/dist/reset.css' from origin 'http://www.server.local' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.
However, if http://192.168.1.39/page.html is used, the page opens properly.
But the error message really confuses me, because it suggests the css hosted at jsdelivr is in a private address space! Seriously?! Or did I miss something?
My Browser: Microsoft Edge 94.0.992.31 (Official build) (x86_64)
You can try this solution:
Open Edge and navigate to edge://flags/#block-insecure-private-network-requests
Disable the highlighted option Block insecure private network requests.
Restart Edge and test again.
For more details, you could refer to this blog: https://developer.chrome.com/blog/private-network-access-update/
I'm using PouchDB 7.0.0 in an Ionic project (Ionic 4.0.5).
Within a provider, I define both a local and a remote database:
#Injectable()
export class DatabaseProvider {
constructor() {
this.db = new PouchDB("mydb");
this.remote = new PouchDB("http://<my_server_running_couchdb>/<remote_db_name>")
}
The local database lives in the Chrome browser as an IndexedDB instance. However, the problem also occurs in Firefox so it does not look like the browser is the guy to blame.
The remote database is initially empty and runs on CouchDB 2.1.2. It has already been created on my server with no admin or member set up, so it should be public and allow non-authenticated requests. By the way, CORS are enabled as well.
In the same provider I also define a method that triggers a replication from the local db to the remote node:
replicateLocalDBToRemote() {
console.log("Replicating database...");
this.db.replicate.to(this.remote).then(() => {
console.log("Celebrate");
}).catch(error => {
console.error(error)
})
}
And here is what the call to replicateLocalDBToRemote throws at me
CustomPouchError {__zone_symbol__currentTask: e, result: {…}}
result:
doc_write_failures: 0
docs_read: 0
docs_written: 0
end_time: "2018-11-21T16:23:36.974Z"
errors: []
last_seq: 0
ok: false
start_time: "2018-11-21T16:23:36.874Z"
status: "aborting"
and I am afraid I can't call this a self-explanatory message.
Any guess on what might be the root cause of the issue?
EDIT: After crawling through the PouchDB repo on github, I found this entry which might refer to the same problem.
I fixed the problem by allowing traffic through port 5984 on my remote CouchDB server.
The thing is, sending requests on port 80 (i.e. GET http://<my_server>.com/mydb) does send back some data so I never bothered to try with port 5984 in the first place because I thought the API was also implemented on port 80...
So at least my issue had nothing to do with PouchDB but I wish the error message was a bit more specific.
I have a protractor selenium test for an angular2 that I run with protractor conf.js --params.login.username=John --params.login.password=Doe. The test shall try to log in to my backend and fail with access denied.
This is the conf.js:
exports.config = {
framework: 'jasmine2',
seleniumAddress: 'http://localhost:4444/wd/hub',
capabilities: {
'browserName': 'chrome'
},
baseUrl:'http://127.0.0.1:4200',
specs: ['mytest.spec.js'],
useAllAngular2AppRoots: true,
jasmineNodeOpts: {
showColors: true,
defaultTimeoutInterval: 30000
}
}
The webdriver was started with webdriver-manager start. The app loads fine and the test fills out the Auth0 popup as shown below. It then clicks the submit button. However, this leads to the error message below being shown instead of the login happening. If I understand correctly, Auth0 can't reach the auth server (which is not the issue when logging in manually).
The version of auth0 lock is 10.0.
Through browser.pause() I could verify that other non-localhost addresses like stackoverflow.com are accessible.
Any idea where this might come from and how to solve it?
Update:
In the developer console the following message is displayed.
XMLHttpRequest cannot load https://MYDOMAIN.eu.auth0.com/usernamepassword/login.
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://127.0.0.1:4200' is therefore not allowed access.
The problem was, that the local url http://127.0.0.1:4200 was not listed in the auth0 dashboard under Allowed Origins (CORS), only http://localhost:4200 which I used for testing manually.
The issue was resolved by adding http://127.0.0.1:4200 to Allowed Origins (CORS) and adding the appropriate callback URLs to Allowed Callback URLs.
Time ago we set up a PEP proxy to secure the API our widgets are using. All have being working correctly until today, that we are receiving a 502 Bad Gateway error code for every call going through the proxy.
We have checked the requests are reaching our server and it is responsing correctly to them. The parameters added by the proxy (x-nick-name, x-display-name...) are defined correctly too.
We have also checked the requests outside wirecloud and all go well: we get the token properly and use it in the subsequent calls without problem.
We do not know where this error comes from, any ideas?
EDIT 06/11/2015
After Alvaro's new setting we are receiving the following error in the response body:
{
"description": "Connection Error",
"details": "('Connection aborted.', error(104, 'Connection reset by peer'))"
}
EDIT 09/11/15
Today, the code received in the request's response is different: 504 GATEWAY TIMEOUT
{
"description": "Connection Error",
"details": "('Connection aborted.', error(104, 'Connection reset by peer'))"
}
EDIT 16/11/15
Answering to Mr. Alonso's question:
1.- If we request directly to the server, the response is correctly displayed in the application.
2.- Here you can see the logs from the PEP Proxy with the new line added. As you can see the request is redirected correctly but the info is not displayed in the app.
Seems that the problem is in the PEP proxy side.
I've checked using other tools like curl (I obtained the connection details from the server log). Making the same request using curl gives the same result than using WireCloud: connection reset by peer. Also, if I make the request without the X-Auth-Token header, your service responds with an 401 error code. This is important, because it means that there is not a communication problem between the Mashup portal and your server. I don't know why, but the PEP proxy seems to be crashing when making the authenticated request from the Mashup portal (the same command works executing it from my machine).
I suggest you to restart the PEP proxy. If the problem persist, please attach any available info about the crash from the PEP proxy logs.
You can check three things to give us more information:
Try to remove the PEP and send the request directly to your service.
Introduce a new log in PEP to print the headers of the response: line 41 of lib/HTTPClient.js, log.debug("Headers: ", headers);
Try to send a request to the root path (directly to the tomacat or apache)
If not perhaps we can talk in private to check more information
I am recording a https session of a JSF based web app on JMeter and it's not working.
Target application is hosted on: AWS
JMeter version: 2.9 r1437961
Browser: Chrome version 29.0.1547.65
Java: java version "1.6.0_27"
OpenJDK Runtime Environment (IcedTea6 1.12.5) (6b27-1.12.5-0ubuntu0.12.04.1)
OpenJDK Server VM (build 20.0-b12, mixed mode)
OS: Ubuntu 12.04
Proxy server config:
Port: 8084
Target Controller: Test Plan > Thread Group
Capture HTTP headers is checked.
HTTP Sample settings:
Type: not selected. Follow Redirects and Use KeepAlive checked.
URL patterns to exclude:
1. Added Suggested Excludes
2. .*\.jsf
Exceptions that are getting thrown (from JMeter.log):
ERROR - jmeter.protocol.http.proxy.Proxy: java.net.SocketException: Connection closed by remote host
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1377)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:62)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.apache.jmeter.protocol.http.proxy.Proxy.writeToClient(Proxy.java:404)
at org.apache.jmeter.protocol.http.proxy.Proxy.run(Proxy.java:218)
ERROR - jmeter.protocol.http.proxy.Proxy: Problem with SSL certificate? Ensure browser is set to accept the JMeter proxy cert: Connection closed by remote host java.net.SocketException: Connection closed by remote host
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1377)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:62)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.apache.jmeter.protocol.http.proxy.Proxy.writeToClient(Proxy.java:404)
at org.apache.jmeter.protocol.http.proxy.Proxy.run(Proxy.java:218)
The steps I am following are:
1. Set proxy server pointing to 8084.
2. Change proxy settings from chrome:
Set https proxy to 8084.
3. Disabled all chrome extensions and chrome account.
4. Started jmeter proxy server and hit https://url/login
5. Certificate confirmation page appears on browser. Meanwhile, jmeter.log shows:
2013/09/11 13:16:30 INFO - jmeter.protocol.http.proxy.Daemon: Creating Daemon Socket on port: 8084
2013/09/11 13:16:30 INFO - jmeter.protocol.http.proxy.Daemon: Proxy up and running!
2013/09/11 13:22:39 INFO - jmeter.protocol.http.proxy.Proxy: Proxy will remove the headers: If-Modified-Since,If-None-Match,Host
2013/09/11 13:22:39 INFO - jmeter.protocol.http.proxy.Proxy: Opened Keystore file: /home/abhijeet/Automation_Dev/LoadAutomation/Jmeter/apache-jmeter-2.9/bin/proxyserver.jks
2013/09/11 13:22:39 INFO - jmeter.protocol.http.proxy.Proxy: KeyStore for SSL loaded OK and put host in map (clients4.google.com)
2013/09/11 13:22:39 INFO - jmeter.protocol.http.proxy.Proxy: Opened Keystore file: /home/abhijeet/Automation_Dev/LoadAutomation/Jmeter/apache-jmeter-2.9/bin/proxyserver.jks
2013/09/11 13:22:39 INFO - jmeter.protocol.http.proxy.Proxy: KeyStore for SSL loaded OK and put host in map (translate.googleapis.com)
2013/09/11 13:22:40 INFO - jmeter.protocol.http.sampler.HTTPHCAbstractImpl: Local host = abhijeet-desktop
2013/09/11 13:22:40 INFO - jmeter.protocol.http.sampler.HTTPHC4Impl: HTTP request retry count = 1
2013/09/11 13:22:40 INFO - jmeter.protocol.http.sampler.HTTPHC4Impl: Setting up HTTPS TrustAll scheme
2013/09/11 13:22:40 INFO - jmeter.protocol.http.proxy.FormCharSetFinder: Using htmlparser version: 2.0 (Release Build Sep 17, 2006)<br>
6. Thread group starts showing unknown requests to these domains:
1. translate.googleapis.com
2. clients4.google.com
3. www.google.co.in
4. www.google.com
5. ssl.gstatic.com
6. safebrowsing.google.com
7. alt1-safebrowsing.google.com
8. clients4.google.com
9. www.gstatic.com
.
.
n all other requests going to the target application.
(For every request the above exceptions are thrown)
I believe, the google domain requests above are getting recorded because chrome is dynamically searching the keywords on google, while I am typing the url string in the address bar. But I don't want these requests to get recorded in the Thread Group.
Also, I tried the solutions from these pages but they didn't work for me:
Link 1
Link 2
Link 3
I don't understand, why is JMeter not able to use the fake certificate that it already has. I checked the SSL settings in chrome and I could not find any JMeter certificates. Need help!!
To do it in chrome/IE we have to place the certificate into 'Trusted Root Certificates Store'
Double click the certificate created
Certificate Import Wizard opens
Click Next
Select Second radio button (Place All Certificates in the following store)
Click Browse and select 'Trusted Root Certificates Authorities'. Click Next
Click Finish
Check your certificate installed in Chrome Settings (under Http/SSL) - Manage certificates.. (Trusted Root Certificates Authorities Tab)
This should at cure the exceptions thrown as your screenshot shows.
I have the same problem and solve it to trust the certificate. Just like you when i look at the
Options > Advanced > Certificates > View Certificates ==> Authorities
and couldn't see a name ApacheJMeterRootCertificate.crt or a related name, but i realize that there is a name something like
_DO NOT INSTALL unless this is your certificate
I click this object and 'Edit_Trust' both item under this object. I share my screenshot. I hope this can be help you and others.
I use Firefox. At chrome there should be similar way to edit the certificate.
jmeter 2.12 has good support for HTTPS. Under the WorkBench, just select Add -> Non-Test Elements -> HTTP(S) Test Script Recorder. This version worked first time for me.
Latest versions of Google Chrome made difficult to bypass security settings to avoid security Threats as Phishing or Man-in-the-middle attacks.
I have successfully configured Google Chrome (v.54.0) to allow JMeter Self-Signed Certificate for HTTP(S) Recording.
Here the instructions (on Windows):
Open MMC console (SUPER + R, Type mmc, Press Enter)
Select File Add/Remove Snap-in
Select Certificates Snap-in for Current User
Select Trusted Root Certification Authorities >> Certificates
Right-click over Certificates folder and select All Tasks >> Import...
Import JMeter Self-Signed certificate using the wizard keeping the default options.
Once installed, right-click over JMeter Self-Signed certificate and select Properties
On General tab, make sure Enable for all purposes option is selected
On Cross-Certificates, include the URL of the application you want to record (make sure you enter the full url, e.g. https://www.live.com)
Close all windows.
Done. You should now be able to reach the destination bypassing Chrome security alert and start recording.