Title | Expired Signing Certificate |
Date | 25-Sep-2006 18:04:49 EEST |
Version | 2.4.56 |
Submitter | 210.84.8.244 |
Bug criticality | MediumBug |
Browser version | IE6 |
Bug status | ClosedBug |
PageProvider used | n/a |
Servlet Container | Tomcat 5.5.17 |
Operating System | Linux |
URL | n/a |
Java version | 5.0.8 |
The certificate file jspwiki.jks, used to sign the JSPWiki jar files has expired (March 2006).
This causes JAAS authentication to fail when using a security policy (actually it makes installation almost impossible unless you use AllPermission in the policy file, or add a number of additional permissions to make it work.)
Workaround: Remove 'signedBy "jspwiki",' text from the policy file. The signing of the JAR file will then be ignored, and the policies will just be read according to their Principals. However: This has the negative effect of making all other applications on the VM crash, because they cannot resolve the security role class:
java.lang.LinkageError: com/ecyrd/jspwiki/auth/authorize/Role java.lang.Class.forName0(Native Method) java.lang.Class.forName(Class.java:242) sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403)
If the signing is replaced with the codebase, everything works well. eg:
grant codeBase "file:/cust/metawiki/-", principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
Possible solutions: Move role definitions out of the java security policy entirely, or sign a longer lasting certificate.
If there's another solution here, or I'm missing something, please let me know, and keep up the great work guys!
Neale Rudd
metawerx
http://www.metawerx.net
neale@metawerx.net
I'm downgrading this - I cannot replicate. My Tomcat is chugging along nicely with expired certificates.
Janne --
You really should renew your signing certificate. :)
--Andrew Jaquith, 01-Nov-2006
If I'm correct, this still isn't solved:
Your keystore contains 1 entry Alias name: jspwiki Creation date: Dec 4, 2005 Entry type: keyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI Serial number: 43923fab Valid from: Sun Dec 04 02:00:27 CET 2005 until: Sat Mar 04 02:00:27 CET 2006 Certificate fingerprints: MD5: 0A:13:BD:25:A6:F1:B5:80:78:56:7A:58:F3:E7:AA:B6 SHA1: 68:F9:6C:06:C7:E4:10:62:F4:0B:44:28:B7:FC:42:20:5A:FB:3D:23
This is from a 2.4.91 release download.
--HarryMetske, 02-Mar-2007
Fixed in 2.4.100.