TitleExpired Signing Certificate
Date25-Sep-2006 18:04:49 EEST
Version2.4.56
Submitter210.84.8.244
Bug criticalityMediumBug
Browser versionIE6
Bug statusClosedBug
PageProvider usedn/a
Servlet ContainerTomcat 5.5.17
Operating SystemLinux
URLn/a
Java version5.0.8

The certificate file jspwiki.jks, used to sign the JSPWiki jar files has expired (March 2006).

This causes JAAS authentication to fail when using a security policy (actually it makes installation almost impossible unless you use AllPermission in the policy file, or add a number of additional permissions to make it work.)

Workaround: Remove 'signedBy "jspwiki",' text from the policy file. The signing of the JAR file will then be ignored, and the policies will just be read according to their Principals. However: This has the negative effect of making all other applications on the VM crash, because they cannot resolve the security role class:

java.lang.LinkageError: com/ecyrd/jspwiki/auth/authorize/Role 
java.lang.Class.forName0(Native Method) 
java.lang.Class.forName(Class.java:242) 
sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403) 

If the signing is replaced with the codebase, everything works well. eg:

grant 
codeBase "file:/cust/metawiki/-", 
principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" { 

Possible solutions: Move role definitions out of the java security policy entirely, or sign a longer lasting certificate.

If there's another solution here, or I'm missing something, please let me know, and keep up the great work guys!

Neale Rudd metawerx http://www.metawerx.net neale@metawerx.net


I'm downgrading this - I cannot replicate. My Tomcat is chugging along nicely with expired certificates.

-- JanneJalkanen


Janne --

You really should renew your signing certificate. :)

--Andrew Jaquith, 01-Nov-2006


If I'm correct, this still isn't solved:

Your keystore contains 1 entry

Alias name: jspwiki
Creation date: Dec 4, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
Serial number: 43923fab
Valid from: Sun Dec 04 02:00:27 CET 2005 until: Sat Mar 04 02:00:27 CET 2006
Certificate fingerprints:
         MD5:  0A:13:BD:25:A6:F1:B5:80:78:56:7A:58:F3:E7:AA:B6
         SHA1: 68:F9:6C:06:C7:E4:10:62:F4:0B:44:28:B7:FC:42:20:5A:FB:3D:23

This is from a 2.4.91 release download.

--HarryMetske, 02-Mar-2007

Fixed in 2.4.100.

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-9) was last changed on 02-Mar-2007 21:44 by JanneJalkanen