|Title|Expired Signing Certificate 
|Date|25-Sep-2006 18:04:49 EEST 
|Version|2.4.56 
|Submitter|210.84.8.244 
|[Bug criticality]|MediumBug 
|Browser version|IE6 
|[Bug status]|ClosedBug 
|[PageProvider] used|n/a 
|Servlet Container|Tomcat 5.5.17 
|Operating System|Linux 
|URL|n/a 
|Java version|5.0.8 

The certificate file jspwiki.jks, used to sign the JSPWiki jar files, has expired (March 2006). 

This causes JAAS authentication to fail when using a security policy (actually it makes installation almost impossible unless you use AllPermission in the policy file, or add a number of additional permissions to make it work.) 

Workaround: Remove 'signedBy "jspwiki",' text from the policy file. The signing of the JAR file will then be ignored, and the policies will just be read according to their Principals. 
However: This has the negative effect of making all other applications on the VM crash, because they cannot resolve the security role class: 

{{{
java.lang.LinkageError: com/ecyrd/jspwiki/auth/authorize/Role 
java.lang.Class.forName0(Native Method) 
java.lang.Class.forName(Class.java:242) 
sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403) 
}}}

If the signing is replaced with the codebase, everything works well. 
e.g.: 

{{{
grant 
codeBase "file:/cust/metawiki/-", 
principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" { 
    // permission entries for this role go here
};
}}}

Possible solutions: Move role definitions out of the java security policy entirely, or sign a longer lasting certificate. 

If there's another solution here, or I'm missing something, please let me know, and keep up the great work guys! 

Neale Rudd 
metawerx 
http://www.metawerx.net 
neale@metawerx.net 

----

I'm downgrading this - I cannot replicate.  My Tomcat is chugging along nicely with expired certificates.

-- JanneJalkanen


----

Janne --

You really should renew your signing certificate. :)

--Andrew Jaquith, 01-Nov-2006


----

If I'm correct, this still isn't solved:
{{{
Your keystore contains 1 entry

Alias name: jspwiki
Creation date: Dec 4, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
Serial number: 43923fab
Valid from: Sun Dec 04 02:00:27 CET 2005 until: Sat Mar 04 02:00:27 CET 2006
Certificate fingerprints:
         MD5:  0A:13:BD:25:A6:F1:B5:80:78:56:7A:58:F3:E7:AA:B6
         SHA1: 68:F9:6C:06:C7:E4:10:62:F4:0B:44:28:B7:FC:42:20:5A:FB:3D:23
}}}

This is from a 2.4.91 release download.



--HarryMetske, 02-Mar-2007

Fixed in 2.4.100.
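
A release-time check for the condition reported on this page, as an added example that is not JSPWiki's own code: it parses `keytool -list -v` output like the listing above and flags signing certificates that are expired or close to expiry. The function names, the 30-day warning window and English-locale keytool output are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the `keytool -list -v` entry quoted on this page,
# with the fingerprint lines left out.
SAMPLE = """\
Alias name: jspwiki
Entry type: keyEntry
Certificate[1]:
Owner: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
Valid from: Sun Dec 04 02:00:27 CET 2005 until: Sat Mar 04 02:00:27 CET 2006
"""

VALID = re.compile(r"Valid from: (.+?) until: (.+)")

def parse_date(text):
    # keytool prints e.g. "Sat Mar 04 02:00:27 CET 2006". strptime's %Z does not
    # reliably accept zone names like CET, so the zone is dropped and the result
    # is a naive datetime, accurate to within a day.
    _dow, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def check_listing(listing, now, warn_days=30):
    """Return (alias, not_after, self_signed, status) for each certificate."""
    results, field = [], {}
    for line in map(str.strip, listing.splitlines()):
        key, sep, value = line.partition(": ")
        if sep and key in ("Alias name", "Owner", "Issuer"):
            field[key] = value
        m = VALID.fullmatch(line)
        if not m:
            continue
        not_before, not_after = parse_date(m.group(1)), parse_date(m.group(2))
        if now < not_before:
            status = "not-yet-valid"
        elif now > not_after:
            status = "expired"
        elif now > not_after - timedelta(days=warn_days):
            status = "expiring-soon"
        else:
            status = "ok"
        self_signed = "Owner" in field and field["Owner"] == field.get("Issuer")
        results.append((field.get("Alias name"), not_after, self_signed, status))
    return results

if __name__ == "__main__":
    for row in check_listing(SAMPLE, datetime(2007, 3, 2)):
        print(row)
```

Run against the listing's own dates, the jspwiki entry reports as expired on the day of the 02-Mar-2007 comment; failing a release build on any status other than "ok" catches the problem before the signed jars ship.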