
java – x509 certificate auth with postman-Exceptionshub

Posted by: admin February 25, 2020

Questions:

I am trying to authenticate a user. I have generated x509 client and server certificates, set the properties following this example: https://dzone.com/articles/securing-rest-apis-with-client-certificates, and send the .crt and .pem files with Postman. In the Postman console it looks like this:

Client Certificate
    cert: {…}
        src: "C:\Users\Work\Project\app-gateway\src\main\resources\keystore5\cid.crt"
    id: "8b727c9c-db0a-406c-a4bd-a140dfd044ac"
    key: {…}
        src: "C:\Users\Work\Project\app-gateway\src\main\resources\keystore5\clientPrivateKey.pem"
    matches: [1]
        0: {…}
    passphrase: ""
    pfx: {…}
        src: ""

import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Slf4j
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityContext {

    // First chain: only requests under /api/integration/v1/zip/** are matched here,
    // and they must present a client certificate.
    @Configuration
    @Order(1)
    public static class X509SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/integration/v1/zip/**")
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .x509()
                    // The CN of the certificate subject becomes the username.
                    .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                    .userDetailsService(userDetailsService());
        }

        public UserDetailsService userDetailsService() {
            return username -> {
                if (username.equals("cid")) {
                    return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
                }
                // The UserDetailsService contract requires an exception for unknown users,
                // not a null return.
                throw new UsernameNotFoundException("Unknown certificate CN: " + username);
            };
        }
    }

    // Second chain (default order): SAML login for everything else.
    @Configuration
    public static class SAMLSecurityContext extends WebSecurityConfigurerAdapter { ... }
}

Please see log below:

2020-02-21 07:48:26.304 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer      : Received [POST /api/integration/v1/zip/upload?integrationId=m-cf0360046a22a4e1 HTTP/1.0
Host: myhost.com
X-Real-IP: 172.18.0.1
X-Forwarded-For: 172.18.0.1
Connection: close
Content-Length: 5951415
User-Agent: PostmanRuntime/7.22.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 42ae665a-6e69-46bd-8f48-f6971806b389
Content-Type: multipart/form-data; boundary=--------------------------544339150535283410991868
Accept-Encoding: gzip, deflate, br
Cookie: SESSION=YTg1ZGZjYzAtODY4MS00NTY3LWJmOTctODI4MzRlYjYyMDQy
----------------------------544339150535283410991868
Content-Disposition: form-data; name="file"; filename="1000.zip"
Content-Type: application/zip
PK ... (binary zip payload, truncated in the original log)
2020-02-21 07:48:26.322 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.a.t.util.http.Rfc6265CookieProcessor   : Cookies: Parsing b[]: SESSION=YTg1ZGZjYzAtODY4MS00NTY3LWJmOTctODI4MzRlYjYyMDQy
2020-02-21 07:48:26.322 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.a.c.authenticator.AuthenticatorBase    : Security checking request POST /api/integration/v1/zip/upload
2020-02-21 07:48:26.322 DEBUG [-,,,] 1 --- [nio-8080-exec-2] org.apache.catalina.realm.RealmBase      :   No applicable constraints defined
2020-02-21 07:48:26.322 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.a.c.authenticator.AuthenticatorBase    :  Not subject to any constraint
2020-02-21 07:48:26.322 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.apache.catalina.core.StandardWrapper   :   Returning non-STM instance
2020-02-21 07:48:26.324  INFO [-,,,] 1 --- [nio-8080-exec-2] o.s.c.n.zuul.web.ZuulHandlerMapping      : Root mapping to handler of type [class org.springframework.cloud.netflix.zuul.web.ZuulController]
2020-02-21 07:48:26.324 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.s.c.n.zuul.web.ZuulHandlerMapping      : Matching patterns for request [/api/integration/v1/zip/upload] are [/api/integration/**]
2020-02-21 07:48:26.325 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.s.c.n.zuul.web.ZuulHandlerMapping      : URI Template variables for request [/api/integration/v1/zip/upload] are {}
2020-02-21 07:48:26.325 DEBUG [-,,,] 1 --- [nio-8080-exec-2] o.s.c.n.zuul.web.ZuulHandlerMapping      : Mapping [/api/integration/v1/zip/upload] to HandlerExecutionChain with handler [[email protected]3b] and 1 interceptor
2020-02-21 07:48:26.326 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] org.apache.tomcat.util.http.Parameters   : Set encoding to UTF-8
2020-02-21 07:48:26.327 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] org.apache.tomcat.util.http.Parameters   : Decoding query null UTF-8
2020-02-21 07:48:26.328 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] org.apache.tomcat.util.http.Parameters   : Start processing with input [integrationId=m-cf0360046a22a4e1]
2020-02-21 07:48:26.330 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.a.tomcat.util.net.SocketWrapperBase    : Socket: [[email protected]:[email protected]:java.nio.channels.SocketChannel[connected local=/172.18.0.5:8080 remote=/172.18.0.11:54218]], Read from buffer: [0]
2020-02-21 07:48:26.331 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] org.apache.tomcat.util.net.NioEndpoint   : Socket: [[email protected]:[email protected]:java.nio.channels.SocketChannel[connected local=/172.18.0.5:8080 remote=/172.18.0.11:54218]], Read direct from socket: [8192]
2020-02-21 07:48:27.100 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2020-02-21 07:48:27.102 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2020-02-21 07:48:27.102 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepo[email protected]504324f9. A new one will be created.
2020-02-21 07:48:27.102 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /api/integration/v1/zip/upload?integrationId=m-cf0360046a22a4e1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-02-21 07:48:27.102 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /api/integration/v1/zip/upload?integrationId=m-cf0360046a22a4e1 at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2020-02-21 07:48:27.102 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://myhost.com/api/integration/v1/zip/upload?integrationId=m-cf0360046a22a4e1
2020-02-21 07:48:27.102 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]7bf51802
2020-02-21 07:48:27.102 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2020-02-21 07:48:27.103 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.d.redis.core.RedisConnectionUtils    : Opening RedisConnection
2020-02-21 07:48:27.103 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] io.lettuce.core.RedisChannelHandler      : dispatching command AsyncCommand [type=HMSET, output=StatusOutput [output=null, error='null'], commandType=io.lettuce.core.protocol.Command]
2020-02-21 07:48:29.043 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.d.redis.core.RedisConnectionUtils    : Closing Redis Connection
2020-02-21 07:48:29.044 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /error?integrationId=m-cf0360046a22a4e1 at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-02-21 07:48:29.044 DEBUG [-,3fb9ccff80040395,3fb9ccff80040395,true] 1 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : /error?integrationId=m-cf0360046a22a4e1 at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'

And I receive "status": 403, "error": "Forbidden". I do not see the processing of certificates; it seems that they do not pass at all. After ZuulHandlerMapping the request does not go further. What does it mean? How do I get and process the certificate?
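In the log above the 403 is raised by CsrfFilter ("Invalid CSRF token found") at position 4 of the filter chain, before any certificate filter runs, and the request arrives as HTTP/1.0 with X-Forwarded-For headers, i.e. through a proxy. The following is an added configuration example, not code from the question or from the linked article, showing a certificate-only chain for the integration endpoint: CSRF and sessions are switched off for that matcher alone, and unknown CNs are rejected by throwing; the CN allow-list and the role name are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.Set;

// Added example. Assumes TLS terminates on this Tomcat with server.ssl.client-auth=need
// and a truststore holding the client CA; a proxy that terminates TLS in front of the
// application strips the client certificate before X509AuthenticationFilter ever sees it.
@Configuration
@EnableWebSecurity
public class X509ApiSecurityConfig {
    // Allow-listed client certificate CNs (assumed; the question's certificate uses CN=cid).
    private static final Set<String> ALLOWED_CNS = Set.of("cid");

    @Configuration
    @Order(1)
    public static class IntegrationApiConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/integration/v1/zip/**")
                // Every request carries the certificate: no session to protect, no CSRF token.
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests().anyRequest().hasRole("INTEGRATION")
                .and()
                .x509()
                    .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                    .userDetailsService(certificateUserDetailsService());
        }

        public UserDetailsService certificateUserDetailsService() {
            // Throw instead of returning null: an unknown CN becomes an authentication failure.
            return cn -> {
                if (!ALLOWED_CNS.contains(cn)) {
                    throw new UsernameNotFoundException("unknown client certificate CN: " + cn);
                }
                return new User(cn, "", AuthorityUtils.createAuthorityList("ROLE_INTEGRATION"));
            };
        }
    }
}
```

Because this chain is limited to the /api/integration/v1/zip/** matcher, the SAML chain for the rest of the application keeps its CSRF protection and session handling unchanged.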

How to&Answers: