Demo request/wcs/wps pages incompatible with HTTPS/PKI
Activity
With https://osgeo-org.atlassian.net/browse/GEOS-11390#icft=GEOS-11390 replacing the WfsTestServlet for client-side JavaScript for GET and POST calls, the Demo Request page and related Builders can now be used successfully for this environment (example: self-signed certificate).
I think apache HttpClient is the same thing as commons-http client which I recommended above?
Yes, that is correct. I tried a solution using it but was never able to get it fully functional.
We could also use the same approach as the test cases, and use a mock object to issue the demo request straight to the dispatcher...
This seems to be a viable solution, although I wonder if it might have some hidden implications. The biggest issue I have run into using a similar method is that this approach tends to skip through some of GeoServer's monitoring and execution limits. Given that the Demos page defaults to publicly accessible, this could open up a DoS vulnerability.
I think apache HttpClient is the same thing as commons-http client which I recommended above?
We could also use the same approach as the test cases, and use a mock object to issue the demo request straight to the dispatcher...
I have taken a look at this, and while I have been unable to fix the issue, I do have some further insight into the problem and potential solutions:
Steps to reproduce:
1. Follow the instructions for configuring X.509 Certificate Authentication (PKI Authentication)
2. Run any request from the GeoServer Demo Requests page. You will get the error javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate.
Cause:
All of the requests on the Demo Request page send a request to the TestWfsPost servlet, which builds the correct request and uses an HttpUrlRequest to execute it. The response is then returned to the user as the response to the original request.
When PKI is enabled, the generated request does not contain the client certificate, and is rejected by the server. A similar error can also occur if you or the server is using a self-signed certificate.
Potential Solution:
Apache HttpClient allows a more customizable framework than the current HttpUrlConnection framework, and can support self-signed certificates through use of a custom TrustManager. This should probably be used instead of HttpsUrlConnection.
In addition, a valid client certificate needs to be installed into GeoServer to be used by TestWfsServlet for authentication. This should only be used if PKI is enabled. TestWfsServlet will need to be modified to send this certificate with any PKI-enabled https requests.
One other note - there seem to be a number of other authentication methods that can be used by GeoServer. The Demo Request page should probably be tested with these methods.
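The two requirements described in the comment above (present a client certificate, and accept a specific self-signed server certificate) can be met with an explicit SSLContext. This is an added example, not GeoServer code or the commenter's patch; it uses the JDK's HttpsURLConnection rather than Apache HttpClient, and the store file names, the DEMO_STORE_PASSWORD variable and the class name are hypothetical.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PkiDemoRequest {

    // Load a PKCS#12 store from disk (file names are placeholders).
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Context that presents the client certificate from clientStore and trusts
    // only the certificates in trustStore (for example the server's self-signed
    // certificate), instead of disabling validation with a trust-all TrustManager.
    static SSLContext mutualTls(KeyStore clientStore, char[] keyPassword,
                                KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical environment variable holding the store password.
        char[] pw = System.getenv("DEMO_STORE_PASSWORD").toCharArray();
        SSLContext ctx = mutualTls(load(Path.of("client.p12"), pw), pw,
                                   load(Path.of("server-trust.p12"), pw));
        URL u = new URL(args[0]); // target HTTPS URL of the PKI-protected service
        HttpsURLConnection con = (HttpsURLConnection) u.openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory()); // this connection only, not JVM-wide
        con.setAllowUserInteraction(false);
        System.out.println("HTTP " + con.getResponseCode());
    }
}
```

Setting the socket factory per connection keeps the client key and the extra trust anchor scoped to this request path instead of changing the JVM default for every outbound HTTPS call.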
Reading TestWfsPost is set as non-interactive (so has no ability to accept a self-signed localhost certificate).
Consider switching to commons-http client for this class in order to have greater control over what we accept.
It specifically has allowance to handle "Ability to accept self-signed or untrusted SSL certificates.".
Just what it says on the tin, when issuing an HTTPS (while using X.509 Certificate Authentication) request from:
WCS Builder
WPS Builder
Demo Request - all requests fail (not just WCS and WPS)
The following certification error is produced and displayed (for example in the "wps result window"):
<servlet-exception> javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate </servlet-exception>
I expect this is a limitation of TestWfsPost servlet:
URL u = new URL(urlString);
java.net.HttpURLConnection acon = (java.net.HttpURLConnection) u.openConnection();
acon.setAllowUserInteraction(false);
With setAllowUserInteraction(false), Java has no ability to prompt the user and accept the self-signed certificate, failing and producing the exception.