David.Turing's blog

           

          Yale CAS Exception Summary (2): Unable to validate ProxyTicketValidator, caused by "unable to find valid certification path to requested target"

          edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://sourcesite:8443/cas/proxyValidate] ticket=[ST-0-UMjsI0YOhF15RhutnkHW] service=[http%3A%2F%2Fdestsite%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
              at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
              at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
              at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
              at filters.ExampleFilter.doFilter(ExampleFilter.java:101)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
              at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
              at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
              at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
              at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
              at java.lang.Thread.run(Thread.java:595)
          Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
              at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
              at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:843)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
              at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
              at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
              at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
              at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:905)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
              at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
              at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
              at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
              ... 20 more
          Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
              at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
              at sun.security.validator.Validator.validate(Validator.java:203)
              at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
              at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:836)
              ... 33 more
          Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
              at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
              ... 38 more

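          The cause: during the SSL handshake, the CAS client cannot recognize the CAS server's certificate (X). In other words, it cannot build a trust path from a trusted certificate in cacerts to X;
          readers can consult the specification called PKIX. The fix is to check the truststore path that Tomcat uses, normally the jre/lib/security/cacerts file, and see whether
          the required trusted certificate has already been imported.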

          posted on 2006-09-06 09:08 david.turing  Views (11345)  Comments (5)  Category: Security exception issues
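
A diagnostic for the check described above, as an added example (not code from the original post or from the CAS client): it resolves the truststore the JVM uses by default, counts its entry types, and runs the same PKIX path building against a certificate file passed as the first argument. The class name `TrustPathCheck` and the certificate-file argument are assumptions; it needs Java 7 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

public class TrustPathCheck {   // hypothetical class name
    // Resolve the truststore the way JSSE does by default:
    // -Djavax.net.ssl.trustStore, else jssecacerts, else cacerts.
    static File effectiveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) return new File(explicit);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        File store = effectiveTrustStore();
        KeyStore ks = KeyStore.getInstance(System.getProperty(
                "javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, null);  // null password: entries are read, integrity is not checked
        }
        int trusted = 0, other = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) trusted++; else other++;
        }
        System.out.println("truststore=" + store
                + " trustedCertEntry=" + trusted + " otherEntries=" + other);
        if (args.length == 0) return;

        X509Certificate target;  // the CAS server certificate exported to a file (PEM or DER)
        try (InputStream in = new FileInputStream(args[0])) {
            target = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        try {
            // Only trustedCertEntry items become trust anchors; key entries are ignored.
            PKIXBuilderParameters params = new PKIXBuilderParameters(ks, selector);
            params.setRevocationEnabled(false);
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(target))));
            CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: trust path found for " + target.getSubjectX500Principal());
        } catch (GeneralSecurityException e) {
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM and the same `-Djavax.net.ssl.*` options as the Tomcat instance hosting the CAS client; otherwise it inspects a different truststore than the one the handshake uses.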

          Comments

          # re: Yale CAS Exception Summary (2): Unable to validate ProxyTicketValidator, caused by "unable to find valid certification path to requested target" 2007-02-08 15:54 oldman

          keytool -list -v -keystore D:\jdk1.5.0_06\.keystore

          I imported the certificate, so why is there still an error!

          Keystore type: jks
          Keystore provider: SUN

          Your keystore contains 1 entry

          Alias name: tomcat
          Creation date: Feb 8, 2007
          Entry type: keyEntry
          Certificate chain length: 1
          Certificate[1]:
          Owner: CN=localhost, OU=onepoint, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
          Issuer: CN=localhost, OU=onepoint, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
          Serial number: 45cad5a6
          Valid from: Thu Feb 08 15:47:50 CST 2007 until: Wed May 09 15:47:50 CST 2007
          Certificate fingerprints:
          MD5: EF:89:D1:5E:0E:59:AC:FB:1A:7C:08:1E:C0:2A:3D:B5
          SHA1: 32:59:93:24:06:A9:23:E4:C6:6E:94:D9:09:CA:B6:0A:AC:C2:C9:45



          # re: Yale CAS Exception Summary (2): Unable to validate ProxyTicketValidator, caused by "unable to find valid certification path to requested target" [not logged in] 2007-02-08 20:10 david.turing

          This is a trustcert entry but you need to import it into %JAVA_HOME%\jre\lib\security\cacerts where your CAS can't locate it. Make sure you do that, and the password for cacerts has a lot of un-useful trustcert, remove all of them and import your "tomcat" entry into cacerts (through SecureRCP)

          # re: Yale CAS Exception Summary (2): Unable to validate ProxyTicketValidator, caused by "unable to find valid certification path to requested target" 2007-06-13 11:02 yongyuan.jiang

          good~

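          # re: Yale CAS Exception Summary (2): Unable to validate ProxyTicketValidator, caused by "unable to find valid certification path to requested target" 2010-06-26 17:19 zhaoyanh

          @yongyuan.jiang
          Lessons learned: you need to copy the CAS server's certificate file, not the CRT file but the data file generated with KEYTOOL, to the application server, and use keytool -import to import it into the certificate file (cacerts) that you generated yourself on the application server. The -list command then shows 2 entries, one your own and one for the CAS server. Copy this file into the JVM environment and it works.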

          # re: Yale CAS Exception Summary (2): Unable to validate ProxyTicketValidator, caused by "unable to find valid certification path to requested target" [not logged in] 2010-06-30 15:22 墮落佛

          @oldman

          Check whether you have explicitly declared the trustStore location; if so, check whether that location is correct.
