<2015-05-17 20:59:29 CEST> <Warning> <Security> <BEA-090504> <Certificate chain received from graph.facebook.com - 31.13.93.3 failed hostname verification check. Certificate contained *.facebook.com but check expected graph.facebook.com> javax.net.ssl.SSLKeyException: Hostname verification failed: HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier, hostname=graph.facebook.com. at weblogic.security.SSL.jsseadapter.JaSSLEngine.doPostHandshake(JaSSLEngine.java:677) at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:748) at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132) at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:603) at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:507) at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:96) at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75) at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219) at weblogic.net.http.HttpsClient.New(HttpsClient.java:563) at weblogic.net.http.HttpsClient.New(HttpsClient.java:534) at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:248) at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:636) at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37) at java.net.URL.openStream(URL.java:1037) at pl.windroos.shiro.FacebookRealm.readURL(FacebookRealm.java:84) at pl.windroos.shiro.FacebookRealm.doGetAuthenticationInfo(FacebookRealm.java:58) at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568) at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) at 
org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270) at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) at pl.windroos.shiro.FacebookLoginServlet.doGet(FacebookLoginServlet.java:53) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at javax.servlet.http.HttpServlet.service(HttpServlet.java:844) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:588) at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:273) at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:546) at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93) at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93) at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93) at oracle.adfinternal.view.faces.config.rich.RecordRequestAttributesDuringDispatch.dispatch(RecordRequestAttributesDuringDispatch.java:44) at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93) at 
javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93) at org.apache.myfaces.trinidadinternal.context.FacesContextFactoryImpl$OverrideDispatch.dispatch(FacesContextFactoryImpl.java:167) at com.sun.faces.application.view.JspViewHandlingStrategy.executePageToBuildView(JspViewHandlingStrategy.java:364) at com.sun.faces.application.view.JspViewHandlingStrategy.buildView(JspViewHandlingStrategy.java:154) at org.apache.myfaces.trinidad.view.ViewDeclarationLanguageWrapper.buildView(ViewDeclarationLanguageWrapper.java:94) at org.apache.myfaces.trinidad.view.ViewDeclarationLanguageWrapper.buildView(ViewDeclarationLanguageWrapper.java:94) at org.apache.myfaces.trinidadinternal.application.ViewDeclarationLanguageFactoryImpl$ChangeApplyingVDLWrapper.buildView(ViewDeclarationLanguageFactoryImpl.java:322) at oracle.adfinternal.view.faces.lifecycle.ResponseRenderManager._processViewDefinitionLanguage(ResponseRenderManager.java:105) at oracle.adfinternal.view.faces.lifecycle.ResponseRenderManager.runRenderView(ResponseRenderManager.java:41) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._renderResponse(LifecycleImpl.java:1095) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:389) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:255) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at 
oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:192) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:105) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:502) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:502) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:327) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:229) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) at 
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:137) at java.security.AccessController.doPrivileged(Native Method) at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315) at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460) at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:120) at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:217) at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:81) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:220) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3436) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3402) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57) at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2285) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2201) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1572) at 
weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:255) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311) at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)
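The best solution is to use the Wildcarded Host Name Verifier. It accepts a wildcard certificate such as *.facebook.com for graph.facebook.com while still checking that the certificate matches the host being contacted.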
- In the left pane of the Console, expand Environment and select Servers.
- Click the name of the server whose host name verifier you want to change.
- Select Configuration > SSL , and click Advanced at the bottom of the page.
- Set the Hostname Verification field to Custom Hostname Verifier.
- Set the Custom Hostname Verifier to weblogic.security.utils.SSLWLSWildcardHostnameVerifier
- Alternatively, to disable host name verification entirely: in the left pane of the Console, expand Environment and select Servers.
- Click the name of the server for which you want to disable host name verification.
- Select Configuration > SSL , and click Advanced at the bottom of the page.
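- Set the Hostname Verification field to None. With this setting the server accepts any certificate that chains to a trusted CA, regardless of the host name it was issued for, so its outbound SSL connections no longer detect a peer presenting a valid certificate for a different host. Prefer the wildcard verifier and keep None for test environments.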
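The same effect can be achieved with a JVM argument at server startup; it also turns host name verification off, so the same caveat applies:
-Dweblogic.security.SSL.ignoreHostnameVerification=true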
Nice article.
But disabling hostname verification is not recommended, as it will introduce security issues. I am trying to identify a better option that does not disable hostname verification, but so far I have not found any solution that works in 12c.