Saturday, June 6, 2015

Certificate chain received from graph.facebook.com - failed hostname verification check. Certificate contained *.facebook.com but check expected graph.facebook.com

How to avoid the following WebLogic error when implementing "authentication and authorization via facebook":

<2015-05-17 20:59:29 CEST> <Warning> <Security> <BEA-090504> <Certificate chain received from graph.facebook.com - 31.13.93.3 failed hostname verification check. Certificate contained *.facebook.com but check expected graph.facebook.com>

javax.net.ssl.SSLKeyException: Hostname verification failed: HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier, hostname=graph.facebook.com.
    at weblogic.security.SSL.jsseadapter.JaSSLEngine.doPostHandshake(JaSSLEngine.java:677)
    at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:748)
    at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
    at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:603)
    at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:507)
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:96)
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75)
    at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219)
    at weblogic.net.http.HttpsClient.New(HttpsClient.java:563)
    at weblogic.net.http.HttpsClient.New(HttpsClient.java:534)
    at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:248)
    at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:636)
    at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
    at java.net.URL.openStream(URL.java:1037)
    at pl.windroos.shiro.FacebookRealm.readURL(FacebookRealm.java:84)
    at pl.windroos.shiro.FacebookRealm.doGetAuthenticationInfo(FacebookRealm.java:58)
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at pl.windroos.shiro.FacebookLoginServlet.doGet(FacebookLoginServlet.java:53)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:588)
    at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:273)
    at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:546)
    at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
    at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
    at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
    at oracle.adfinternal.view.faces.config.rich.RecordRequestAttributesDuringDispatch.dispatch(RecordRequestAttributesDuringDispatch.java:44)
    at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
    at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93)
    at org.apache.myfaces.trinidadinternal.context.FacesContextFactoryImpl$OverrideDispatch.dispatch(FacesContextFactoryImpl.java:167)
    at com.sun.faces.application.view.JspViewHandlingStrategy.executePageToBuildView(JspViewHandlingStrategy.java:364)
    at com.sun.faces.application.view.JspViewHandlingStrategy.buildView(JspViewHandlingStrategy.java:154)
    at org.apache.myfaces.trinidad.view.ViewDeclarationLanguageWrapper.buildView(ViewDeclarationLanguageWrapper.java:94)
    at org.apache.myfaces.trinidad.view.ViewDeclarationLanguageWrapper.buildView(ViewDeclarationLanguageWrapper.java:94)
    at org.apache.myfaces.trinidadinternal.application.ViewDeclarationLanguageFactoryImpl$ChangeApplyingVDLWrapper.buildView(ViewDeclarationLanguageFactoryImpl.java:322)
    at oracle.adfinternal.view.faces.lifecycle.ResponseRenderManager._processViewDefinitionLanguage(ResponseRenderManager.java:105)
    at oracle.adfinternal.view.faces.lifecycle.ResponseRenderManager.runRenderView(ResponseRenderManager.java:41)
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._renderResponse(LifecycleImpl.java:1095)
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:389)
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:255)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:192)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:105)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:502)
    at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:502)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:327)
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:229)
    at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
    at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:137)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:120)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:217)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:81)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:220)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3436)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3402)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
    at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2285)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2201)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1572)
    at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:255)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)

The best solution is to use the wildcard host name verifier: the default verifier expects the certificate name to equal graph.facebook.com exactly, while the wildcard verifier also accepts a certificate issued for *.facebook.com, so verification stays switched on.
  1. In the left pane of the Console, expand Environment and select Servers.
  2. Click the name of the server whose host name verification you want to change.
  3. Select Configuration > SSL, and click Advanced at the bottom of the page.
  4. Set the Hostname Verification field to Custom Hostname Verifier.
  5. Set the Custom Hostname Verifier to
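The whole point of the wildcard verifier is to accept *.facebook.com for graph.facebook.com without accepting it for anything else. The class below is an added example written for this post, not WebLogic's own verifier and not the FacebookRealm code from the trace: it implements the JDK's javax.net.ssl.HostnameVerifier and applies the single-leftmost-label wildcard rule of RFC 6125 section 6.4.3, so the bare facebook.com, a two-label prefix such as api.graph.facebook.com, and patterns like *.com are all refused. Hooking it into WebLogic through the Custom Hostname Verifier field would require the server's own verifier interface, which is assumed here and not shown; the sample host names in main are constructed.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example (not WebLogic code): a verifier that honours a wildcard only as the
// whole leftmost label of a dNSName SAN entry. It targets the JDK interface so it
// compiles against the JDK alone; the WebLogic-specific interface is assumed, not shown.
public final class WildcardHostnameVerifier implements javax.net.ssl.HostnameVerifier {

    private static final int DNS_NAME = 2; // GeneralName tag for dNSName in a SAN list

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            for (String san : dnsNames((X509Certificate) chain[0])) {
                if (matches(hostname, san)) {
                    return true;
                }
            }
            return false;
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed: a peer we cannot examine is never accepted
        }
    }

    // Collects the dNSName entries of the leaf certificate's subjectAltName extension.
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                if (entry.size() >= 2 && Integer.valueOf(DNS_NAME).equals(entry.get(0))) {
                    names.add(String.valueOf(entry.get(1)));
                }
            }
        }
        return names;
    }

    // Matches one hostname against one certificate name. A wildcard is honoured only as
    // the entire leftmost label, only against exactly one non-empty label, and only when
    // at least two real labels follow it, so "*.com" and "*" match nothing at all.
    static boolean matches(String hostname, String certName) {
        String host = stripDot(hostname.toLowerCase(Locale.ROOT));
        String pattern = stripDot(certName.toLowerCase(Locale.ROOT));
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern); // no wildcard: exact, case-insensitive match
        }
        String[] labels = pattern.substring(2).split("\\.", -1); // labels after "*."
        if (labels.length < 2) {
            return false;
        }
        for (String label : labels) {
            if (label.isEmpty() || label.indexOf('*') >= 0) {
                return false; // empty label or a second wildcard: refuse the pattern
            }
        }
        String suffix = pattern.substring(1); // ".facebook.com"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String leftmost = host.substring(0, host.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0; // "graph" yes; "a.b" or "" no
    }

    private static String stripDot(String name) {
        return name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
    }

    // Stand-alone demonstration on constructed names; no TLS session is needed.
    public static void main(String[] args) {
        String[][] cases = {
            {"graph.facebook.com", "*.facebook.com"},        // true: the case from the log above
            {"facebook.com", "*.facebook.com"},              // false: wildcard must cover one label
            {"api.graph.facebook.com", "*.facebook.com"},    // false: wildcard would span two labels
            {"graph.facebook.com", "*.com"},                 // false: wildcard directly under a TLD
            {"GRAPH.Facebook.COM", "graph.facebook.com"},    // true: exact match is case-insensitive
            {"graph.facebook.com.example", "*.facebook.com"} // false: suffix must match as a whole
        };
        for (String[] c : cases) {
            System.out.printf("%-32s vs %-20s -> %b%n", c[0], c[1], matches(c[0], c[1]));
        }
    }
}
```

Compile and run it with `javac WildcardHostnameVerifier.java && java WildcardHostnameVerifier`; only the first and fifth cases print true. The verifier reads the dNSName entries of the subjectAltName extension rather than the subject CN, and every failure path returns false, which is the behaviour to preserve if you adapt it to WebLogic's verifier interface.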

A less recommended but more general solution is to disable host name verification entirely; this removes the check that ties the presented certificate to the host you intended to reach, so it should stay out of production. To do this, go to the WebLogic console and:
  1. In the left pane of the Console, expand Environment and select Servers.
  2. Click the name of the server for which you want to disable host name verification.
  3. Select Configuration > SSL, and click Advanced at the bottom of the page.
  4. Set the Hostname Verification field to None.

You can also disable hostname verification on the command line of an SSL client by passing the following argument: -Dweblogic.security.SSL.ignoreHostnameVerification=true

1 comment:

  1. Nice article.

    But disabling hostname verification is not recommended as it will introduce security issues. I am trying to identify a better option without disabling hostname verification, but so far I did not find any solution that works in 12c.