0

We have a rest API written in SpringBoot using a 2-way ssl Auth. We would like to send 401 HTTP status code when the user selects the wrong/expired client certificate.

When it happens I can see the exception:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The API starts normally and works fine. The exception occurs whenever the user tries to call my api selecting a wrong client certificate or invalid. In this case I would like to return 401 to the caller

Spring boot is configured with Tomcat and @EnableWebSecurity

http.x509().subjectPrincipalRegex("XXXXXX").userDetailsService(this.userDetailsService);
((RequiresChannelUrl)http.requiresChannel().anyRequest()).requiresSecure();

urls().forEach((url, guard) -> {
   try {
      ((AuthorizedUrl)http.authorizeRequests().antMatchers(new String[]{url})).access(guard);
    } catch (Exception var4) {
        throw new UnsupportedOperationException("error");
    }
});

Here the stack trace:

DirectJDKLog.java:175 [] Handshake failed during wrap
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
....
....
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

The browser shows: ERR_BAD_SSL_CLIENT_AUTH_CERT Is it possible to catch this exception in SpringBoot and send a specific HTTP status code?

Fabry
  • 1,498
  • 4
  • 23
  • 47
  • Without knowning what you are using for 2-way SSL (tomcat or Spring Security or ... ) this is impossible to answer. – M. Deinum Dec 16 '20 at 08:21
  • I'll add more info – Fabry Dec 16 '20 at 10:19
  • When do you get this exception? During startup? During authentication? Also your `urls.forEach` is a bit dangerous as the ordering of the URLs is pretty important. – M. Deinum Dec 16 '20 at 10:32
  • As I wrote I get the exception when the client select the wrong certificate or invalid, it means that the client is trying to contact my Api. I will specify this as well. Thanks for your comment about the foreach. I'll have a look – Fabry Dec 16 '20 at 10:48
  • The exception will be handled by the entrypoint and/or the `ExceptionTranslationFilter`. I would expect this only to show up in the logging. – M. Deinum Dec 16 '20 at 11:24
  • I've added my stack trace – Fabry Dec 16 '20 at 12:32
  • We don't need the stacktrace. As mentioned that should only occur in the logging, this should not propagate to the caller. The caller should get only a 401. It also appears to be logging due to debug config of SSL or something. – M. Deinum Dec 16 '20 at 12:37
  • yes agree the caller should get 401 and this is what I am trying to have but is not working, the caller do not get 401 and the error propagates, The browser shows: ERR_BAD_SSL_CLIENT_AUTH_CERT This thread is how can I stop the propagation or how I can intercept the error in order to force 401 status code – Fabry Dec 16 '20 at 12:45
  • Can we reopen this please? – Fabry Dec 16 '20 at 14:51
  • The question has been answered here: https://stackoverflow.com/questions/65326068/intercept-sslhandshakeexception-in-spring-boot/65326277#65326277 – Fabry Dec 28 '20 at 20:57

2 Answers2

2

Maybe you can try a controller advice:

@ControllerAdvice
class MyControllerExceptionHandler {

    @ResponseStatus(HttpStatus.UNAUTHORIZED)  // or whatever you want
    @ExceptionHandler(SSLHandshakeException.class)
    public void handleHandshakeException() {
        // Nothing to do
    }
}
pedrohreis
  • 1,030
  • 2
  • 14
  • 33
0

Maybe the solution posted here or here can help you

In your security configuration you add this lines:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.
      //....
     and().
    .anonymous().disable()
    .exceptionHandling()
    .authenticationEntryPoint(new org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint("YourValue"));
}

and it will return HTTP 401:

Status Code: 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
//... other header values
WWW-Authenticate: YourValue
Jeferson Macedo
  • 695
  • 7
  • 11