scala-tls-example needClientAuth flag not considered

Open christianri opened this issue 4 years ago • 1 comments

It seems that the current version of the sample does not consider the client certificate based authentication option set with play.ssl.needClientAuth=true.

Steps to reproduce:

  1. Git clone of the samples, change to the sample play-scala-tls-example
  2. Certificates have not been re-generated due to script errors, using the one from git
  3. Point example.com to localhost as described in the README
  4. Un-comment the line in ./play: JVM_OPTIONS="$JVM_OPTIONS -Dplay.ssl.needClientAuth=true"
  5. Adjust the javaagent line to avoid errors: from export SBT_OPTS="$SBT_OPTS -J-javaagent:$AGENT" to export SBT_OPTS="$SBT_OPTS -javaagent:$AGENT"
  6. Run ./play run

Expected outcome: Opening the page https://example.com:9443/ should prompt for a certificate.

Actual outcome: The page https://example.com:9443/ opens without prompting for a client certificate. The console shows the following log output (folder names redacted):

Detected ALPN Agent: /.../play-samples/play-scala-tls-example/target/universal/stage/jetty-alpn-agent/jetty-alpn-agent-2.0.10.jar 
[jetty-alpn-agent][ warn] Could not find a matching alpn-boot jar for Java version: 11.0.14
[jetty-alpn-agent][ warn] Could not find a matching alpn-boot jar for Java version: 11.0.14
[info] welcome to sbt 1.3.13 (Eclipse Adoptium Java 11.0.14)
[info] loading global plugins from /.../.sbt/1.0/plugins
[info] loading settings for project play-scala-tls-example-build from plugins.sbt ...
[info] loading project definition from /.../play-samples/play-scala-tls-example/project
[info] loading settings for project root from build.sbt ...
[info]   __              __
[info]   \ \     ____   / /____ _ __  __
[info]    \ \   / __ \ / // __ `// / / /
[info]    / /  / /_/ // // /_/ // /_/ /
[info]   /_/  / .___//_/ \__,_/ \__, /
[info]       /_/               /____/
[info] 
[info] Version 2.8.13 running Java 11.0.14
[info] 
[info] Play is run entirely by the community. If you want to keep using it please consider donating:
[info] https://www.playframework.com/sponsors
[info] 

--- (Running the application, auto-reloading is enabled) ---

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/.../Library/Caches/Coursier/v1/https/repo1.maven.org/maven2/com/google/inject/guice/4.2.3/guice-4.2.3.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[info] p.a.h.EnabledFilters - Enabled Filters (see <https://www.playframework.com/documentation/latest/Filters>):

    play.filters.csrf.CSRFFilter
    play.filters.headers.SecurityHeadersFilter
    play.filters.hosts.AllowedHostsFilter

[info] play.api.Play - Application started (Dev) (no global state)
[info] p.c.s.AkkaHttpServer - Enabling HTTP/2 on Akka HTTP server...
[info] p.c.s.AkkaHttpServer - Listening for HTTPS on /0:0:0:0:0:0:0:0:9443

(Server started, use Enter to stop and go back to the console...)

[debug] h.SniKeyManager - chooseEngineServerAlias: using selected sniHostname example.com as server alias

Environment:

  • Java java: 11.0.14-tem installed via sdkman (tried with 8.0.322 too)
  • OSX 12.2.1

christianri avatar Mar 02 '22 11:03 christianri
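
An added example, not part of the issue or of the play-samples code: a browser-independent way to check the expected outcome above, by connecting with no client certificate and classifying how the server reacts. Host and port are the ones from the issue; the function names and verdict strings are assumptions of this example.

```python
import socket
import ssl

# Alert names as they appear in OpenSSL error text when a server refuses a
# client that presented no certificate. certificate_required is TLS 1.3 only;
# bad_certificate and handshake_failure can also have other causes.
CLIENT_AUTH_ALERTS = ("CERTIFICATE_REQUIRED", "BAD_CERTIFICATE", "HANDSHAKE_FAILURE")


def classify(error=None, response=b""):
    """Map the outcome of a certificate-less connection to a verdict."""
    if error is None:
        # Application data came back: the TLS layer let us in without a cert.
        return "NOT_ENFORCED" if response else "INCONCLUSIVE"
    if isinstance(error, ssl.SSLError):
        text = str(error).upper()
        if any(alert in text for alert in CLIENT_AUTH_ALERTS):
            return "REJECTED"
    return "INCONCLUSIVE"  # refused connection, timeout, unrelated TLS error


def probe(host, port, server_name=None, timeout=5.0):
    """Connect WITHOUT a client certificate and report what the server did."""
    ctx = ssl.create_default_context()
    # The server's own certificate is not what is being tested (the sample
    # uses a private CA), so skip its validation; nothing sensitive is sent.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    name = server_name or host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                # In TLS 1.3 the refusal alert arrives only after the client
                # side of the handshake has finished, so do a round trip.
                req = f"GET / HTTP/1.1\r\nHost: {name}:{port}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode("ascii"))
                return classify(response=tls.recv(1024))
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(error=exc)


if __name__ == "__main__":
    # Host and port from the issue; example.com must resolve to localhost.
    print(probe("example.com", 9443))
```

With needClientAuth honoured the probe should report REJECTED; the behaviour described in the issue corresponds to NOT_ENFORCED.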

Thanks, there is #132 which is a bit related, so I am linking this issue there to take it into account.

mkurz avatar Mar 03 '22 18:03 mkurz