[ https://issues.apache.org/jira/browse/GRIFFIN-207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16659926#comment-16659926 ]

ASF GitHub Bot commented on GRIFFIN-207:
----------------------------------------

Github user whhe commented on a diff in the pull request:

    https://github.com/apache/incubator-griffin/pull/441#discussion_r227194519
  
    --- Diff: service/src/main/java/org/apache/griffin/core/login/ldap/SelfSignedSocketFactory.java ---
    @@ -0,0 +1,100 @@
    +/*
    +Licensed to the Apache Software Foundation (ASF) under one
    +or more contributor license agreements.  See the NOTICE file
    +distributed with this work for additional information
    +regarding copyright ownership.  The ASF licenses this file
    +to you under the Apache License, Version 2.0 (the
    +"License"); you may not use this file except in compliance
    +with the License.  You may obtain a copy of the License at
    +
    +  http://www.apache.org/licenses/LICENSE-2.0
    +
    +Unless required by applicable law or agreed to in writing,
    +software distributed under the License is distributed on an
    +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    +KIND, either express or implied.  See the License for the
    +specific language governing permissions and limitations
    +under the License.
    +*/
    +
    +package org.apache.griffin.core.login.ldap;
    +
    +import javax.net.SocketFactory;
    +import javax.net.ssl.SSLContext;
    +import javax.net.ssl.SSLSocketFactory;
    +import javax.net.ssl.TrustManager;
    +import javax.net.ssl.X509TrustManager;
    +import java.io.IOException;
    +import java.net.InetAddress;
    +import java.net.Socket;
    +import java.net.UnknownHostException;
    +import java.security.cert.CertificateException;
    +import java.security.cert.X509Certificate;
    +
    +/**
    + * SocketFactory ignoring insecure (self-signed, expired) certificates.
    + *
    + * Maintains internal {@code SSLSocketFactory} configured with {@code 
NoopTrustManager}.
    + * All SocketFactory methods are proxied to internal SSLSocketFactory 
instance.
    + * Accepts all client and server certificates, from any issuers.
    + */
    +public class SelfSignedSocketFactory extends SocketFactory {
    +    private SSLSocketFactory sf;
    +
    +    private SelfSignedSocketFactory() throws Exception {
    +        SSLContext ctx = SSLContext.getInstance("TLS");
    +        ctx.init(null, new TrustManager[]{new NoopTrustManager()}, null);
    +        sf = ctx.getSocketFactory();
    +    }
    +
    +    /**
    +     * Part of SocketFactory contract, used by javax.net internals to 
create new instance.
    +     */
    +    public static SocketFactory getDefault() {
    +        try {
    +            return new SelfSignedSocketFactory();
    +        } catch (Exception e) {
    +            throw new RuntimeException(e);
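Review bot: the ctx.init(null, new TrustManager[]{new NoopTrustManager()}, null) call in the constructor turns off certificate validation for every LDAP connection made through this factory, and the class Javadoc confirms it ("Accepts all client and server certificates, from any issuers"), so despite the name this is not support for one self-signed server certificate but a trust-all mode: anyone on the network path can present their own certificate, terminate the TLS connection and read the bind credentials. Suggest building the SSLContext from a TrustManagerFactory initialised with a KeyStore that holds the LDAP server's certificate (or the private CA that issued it), so only that certificate is accepted, and, if a trust-all mode is wanted for development at all, keeping it behind an explicit configuration option that defaults to off and logs a warning when enabled. The Javadoc ("ignoring insecure (self-signed, expired) certificates") should then say exactly what the factory accepts.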
    --- End diff --
    
    It is not recommended to throw RuntimeException directly in Griffin; maybe you can use ServiceException from the GriffinException class instead.


> LDAP auth is not supporting group filters and non-CN login names
> ----------------------------------------------------------------
>
>                 Key: GRIFFIN-207
>                 URL: https://issues.apache.org/jira/browse/GRIFFIN-207
>             Project: Griffin (Incubating)
>          Issue Type: Bug
>            Reporter: Nikolay Sokolov
>            Assignee: Nikolay Sokolov
>            Priority: Major
>
> Currently LDAP auth performs a bind to the principal with name 
> "${username}${ldap.email}", and searches through user objects with 
> ldap.searchPattern. The result of the search is then only used to retrieve the 
> fullName of the user.
> There are two problems here:
>  * the login username cannot be different from the CN, as it is used to perform 
> the LDAP bind
>  * it is not possible to restrict access to specific groups
> The typical approach used in other software products is to use a separate bind 
> account, which searches through LDAP objects using the search pattern, and 
> then uses the found object's DN to perform the password check.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
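A search-then-bind flow of the kind the issue description proposes, as an added example in Java; this is not Griffin's code and not the implementation in the pull request. It assumes an LDAP server reachable at a configured ldaps:// URL, a read-only service account used only for the search, a user search pattern that uses JNDI's {0} filter-argument placeholder, and an optional group entry whose member or uniqueMember attribute lists user DNs. The class name, constructor parameters and the example values in the comments are all assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind LDAP authentication with an optional group restriction.
 * Added example; not part of Griffin. All configuration values are assumptions.
 */
public final class SearchThenBindAuthenticator {
    private final String url;               // assumed, e.g. "ldaps://ldap.example.org:636"
    private final String serviceDn;         // read-only account used only for the search
    private final String servicePassword;
    private final String userBaseDn;        // assumed, e.g. "ou=people,dc=example,dc=org"
    private final String userSearchPattern; // assumed, e.g. "(&(objectClass=person)(uid={0}))"
    private final String requiredGroupDn;   // assumed, e.g. "cn=griffin,ou=groups,dc=example,dc=org"; null = no check

    public SearchThenBindAuthenticator(String url, String serviceDn, String servicePassword,
            String userBaseDn, String userSearchPattern, String requiredGroupDn) {
        this.url = url;
        this.serviceDn = serviceDn;
        this.servicePassword = servicePassword;
        this.userBaseDn = userBaseDn;
        this.userSearchPattern = userSearchPattern;
        this.requiredGroupDn = requiredGroupDn;
    }

    /** Simple bind as the given principal; throws AuthenticationException on bad credentials. */
    private DirContext bind(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    /**
     * Returns the user's DN when the login name resolves to exactly one entry,
     * that entry is in the required group, and the password binds; otherwise null.
     * Connection or server errors propagate as NamingException and are never
     * reported as a wrong password.
     */
    public String authenticate(String username, String password) throws NamingException {
        // An empty password makes a simple bind "unauthenticated" (RFC 4513 section 5.1.2),
        // which many servers accept, so it must be rejected before any bind is attempted.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        String userDn = null;
        DirContext ctx = bind(serviceDn, servicePassword);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            // The login name is passed as a filter argument: JNDI escapes it (RFC 4515),
            // so "*" or ")(uid=admin" in the login name cannot change the filter.
            NamingEnumeration<SearchResult> users =
                    ctx.search(userBaseDn, userSearchPattern, new Object[] {username}, sc);
            try {
                if (!users.hasMore()) {
                    return null; // unknown user
                }
                userDn = users.next().getNameInNamespace();
                if (users.hasMore()) {
                    return null; // pattern matched several entries: refuse rather than guess
                }
            } finally {
                users.close();
            }
            if (requiredGroupDn != null && !isMember(ctx, userDn)) {
                return null;
            }
        } finally {
            ctx.close();
        }
        // Password check: bind as the DN the directory returned, not as a name the user typed.
        try {
            bind(userDn, password).close();
        } catch (AuthenticationException e) {
            return null;
        }
        return userDn;
    }

    /** True when the group entry lists userDn in its member or uniqueMember attribute. */
    private boolean isMember(DirContext ctx, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE); // test the group entry itself
        sc.setReturningAttributes(new String[0]);
        NamingEnumeration<SearchResult> hits = ctx.search(requiredGroupDn,
                "(|(member={0})(uniqueMember={0}))", new Object[] {userDn}, sc);
        try {
            return hits.hasMore();
        } finally {
            hits.close();
        }
    }
}
```

Two design points matter for security. First, the login name never reaches the filter by string concatenation; it is handed to JNDI as a filter argument, which escapes it, so a crafted login name cannot widen the search or match a different entry. Second, the password is only ever checked by binding as the DN the directory returned, after the search has found exactly one entry and the group check has passed; an empty password is rejected up front because the protocol treats it as an unauthenticated bind rather than a failed one. Both binds send the passwords inside the TLS session, which is why the URL must be ldaps:// and the server certificate must actually be validated against a trust store rather than accepted unconditionally.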