Author: markt
Date: Fri Nov 15 17:39:05 2013
New Revision: 1542339

URL: http://svn.apache.org/r1542339
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55778
Make value used for javax.security.sasl.qop with SPNEGO configurable.

Modified:
    tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
    tomcat/trunk/webapps/docs/config/realm.xml

Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1542339&r1=1542338&r2=1542339&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Nov 15 
17:39:05 2013
@@ -427,6 +427,14 @@ public class JNDIRealm extends RealmBase
     protected boolean useDelegatedCredential = true;
 
 
+    /**
+     * The QOP that should be used for the connection to the LDAP server after
+     * authentication. This value is used to set the
+     * <code>javax.security.sasl.qop</code> environment property for the LDAP
+     * connection.
+     */
+    protected String spengoDelegationQop = "auth-conf";
+
     // ------------------------------------------------------------- Properties
 
     /**
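Review bot: The new property is spelled `spengoDelegationQop` on the added field line, and the same spelling is repeated in the getter and setter of the later hunk, at the `javax.security.sasl.qop` call site and in the realm.xml attribute, while the authenticator it refers to is SPNEGO. Once released this misspelling becomes a configuration attribute name that server.xml files depend on, so renaming it to `spnegoDelegationQop` in this commit is cheaper than carrying an alias later. The realm.xml element for it is also written as `<attribute mame="spengoDelegationQop" requireed="false">`, which the documentation build presumably will not treat as a named, non-required attribute.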
@@ -980,7 +988,6 @@ public class JNDIRealm extends RealmBase
     }
 
 
-
     public boolean isUseDelegatedCredential() {
         return useDelegatedCredential;
     }
@@ -990,6 +997,15 @@ public class JNDIRealm extends RealmBase
     }
 
 
+    public String getSpengoDelegationQop() {
+        return spengoDelegationQop;
+    }
+
+    public void setSpengoDelegationQop(String spengoDelegationQop) {
+        this.spengoDelegationQop = spengoDelegationQop;
+    }
+
+
     // ---------------------------------------------------------- Realm Methods
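Review bot: `setSpengoDelegationQop` stores the value verbatim, so a null or empty string reaches `Context.addToEnvironment` unchanged in the later hunk, and whether the provider then rejects the bind or negotiates a weaker QOP is left to the SASL implementation rather than made explicit. A guard such as `this.spengoDelegationQop = Objects.requireNonNull(spengoDelegationQop, "spengoDelegationQop");` would at least turn a misconfiguration into a clear failure. Both accessors also lack Javadoc; a one-sentence summary naming the accepted values from realm.xml (`auth-conf`, `auth-int`, `auth`, default `auth-conf`) would match the field's comment.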
 
     /**
@@ -2062,7 +2078,7 @@ public class JNDIRealm extends RealmBase
                 context.addToEnvironment(
                         "javax.security.sasl.server.authentication", "true");
                 context.addToEnvironment(
-                        "javax.security.sasl.qop", "auth-conf");
+                        "javax.security.sasl.qop", spengoDelegationQop);
                 // Note: Subject already set in SPNEGO authenticator so no need
                 //       for Subject.doAs() here
             }
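Review bot: The QOP passed to `javax.security.sasl.qop` now comes from configuration, but nothing at the call site records that only `auth-conf` keeps the LDAP traffic after the SASL bind confidential; an operator who lowers it to `auth-int` or `auth` exposes the directory queries made with the delegated credential to the network. A comment on the changed line would keep that trade-off visible, e.g. `// Configurable; only auth-conf protects the post-bind LDAP traffic`. The enclosing method starts and ends outside the hunk.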

Modified: tomcat/trunk/webapps/docs/config/realm.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1542339&r1=1542338&r2=1542339&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/trunk/webapps/docs/config/realm.xml Fri Nov 15 17:39:05 2013
@@ -551,6 +551,17 @@
         <code>0</code> is used which indicates no limit.</p>
       </attribute>
 
+      <attribute mame="spengoDelegationQop" requireed="false">
+        <p>When the JNDI Realm is used with the SPNEGO authenticator and
+        <code>useDelegatedCredential</code> is <code>true</code> this attribute
+        controls the QOP that should be used for the connection to the LDAP
+        server after authentication. This value is used to set the
+        <code>javax.security.sasl.qop</code> environment property for the LDAP
+        connection. This attribute should be a comma-separated list of values
+        selected from <code>auth-conf</code>, <code>auth-int</code> and
+        <code>auth</code>. The default value is <code>auth-conf</code>.</p>
+      </attribute>
+
       <attribute name="stripRealmForGss" required="false">
         <p>When processing users authenticated via the GSS-API, this attribute
         controls if any &quot;@...&quot; is removed from the end of the user
@@ -565,7 +576,7 @@
       </attribute>
 
       <attribute name="useDelegatedCredential" required="false">
-        <p>When the JNIRealm is used with the SPNEGO authenticator, delegated
+        <p>When the JNDIRealm is used with the SPNEGO authenticator, delegated
         credentials for the user may be available. If such credentials are
         present, this attribute controls whether are not they are used to
         connect to the directory. If not specified, the default value of


