Author: markt
Date: Fri Nov 15 18:30:13 2013
New Revision: 1542362
URL: http://svn.apache.org/r1542362
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55778
Make value used for javax.security.sasl.qop with SPNEGO configurable.
Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/config/realm.xml Propchange: tomcat/tc7.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1542339 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1542362&r1=1542361&r2=1542362&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Nov 15 18:30:13 2013 @@ -434,6 +434,14 @@ public class JNDIRealm extends RealmBase protected boolean useDelegatedCredential = true; + /** + * The QOP that should be used for the connection to the LDAP server after + * authentication. This value is used to set the + * <code>javax.security.sasl.qop</code> environment property for the LDAP + * connection. + */ + protected String spengoDelegationQop = "auth-conf"; + // ------------------------------------------------------------- Properties /** @@ -987,7 +995,6 @@ public class JNDIRealm extends RealmBase } - public boolean isUseDelegatedCredential() { return useDelegatedCredential; } @@ -996,6 +1003,16 @@ public class JNDIRealm extends RealmBase this.useDelegatedCredential = useDelegatedCredential; } + + public String getSpengoDelegationQop() { + return spengoDelegationQop; + } + + public void setSpengoDelegationQop(String spengoDelegationQop) { + this.spengoDelegationQop = spengoDelegationQop; + } + + /** * Return descriptive information about this Realm implementation and * the corresponding version number, in the format 
@@ -1003,15 +1020,12 @@ public class JNDIRealm extends RealmBase */ @Override public String getInfo() { - return info; - } // ---------------------------------------------------------- Realm Methods - /** * Return the Principal associated with the specified username and * credentials, if there is one; otherwise return <code>null</code>. @@ -2082,7 +2096,7 @@ public class JNDIRealm extends RealmBase context.addToEnvironment( "javax.security.sasl.server.authentication", "true"); context.addToEnvironment( - "javax.security.sasl.qop", "auth-conf"); + "javax.security.sasl.qop", spengoDelegationQop); // Note: Subject already set in SPNEGO authenticator so no need // for Subject.doAs() here } Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1542362&r1=1542361&r2=1542362&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Nov 15 18:30:13 2013 
@@ -129,6 +129,13 @@ after an error during asynchronous processing. Includes a test case based on code contributed by Todd West. (markt) </fix> + <fix> + <bug>55778</bug>: Add an option to the JNDI Realm to control the QOP + used for the connection to the LDAP server after authentication when + using SPNEFO with delegated credentials. This value is used to set the + <code>javax.security.sasl.qop</code> environment property for the LDAP + connection. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/realm.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/realm.xml?rev=1542362&r1=1542361&r2=1542362&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/config/realm.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/config/realm.xml Fri Nov 15 18:30:13 2013 @@ -553,6 +553,17 @@ <code>0</code> is used which indicates no limit.</p> </attribute> + <attribute mame="spengoDelegationQop" requireed="false"> + <p>When the JNDI Realm is used with the SPNEGO authenticator and + <code>useDelegatedCredential</code> is <code>true</code> this attribute + controls the QOP that should be used for the connection to the LDAP + server after authentication. This value is used to set the + <code>javax.security.sasl.qop</code> environment property for the LDAP + connection. This attribute should be a comma-separated list of values + selected from <code>auth-conf</code>, <code>auth-int</code> and + <code>auth</code>. The default value is <code>auth-conf</code>.</p> + </attribute> + <attribute name="stripRealmForGss" required="false"> <p>When processing users authenticated via the GSS-API, this attribute controls if any "@..." is removed from the end of the user 
@@ -567,7 +578,7 @@ </attribute> <attribute name="useDelegatedCredential" required="false"> - <p>When the JNIRealm is used with the SPNEGO authenticator, delegated + <p>When the JNDIRealm is used with the SPNEGO authenticator, delegated credentials for the user may be available. If such credentials are present, this attribute controls whether are not they are used to connect to the directory. If not specified, the default value of --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
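Review bot: in the JNDIRealm.java hunk at @@ -434 the new field is spelled `spengoDelegationQop`, and the same misspelling is carried into the getter, the setter and the documented Realm attribute; the feature is SPNEGO, and once the attribute name is released it becomes public configuration that is hard to rename, so correct it to `spnegoDelegationQop` before this ships. The Javadoc should also say what the choice means: `auth-conf` (the value that was hard-coded until now) protects the LDAP traffic with integrity and confidentiality, while `auth-int` drops confidentiality and `auth` drops both.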
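Review bot: in the hunk at @@ -996 `setSpengoDelegationQop` stores whatever string it is given, yet realm.xml documents the attribute as a comma-separated list drawn from `auth-conf`, `auth-int` and `auth`. A mistyped value would only surface later as a SASL negotiation failure, or go unnoticed if the server accepts a weaker QOP, so validate the value (or at least log a warning for unknown tokens) at set time or at realm start. The hunk also leaves a stray blank line both before and after the new accessors.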
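Review bot: as rendered, the hunk at @@ -1003 removes lines that read `return info;` and the closing brace of `getInfo()`, which would leave the method without a body. If the three removed lines (the header goes from 15 to 12 lines) are in fact blank-line removals, this is unrelated whitespace cleanup, like the blank line dropped at @@ -987, and is better kept out of a bug-fix commit; please confirm which it is.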
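Review bot: in the hunk at @@ -2082 replacing the literal `"auth-conf"` with `spengoDelegationQop` keeps the default behaviour, which is right, but it also means an operator can set `auth` and silently turn off integrity and confidentiality on the post-authentication LDAP connection. Logging the effective `javax.security.sasl.qop` value at debug level next to the `addToEnvironment` call would let operators confirm what they actually configured.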
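Review bot: the new changelog entry in the @@ -129 hunk has "SPNEFO", which should read "SPNEGO".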
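Review bot: the new `<attribute mame="spengoDelegationQop" requireed="false">` element in the realm.xml hunk at @@ -553 misspells both XML attributes; the neighbouring `<attribute name="stripRealmForGss" required="false">` shows the expected `name=` and `required=`, and the docs stylesheet will not pick up the attribute name or required flag as written. The attribute name itself also carries the SPNEGO misspelling, and the paragraph should tell readers that `auth-int` and `auth` reduce the protection applied to the LDAP connection compared with the default `auth-conf`.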
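Review bot: the JNIRealm to JNDIRealm fix in the hunk at @@ -567 is fine; while touching this paragraph, the unchanged context line "controls whether are not they are used to connect to the directory" should read "whether or not they are used".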