Wrong spelling of the property name. s/spengo/spnego/

Regarding documentation (realm.xml): Maybe add a notice on what "QOP" stands for, "Quality of Protection". (It is not the first result in Google, though).
http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html#qop 2013/11/15 <ma...@apache.org>: > Author: markt > Date: Fri Nov 15 17:39:05 2013 > New Revision: 1542339 > > URL: http://svn.apache.org/r1542339 > Log: > Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55778 > Make value used for javax.security.sasl.qop with SPNEGO configurable. > > Modified: > tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > tomcat/trunk/webapps/docs/config/realm.xml > > Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1542339&r1=1542338&r2=1542339&view=diff > ============================================================================== > --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original) > +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Nov 15 > 17:39:05 2013 > @@ -427,6 +427,14 @@ public class JNDIRealm extends RealmBase > protected boolean useDelegatedCredential = true; > > > + /** > + * The QOP that should be used for the connection to the LDAP server > after > + * authentication. This value is used to set the > + * <code>javax.security.sasl.qop</code> environment property for the LDAP > + * connection. > + */ > + protected String spengoDelegationQop = "auth-conf"; > + > // ------------------------------------------------------------- > Properties > > /** > @@ -980,7 +988,6 @@ public class JNDIRealm extends RealmBase > } > > > - > public boolean isUseDelegatedCredential() { > return useDelegatedCredential; > } 
> @@ -990,6 +997,15 @@ public class JNDIRealm extends RealmBase > } > > > + public String getSpengoDelegationQop() { > + return spengoDelegationQop; > + } > + > + public void setSpengoDelegationQop(String spengoDelegationQop) { > + this.spengoDelegationQop = spengoDelegationQop; > + } > + > + > // ---------------------------------------------------------- Realm > Methods > > /** > @@ -2062,7 +2078,7 @@ public class JNDIRealm extends RealmBase > context.addToEnvironment( > "javax.security.sasl.server.authentication", "true"); > context.addToEnvironment( > - "javax.security.sasl.qop", "auth-conf"); > + "javax.security.sasl.qop", spengoDelegationQop); > // Note: Subject already set in SPNEGO authenticator so no > need > // for Subject.doAs() here > } > > Modified: tomcat/trunk/webapps/docs/config/realm.xml > URL: > http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1542339&r1=1542338&r2=1542339&view=diff > ============================================================================== > --- tomcat/trunk/webapps/docs/config/realm.xml (original) > +++ tomcat/trunk/webapps/docs/config/realm.xml Fri Nov 15 17:39:05 2013 
> @@ -551,6 +551,17 @@ > <code>0</code> is used which indicates no limit.</p> > </attribute> > > + <attribute mame="spengoDelegationQop" requireed="false"> > + <p>When the JNDI Realm is used with the SPNEGO authenticator and > + <code>useDelegatedCredential</code> is <code>true</code> this > attribute > + controls the QOP that should be used for the connection to the LDAP > + server after authentication. This value is used to set the > + <code>javax.security.sasl.qop</code> environment property for the > LDAP > + connection. This attribute should be a comma-separated list of values > + selected from <code>auth-conf</code>, <code>auth-int</code> and > + <code>auth</code>. The default value is <code>auth-conf</code>.</p> > + </attribute> > + > <attribute name="stripRealmForGss" required="false"> > <p>When processing users authenticated via the GSS-API, this > attribute > controls if any "@..." is removed from the end of the user > @@ -565,7 +576,7 @@ > </attribute> > > <attribute name="useDelegatedCredential" required="false"> > - <p>When the JNIRealm is used with the SPNEGO authenticator, delegated > + <p>When the JNDIRealm is used with the SPNEGO authenticator, > delegated > credentials for the user may be available. If such credentials are > present, this attribute controls whether are not they are used to > connect to the directory. If not specified, the default value of > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org
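
Review bot: In the JNDIRealm.java hunk at @@ -427,6 +427,14 @@, the new field is spelled spengoDelegationQop, which transposes the letters of SPNEGO. The getter and setter added later in the patch expose that name as the public realm attribute, so rename it to spnegoDelegationQop before it ships. The Javadoc should also expand QOP and list the accepted values (auth-conf, auth-int, auth) the way realm.xml does.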
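
Review bot: In the JNDIRealm.java hunk at @@ -990,6 +997,15 @@, setSpengoDelegationQop stores whatever string it is given, so a null or mistyped value reaches context.addToEnvironment unchecked. Suggest validating in the setter that the value is a comma-separated list drawn from auth-conf, auth-int and auth, the set documented in realm.xml, and rejecting anything else at configuration time.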
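
Review bot: In the JNDIRealm.java hunk at @@ -2062,7 +2078,7 @@, javax.security.sasl.qop was fixed at auth-conf and now takes the configured value, so a realm set to auth-int or auth connects to the directory with delegated credentials but without confidentiality protection (and with auth, without integrity protection either). Nothing in the visible lines records that choice; suggest logging the effective QOP when it is anything other than auth-conf so a downgrade shows up in review of the logs.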
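
Review bot: In the realm.xml hunk at @@ -551,6 +551,17 @@, the opening tag of the new element reads mame= and requireed=, while the stripRealmForGss element just below it uses name= and required=; correct both attribute names. The paragraph also never expands QOP or says what each of auth-conf, auth-int and auth provides, which an administrator needs in order to choose a value.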
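
Review bot: In the realm.xml hunk at @@ -565,7 +576,7 @@, the paragraph being corrected still contains "whether are not" in its unchanged context line; change it to "whether or not" while this text is being touched. The new spengoDelegationQop entry writes "JNDI Realm" and this line writes "JNDIRealm", so settle on one form.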