Am Sonntag, den 15.08.2010, 17:53 +0000 schrieb Igor Galić: > ----- "Felix Schumacher" <felix.schumac...@internetallee.de> wrote: > > /snip > > > I've traced the operation with wireshark only to find it's not even > > trying to do any kind of SASL negotiation. > > > That seems weird, since: > > > > > http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-com.sun/jndi/com/sun/jndi/ldap/LdapClient.java.htm > > > suggests it should be doing that by default. > > If I read > > http://java.sun.com/products/jndi/tutorial/ldap/ext/starttls.html > > correctly, I would say, that you have to tell ldapclient explicitly > > to > > use tls, which the jndirealm does not. > > From a different part of the thread, by me: > ``I would still like to believe that this is a simple configuration error from > my side. That I have to tell Tomcat use StartTLS, use SASL - but none > of the documentation gives a hint about that.'' > > So, my question is: Is there a way to do this from within JNDI Realm? > > My guesswork was at the end when protocol="TLS" or "StartTLS" or > authentication="simple" SASL, etc.. didn't do it. There is no explicit support for tls in the standard jndi realm implementation. So if DirContext does not do startTLS automatically - which I doubt - you are a bit out of luck.
If you are feeling lucky and are willing to compile tomcat yourself, you can try the attached diff. I haven't tested it, since I don't have an ldap server around at the moment. You have to extend the realm configuration with <Realm ... startTLS="true" ... /> HTH Felix > > > Bye > > Felix > > > > > > > > I'm out ideas now. and welcome any advise you can offer. > > > > > > So long o/~ > > > -- > > > Igor Galić > > > > > > Tel: +43 (0) 664 886 22 883 > > > Mail: i.ga...@brainsware.org > > > URL: http://brainsware.org/ > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org >
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index 25dfae2..eecf414 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -33,16 +33,16 @@ import java.util.Map;
 import java.util.Set;
 import java.util.Map.Entry;
-import javax.naming.Context;
+import javax.naming.AuthenticationException;
 import javax.naming.CommunicationException;
 import javax.naming.CompositeName;
+import javax.naming.Context;
 import javax.naming.InvalidNameException;
+import javax.naming.Name;
 import javax.naming.NameNotFoundException;
+import javax.naming.NameParser;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
-import javax.naming.NameParser;
-import javax.naming.Name;
-import javax.naming.AuthenticationException;
 import javax.naming.PartialResultException;
 import javax.naming.ServiceUnavailableException;
 import javax.naming.directory.Attribute;
@@ -51,6 +51,10 @@ import javax.naming.directory.DirContext;
 import javax.naming.directory.InitialDirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.StartTlsRequest;
+import javax.naming.ldap.StartTlsResponse;
+
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.util.Base64;
 import org.apache.tomcat.util.buf.ByteChunk;
@@ -387,6 +391,10 @@ public class JNDIRealm extends RealmBase {
 * to the directory. The default is 5000 (5 seconds).
 */
 protected String connectionTimeout = "5000";
+
+ private boolean startTLS;
+
+ private StartTlsResponse tls;
 // ------------------------------------------------------------- Properties
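Review bot: The two new fields in the @@ -387 hunk carry no comment, although the neighbouring field in this section is documented, and `startTLS` relies on its implicit default. Suggested: `/** Negotiate StartTLS on the LDAP connection after it is opened; default <code>false</code>. */` above `startTLS`, and `/** StartTLS handle for the current connection; set only when startTLS is enabled and the negotiation succeeded. */` above `tls`. Since the handle is bound to the lifetime of `context`, the comment should say it is only meaningful while that connection is open.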
@@ -898,8 +906,18 @@ public class JNDIRealm extends RealmBase {
 this.connectionTimeout = timeout;
 }
+
+ /**
+ * Set if TLS should be used.
+ * @param startTLS wether TLS should be used (<code>true</code>), or not (<code>false</code>, default).
+ */
+ public void setStartTLS(boolean startTLS) {
+ this.startTLS = startTLS;
+ }
-
+ public boolean getStartTLS() {
+ return this.startTLS;
+ }
 /**
 * Return descriptive information about this Realm implementation and
 * the corresponding version number, in the format
@@ -1809,6 +1827,15 @@ public class JNDIRealm extends RealmBase {
 // Do nothing if there is no opened connection
 if (context == null) return;
+
+ // close tls session if it is open
+ if (tls != null) {
+ try {
+ tls.close();
+ } catch (IOException e) {
+ containerLog.error(sm.getString("jndiRealm.closeTls"), e);
+ }
+ }
 // Close our opened connection
 try {
@@ -1952,6 +1979,11 @@ public class JNDIRealm extends RealmBase {
 // Ensure that we have a directory context available
 context = new InitialDirContext(getDirectoryContextEnvironment());
+ if (getStartTLS() && context instanceof LdapContext) {
+ this.tls =
+ (StartTlsResponse) ((LdapContext)context).extendedOperation(new StartTlsRequest());
+ tls.negotiate();
+ }
 } catch (Exception e) {
@@ -1962,6 +1994,15 @@ public class JNDIRealm extends RealmBase {
 // Try connecting to the alternate url.
 context = new InitialDirContext(getDirectoryContextEnvironment());
+ if (getStartTLS() && context instanceof LdapContext) {
+ this.tls =
+ (StartTlsResponse) ((LdapContext)context).extendedOperation(new StartTlsRequest());
+ try {
+ tls.negotiate();
+ } catch (IOException e1) {
+ throw new NamingException(e1.getMessage());
+ }
+ }
 } finally {
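Review bot: The setter Javadoc in the @@ -898 hunk misspells `wether` and describes the switch as plain TLS, while the flag actually drives an LDAP StartTLS extended operation; `getStartTLS()` has no Javadoc at all, and the removed blank line leaves its closing brace directly against the `/**` of the next method. Suggested wording: `@param startTLS whether to negotiate StartTLS after opening the LDAP connection (<code>true</code>), or not (<code>false</code>, default).` and for the getter `/** @return whether StartTLS is negotiated after the LDAP connection is opened. */`. Keep the blank line between the getter and the following Javadoc.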
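Review bot: In the @@ -1809 hunk `tls` is closed but never reset, so the stale `StartTlsResponse` outlives the connection and a later `close()` call, or a reconnect that does not go through the StartTLS branch, may act on a handle whose socket is gone. Add `tls = null;` after the try/catch (a `finally` makes it unconditional). The message key `jndiRealm.closeTls` is used here but this patch does not add it to the realm's LocalStrings, so the log call would report a missing resource rather than the intended text until that is done. The enclosing close method starts and ends outside the hunk.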
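Review bot: In the @@ -1952 hunk StartTLS is negotiated only after `new InitialDirContext(getDirectoryContextEnvironment())` returns, and if that environment carries the realm's bind credentials (`Context.SECURITY_PRINCIPAL`/`Context.SECURITY_CREDENTIALS`, as the connectionName/connectionPassword settings suggest) the provider has already sent the simple bind over the cleartext socket, so the option protects the searches but not the password. The JNDI StartTLS guide cited earlier in this thread creates the context without credentials, negotiates TLS, then adds the credentials to the environment so the bind happens on the protected channel; the rewrite below does that and applies equally to the alternate-URL copy in the @@ -1962 hunk. The IOException from `tls.negotiate()` here falls through to the visible `catch (Exception e)`, which presumably triggers the alternate-URL retry; a failed handshake should probably be reported rather than retried on the same terms. The enclosing open method starts and ends outside the hunk.
```java
            // Ensure that we have a directory context available
            Hashtable<String,String> env = getDirectoryContextEnvironment();
            // With StartTLS the initial connection must be anonymous: strip the
            // bind credentials here and re-apply them once the channel is protected.
            String principal = null;
            String credentials = null;
            if (getStartTLS()) {
                principal = env.remove(Context.SECURITY_PRINCIPAL);
                credentials = env.remove(Context.SECURITY_CREDENTIALS);
            }
            context = new InitialDirContext(env);
            if (getStartTLS() && context instanceof LdapContext) {
                tls = (StartTlsResponse) ((LdapContext) context)
                        .extendedOperation(new StartTlsRequest());
                tls.negotiate();
                // Per the JNDI StartTLS guide the provider binds with the new
                // credentials on the next operation, now over TLS.
                if (principal != null) {
                    context.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
                }
                if (credentials != null) {
                    context.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
                }
            }
            // … unchanged: catch (Exception e) and the alternate-url retry …
```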
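Review bot: `throw new NamingException(e1.getMessage())` in the @@ -1962 hunk drops the IOException itself, so the stack of a failed StartTLS handshake (certificate, hostname or protocol problem) never reaches the realm's error log; chain it: `NamingException ne = new NamingException(e1.getMessage()); ne.setRootCause(e1); throw ne;`. The first copy of this code in the @@ -1952 hunk lets the same IOException escape unwrapped, so the two paths report one failure in two different ways; the duplicated negotiate block is worth extracting into a single private helper that both call. The enclosing open method starts and ends outside the hunk.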