Bug 49785

Summary: Enable STARTTLS for JNDIRealm
Product: Tomcat 7
Reporter: Felix Schumacher <felix.schumacher>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: enhancement
Keywords: PatchAvailable
Priority: P2
Version: trunk
Target Milestone: ---
Hardware: All
OS: All
Attachments:
  InitialContextFactory which produces TLS enabled LdapContext instances
  Enable starttls for JNDIRealm
  Enable starttls for JNDIRealm

Description Felix Schumacher 2010-08-19 13:04:06 UTC
Created attachment 25916 [details]
InitialContextFactory which produces TLS enabled LdapContext instances

To enable TLS for LDAP inside JNDIRealm one has to either patch JNDIRealm directly and introduce another state variable to hold TLS-state - and thus make introduction of pooling harder, or use a factory which produces TLS enabled DirContext instances.

Such a factory is attached. It can be configured by specifying a contextFactory in JNDIRealm config:
 <Realm
   ...
   contextFactory="org.apache.catalina.realm.LdapTlsContextFactory"
   ...
   />

I think it would be a good idea to add a parameter startTLS to JNDIRealm, which would automatically use the above TLS-ContextFactory. If wanted, I could supply a patch.

(the patch is against tomcat 6.0.x trunk, but I think it will apply fine to trunk too)
Comment 1 Rainer Jung 2010-08-19 18:11:37 UTC
See also http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo
Comment 2 Christopher Schultz 2012-08-09 18:31:29 UTC
The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which claims to support both SSL and STARTTLS: http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL

Am I missing something?
Comment 3 Felix Schumacher 2015-02-10 22:05:16 UTC
Created attachment 32448 [details]
Enable starttls for JNDIRealm

I integrated the functionality into JNDIRealm. There is no documentation yet and I am not sure whether I should include the HostnameVerifier as an enum. I will extend the method, so that I can use the given string for construction of one.

I will commit the code together with documentation to trunk if no one objects.
Comment 4 Felix Schumacher 2015-02-12 20:43:18 UTC
Created attachment 32465 [details]
Enable starttls for JNDIRealm

Basically the same as the last patch, but now with documentation and the possibility to specify an SSLSocketFactory.
Comment 5 Felix Schumacher 2015-02-12 20:44:24 UTC
(In reply to Christopher Schultz from comment #2)
> The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which
> claims to support both SSL and STARTTLS:
> http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL
> 
> Am I missing something?

SSL is used automatically when ldaps:// is specified as the protocol, but for StartTLS you have to code a little bit to enable it.
Comment 6 Christopher Schultz 2015-02-13 17:17:06 UTC
(In reply to Felix Schumacher from comment #5)
>
> SSL is used automatically, when ldaps:// is specified as the protocol, but
> for StartTLS you have to code a little bit to enable it.

Aah, yes: I think of TLS as secure-transport, and I often forget about STARTTLS. I'm updating the description to be more clear.
Comment 7 Felix Schumacher 2015-02-19 18:55:53 UTC
Fixed in trunk and tomcat 8.0.x for 8.0.21 onwards.
Comment 8 Felix Schumacher 2015-02-21 13:14:50 UTC
Will be included in tomcat 7.0.60