Summary: Enable STARTTLS for JNDIRealm
Product: Tomcat 7
Reporter: Felix Schumacher <felix.schumacher>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Description Felix Schumacher 2010-08-19 13:04:06 UTC
Created attachment 25916 [details]
InitialContextFactory which produces TLS enabled LdapContext instances

To enable TLS for LDAP inside JNDIRealm one has to either patch JNDIRealm directly and introduce another state variable to hold TLS-state - and thus make introduction of pooling harder, or use a factory which produces TLS enabled DirContext instances. Such a factory is attached. It can be configured by specifying a contextFactory in JNDIRealm config:

<Realm ... contextFactory="org.apache.catalina.realm.LdapTlsContextFactory" ... />

I think it would be a good idea to add a parameter startTLS to JNDIRealm, which would automatically use the above TLS-ContextFactory. If wanted, I could supply a patch. (The patch is against tomcat 6.0.x trunk, but I think it will apply fine to trunk too.)
Comment 1 Rainer Jung 2010-08-19 18:11:37 UTC
Comment 2 Christopher Schultz 2012-08-09 18:31:29 UTC
The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which claims to support both SSL and STARTTLS: http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL Am I missing something?
Comment 3 Felix Schumacher 2015-02-10 22:05:16 UTC
Created attachment 32448 [details]
Enable starttls for JNDIRealm

I integrated the functionality into JNDIRealm. There is no documentation yet and I am not sure whether I should include the HostnameVerifier as an enum. I will extend the method, so that I can use the given string for construction of one. I will commit the code together with documentation to trunk if no one objects.
Comment 4 Felix Schumacher 2015-02-12 20:43:18 UTC
Created attachment 32465 [details]
Enable starttls for JNDIRealm

Basically the same as the last patch, but now with documentation and the possibility to specify an SSLSocketFactory.
Comment 5 Felix Schumacher 2015-02-12 20:44:24 UTC
(In reply to Christopher Schultz from comment #2)
> The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which
> claims to support both SSL and STARTTLS:
> http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL
>
> Am I missing something?

SSL is used automatically, when ldaps:// is specified as the protocol, but for StartTLS you have to code a little bit to enable it.
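The "little bit of code" that StartTLS needs on top of the default LdapCtxFactory, shown as an added example (this is neither Tomcat's JNDIRealm code nor the attached patch): the context is opened over plain ldap://, upgraded with the StartTLS extended operation, and only then are the bind credentials supplied, so they never cross the wire unencrypted. The socketFactory and verifier parameters are assumed to be supplied by the caller; passing null for both keeps the JDK defaults, including default hostname verification.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;

public final class StartTlsLdapExample {

    /**
     * Opens an LDAP connection, upgrades it with StartTLS and then binds.
     * url must be ldap:// (not ldaps://); the TLS layer is negotiated in-band.
     * socketFactory and verifier are hypothetical caller-supplied hooks,
     * mirroring the options discussed in this ticket; null keeps the defaults.
     */
    public static LdapContext connectWithStartTls(String url, String bindDn,
            String password, SSLSocketFactory socketFactory,
            HostnameVerifier verifier) throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Deliberately no SECURITY_* entries yet: a simple bind at this point
        // would send the password in clear text before TLS exists.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            if (verifier != null) {
                // Must be set before negotiate(); a permissive verifier
                // defeats server authentication, so only override deliberately.
                tls.setHostnameVerifier(verifier);
            }
            tls.negotiate(socketFactory); // null -> default SSLSocketFactory
            // Channel is encrypted now; add credentials and rebind.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null);
            return ctx;
        } catch (NamingException | IOException e) {
            if (tls != null) {
                try { tls.close(); } catch (IOException ignored) { }
            }
            ctx.close();
            throw e;
        }
    }
}
```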
Comment 6 Christopher Schultz 2015-02-13 17:17:06 UTC
(In reply to Felix Schumacher from comment #5)
> SSL is used automatically, when ldaps:// is specified as the protocol, but
> for StartTLS you have to code a little bit to enable it.

Aah, yes: I think of TLS as secure-transport, and I often forget about STARTTLS. I'm updating the description to be more clear.
Comment 7 Felix Schumacher 2015-02-19 18:55:53 UTC
Fixed in trunk and tomcat 8.0.x for 8.0.21 onwards.
Comment 8 Felix Schumacher 2015-02-21 13:14:50 UTC
Will be included in tomcat 7.0.60