| Summary | Enable STARTTLS for JNDIRealm |
|---|---|
| Product | Tomcat 7 |
| Component | Catalina |
| Status | RESOLVED FIXED |
| Severity | enhancement |
| Priority | P2 |
| Version | trunk |
| Target Milestone | --- |
| Hardware | All |
| OS | All |
| Reporter | Felix Schumacher <felix.schumacher> |
| Assignee | Tomcat Developers Mailing List <dev> |
| Keywords | PatchAvailable |

Attachments:

- InitialContextFactory which produces TLS enabled LdapContext instances (attachment 25916)
- Enable starttls for JNDIRealm (attachment 32448)
- Enable starttls for JNDIRealm (attachment 32465)
Description (Felix Schumacher):

Created attachment 25916 [details]
InitialContextFactory which produces TLS enabled LdapContext instances

To enable TLS for LDAP inside JNDIRealm one has to either patch JNDIRealm directly and introduce another state variable to hold the TLS state (and thus make the introduction of pooling harder), or use a factory which produces TLS-enabled DirContext instances. Such a factory is attached. It can be configured by specifying a contextFactory in the JNDIRealm config:

    <Realm ... contextFactory="org.apache.catalina.realm.LdapTlsContextFactory" ... />

I think it would be a good idea to add a parameter startTLS to JNDIRealm, which would automatically use the above TLS ContextFactory. If wanted, I could supply a patch. (The patch is against tomcat 6.0.x trunk, but I think it will apply fine to trunk too.)

Comment #2 (Christopher Schultz):

The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which claims to support both SSL and STARTTLS: http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL

Am I missing something?

Comment:

Created attachment 32448 [details]
Enable starttls for JNDIRealm

I integrated the functionality into JNDIRealm. There is no documentation yet and I am not sure whether I should include the HostnameVerifier as an enum. I will extend the method so that I can use the given string for construction of one.

I will commit the code together with documentation to trunk if no one objects.

Comment:

Created attachment 32465 [details]
Enable starttls for JNDIRealm

Basically the same as the last patch, but now with documentation and the possibility to specify an SSLSocketFactory.

Comment #5 (Felix Schumacher):

(In reply to Christopher Schultz from comment #2)
> The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which
> claims to support both SSL and STARTTLS:
> http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL
>
> Am I missing something?

SSL is used automatically when ldaps:// is specified as the protocol, but for StartTLS you have to code a little bit to enable it.

Comment (Christopher Schultz):

(In reply to Felix Schumacher from comment #5)
> SSL is used automatically when ldaps:// is specified as the protocol, but
> for StartTLS you have to code a little bit to enable it.

Aah, yes: I think of TLS as secure-transport, and I often forget about STARTTLS. I'm updating the description to be more clear.

Comment:

Fixed in trunk and tomcat 8.0.x for 8.0.21 onwards. Will be included in tomcat 7.0.60.
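The "little bit of code" that comment #5 refers to, and the factory approach from the description, as an added example that is neither attachment 25916 nor Tomcat's own JNDIRealm code: a JNDI InitialContextFactory (the class name StartTlsLdapContextFactory is an assumption) that upgrades an ldap:// connection with the StartTLS extended operation before the bind, so the realm's credentials never travel in clear.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.naming.spi.InitialContextFactory;

// Hypothetical factory (assumption: not the class attached to this bug). It opens a
// plain ldap:// connection, upgrades it with StartTLS, and only then lets the bind
// happen over the encrypted channel.
public class StartTlsLdapContextFactory implements InitialContextFactory {
    @Override
    public Context getInitialContext(Hashtable<?, ?> environment) throws NamingException {
        // StartTLS must be requested on an unauthenticated connection: strip the
        // credentials before the context is created and restore them afterwards.
        Hashtable<Object, Object> env = new Hashtable<Object, Object>(environment);
        Object authType = env.remove(Context.SECURITY_AUTHENTICATION);
        Object principal = env.remove(Context.SECURITY_PRINCIPAL);
        Object credentials = env.remove(Context.SECURITY_CREDENTIALS);

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls =
                    (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the default SSLSocketFactory and verifies the server
            // certificate against the host in the URL; a custom HostnameVerifier or
            // SSLSocketFactory would be configured here. Any failure aborts the login.
            tls.negotiate();
        } catch (IOException e) {
            ctx.close();
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        } catch (NamingException e) {
            ctx.close();
            throw e;
        }
        // The channel is now encrypted; the LDAP provider re-binds with these
        // credentials on the next operation over the protected connection.
        if (authType != null) ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, authType);
        if (principal != null) ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
        if (credentials != null) ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
        return ctx;
    }
}
```

Such a class would be wired in through the JNDIRealm contextFactory attribute exactly as the description shows, with a plain ldap:// connectionURL rather than ldaps://.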