Bug 49785 - Enable STARTTLS for JNDIRealm
Enable STARTTLS for JNDIRealm
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: trunk
Hardware: All
OS: All
Importance: P2 enhancement with 6 votes
Assigned To: Tomcat Developers Mailing List
Keywords: PatchAvailable
Reported: 2010-08-19 13:04 UTC by Felix Schumacher
Modified: 2015-02-21 13:14 UTC

Attachments
InitialContextFactory which produces TLS enabled LdapContext instances (7.72 KB, patch), 2010-08-19 13:04 UTC, Felix Schumacher
Enable starttls for JNDIRealm (12.44 KB, patch), 2015-02-10 22:05 UTC, Felix Schumacher
Enable starttls for JNDIRealm (17.56 KB, patch), 2015-02-12 20:43 UTC, Felix Schumacher

Description Felix Schumacher 2010-08-19 13:04:06 UTC
Created attachment 25916
InitialContextFactory which produces TLS enabled LdapContext instances

To enable TLS for LDAP inside JNDIRealm one has to either patch JNDIRealm directly and introduce another state variable to hold TLS-state - and thus make introduction of pooling harder, or use a factory which produces TLS enabled DirContext instances.

Such a factory is attached. It can be configured by specifying a contextFactory in JNDIRealm config:
 <Realm
   ...
   contextFactory="org.apache.catalina.realm.LdapTlsContextFactory"
   ...
   />

I think it would be a good idea to add a parameter startTLS to JNDIRealm, which would automatically use the above TLS-ContextFactory. If wanted, I could supply a patch.

(the patch is against tomcat 6.0.x trunk, but I think it will apply fine to trunk too)
Comment 1 Rainer Jung 2010-08-19 18:11:37 UTC
See also http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo
Comment 2 Christopher Schultz 2012-08-09 18:31:29 UTC
The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which claims to support both SSL and STARTTLS: http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL

Am I missing something?
Comment 3 Felix Schumacher 2015-02-10 22:05:16 UTC
Created attachment 32448
Enable starttls for JNDIRealm

I integrated the functionality into JNDIRealm. There is no documentation yet and I am not sure whether I should include the HostnameVerifier as an enum. I will extend the method, so that I can use the given string for construction of one.

I will commit the code together with documentation to trunk if no one objects.
Comment 4 Felix Schumacher 2015-02-12 20:43:18 UTC
Created attachment 32465
Enable starttls for JNDIRealm

Basically the same as the last patch, but now with documentation and the possibility to specify an SSLSocketFactory.
Comment 5 Felix Schumacher 2015-02-12 20:44:24 UTC
(In reply to Christopher Schultz from comment #2)
> The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which
> claims to support both SSL and STARTTLS:
> http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL
> 
> Am I missing something?

SSL is used automatically when ldaps:// is specified as the protocol, but for StartTLS you have to code a little bit to enable it.
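Added example, not taken from the patches on this bug, of the "little bit of code" JNDI needs for StartTLS: the extended operation, an optional HostnameVerifier and SSLSocketFactory as discussed in comments 3 and 4, and the bind sent only after the connection is encrypted. The URL and bind DN are constructed placeholders.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;

public final class StartTlsLdapBind {

    // Opens a plain ldap:// connection, upgrades it in-band with StartTLS and only then
    // performs the simple bind, so the bind DN and password never travel in clear text.
    // verifier == null keeps the JDK's default (strict) hostname check; factory == null
    // uses the default SSLSocketFactory (e.g. pass one built from a custom trust store).
    public static LdapContext connectWithStartTls(String url, String bindDn, String password,
            HostnameVerifier verifier, SSLSocketFactory factory)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // ldap://, not ldaps://: TLS is negotiated in-band
        // Deliberately no SECURITY_PRINCIPAL/CREDENTIALS yet: the context starts anonymous.
        LdapContext ctx = new InitialLdapContext(env, null);

        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        if (verifier != null) {
            tls.setHostnameVerifier(verifier); // must be set before negotiate()
        }
        if (factory != null) {
            tls.negotiate(factory);
        } else {
            tls.negotiate();
        }

        // The connection is now encrypted; add credentials and re-bind on the same connection.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; replace with a real directory and service account.
        LdapContext ctx = connectWithStartTls("ldap://ldap.example.invalid:389",
                "cn=tomcat,ou=services,dc=example,dc=invalid", "changeit", null, null);
        System.out.println(ctx.getNameInNamespace());
        ctx.close(); // closing the context also tears down the TLS layer
    }
}
```

A failed certificate or hostname check surfaces as an exception from negotiate(), before any credentials are sent, which is the property the plain ldap:// setup lacks.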
Comment 6 Christopher Schultz 2015-02-13 17:17:06 UTC
(In reply to Felix Schumacher from comment #5)
>
> SSL is used automatically, when ldaps:// is specified as the protocol, but
> for StartTLS you have to code a little bit to enable it.

Aah, yes: I think of TLS as secure-transport, and I often forget about STARTTLS. I'm updating the description to be more clear.
Comment 7 Felix Schumacher 2015-02-19 18:55:53 UTC
Fixed in trunk and tomcat 8.0.x for 8.0.21 onwards.
Comment 8 Felix Schumacher 2015-02-21 13:14:50 UTC
Will be included in tomcat 7.0.60