On 15/11/2013 20:09, Konstantin Kolinko wrote:
> Wrong spelling of the property name.
> s/spengo/spnego/

Grr. I keep doing that. No idea why. Fixed. Thanks for the review. Mark > > Regarding documentation (realm.xml): > Maybe add a notice on what "QOP" stands for, "Quality of Protection". > (It is not the first result in Google, though). > > http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP > http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html#qop > > > 2013/11/15 <ma...@apache.org>: >> Author: markt >> Date: Fri Nov 15 17:39:05 2013 >> New Revision: 1542339 >> >> URL: http://svn.apache.org/r1542339 >> Log: >> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55778 >> Make value used for javax.security.sasl.qop with SPNEGO configurable. >> >> Modified: >> tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java >> tomcat/trunk/webapps/docs/config/realm.xml >> >> Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1542339&r1=1542338&r2=1542339&view=diff >> ============================================================================== >> --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original) >> +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Nov 15 >> 17:39:05 2013 >> @@ -427,6 +427,14 @@ public class JNDIRealm extends RealmBase >> protected boolean useDelegatedCredential = true; >> >> >> + /** >> + * The QOP that should be used for the connection to the LDAP server >> after >> + * authentication. This value is used to set the >> + * <code>javax.security.sasl.qop</code> environment property for the >> LDAP >> + * connection. >> + */ >> + protected String spengoDelegationQop = "auth-conf"; >> + >> // ------------------------------------------------------------- >> Properties >> >> /** >> @@ -980,7 +988,6 @@ public class JNDIRealm extends RealmBase >> } >> >> >> - >> public boolean isUseDelegatedCredential() { >> return useDelegatedCredential; >> } 
>> @@ -990,6 +997,15 @@ public class JNDIRealm extends RealmBase >> } >> >> >> + public String getSpengoDelegationQop() { >> + return spengoDelegationQop; >> + } >> + >> + public void setSpengoDelegationQop(String spengoDelegationQop) { >> + this.spengoDelegationQop = spengoDelegationQop; >> + } >> + >> + >> // ---------------------------------------------------------- Realm >> Methods >> >> /** >> @@ -2062,7 +2078,7 @@ public class JNDIRealm extends RealmBase >> context.addToEnvironment( >> "javax.security.sasl.server.authentication", >> "true"); >> context.addToEnvironment( >> - "javax.security.sasl.qop", "auth-conf"); >> + "javax.security.sasl.qop", spengoDelegationQop); >> // Note: Subject already set in SPNEGO authenticator so no >> need >> // for Subject.doAs() here >> } >> >> Modified: tomcat/trunk/webapps/docs/config/realm.xml >> URL: >> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1542339&r1=1542338&r2=1542339&view=diff >> ============================================================================== >> --- tomcat/trunk/webapps/docs/config/realm.xml (original) >> +++ tomcat/trunk/webapps/docs/config/realm.xml Fri Nov 15 17:39:05 2013 
>> @@ -551,6 +551,17 @@ >> <code>0</code> is used which indicates no limit.</p> >> </attribute> >> >> + <attribute mame="spengoDelegationQop" requireed="false"> >> + <p>When the JNDI Realm is used with the SPNEGO authenticator and >> + <code>useDelegatedCredential</code> is <code>true</code> this >> attribute >> + controls the QOP that should be used for the connection to the LDAP >> + server after authentication. This value is used to set the >> + <code>javax.security.sasl.qop</code> environment property for the >> LDAP >> + connection. This attribute should be a comma-separated list of >> values >> + selected from <code>auth-conf</code>, <code>auth-int</code> and >> + <code>auth</code>. The default value is <code>auth-conf</code>.</p> >> + </attribute> >> + >> <attribute name="stripRealmForGss" required="false"> >> <p>When processing users authenticated via the GSS-API, this >> attribute >> controls if any "@..." is removed from the end of the user 
>> @@ -565,7 +576,7 @@ >> </attribute> >> >> <attribute name="useDelegatedCredential" required="false"> >> - <p>When the JNIRealm is used with the SPNEGO authenticator, >> delegated >> + <p>When the JNDIRealm is used with the SPNEGO authenticator, >> delegated >> credentials for the user may be available. If such credentials are >> present, this attribute controls whether are not they are used to >> connect to the directory. If not specified, the default value of >> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: dev-h...@tomcat.apache.org
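
Review bot: In the JNDIRealm.java hunk at -427,6 +427,14, the new field is spelled "spengoDelegationQop" where the protocol is SPNEGO. The name is exposed through the accessor pair and the realm.xml attribute added in the same commit, so it should be renamed to "spnegoDelegationQop" in all three places before anyone configures against it. The Javadoc could also expand QOP as "Quality of Protection" and name the accepted values, since the comment is the only description of the field in the class.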
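
Review bot: In the JNDIRealm.java hunk at -990,6 +997,15, setSpengoDelegationQop stores whatever string it is given, with no check and no Javadoc. The realm.xml text in this commit limits the value to a comma-separated list drawn from auth-conf, auth-int and auth, so a null, an empty string or a typo such as "auth-cnf" would only surface later when the LDAP connection is set up. Consider validating each list element in the setter and rejecting anything outside those three tokens, so a misconfiguration fails at startup with a clear message.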
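
Review bot: In the JNDIRealm.java hunk at -2062,7 +2078,7, the value passed for "javax.security.sasl.qop" is no longer fixed at "auth-conf", which means a deployment can now set it to "auth" and run the post-authentication LDAP connection with neither integrity nor confidentiality protection. That is the intent of the bug fix, but the trade-off is not stated anywhere near this call. A short comment here, and a log message when the configured list permits anything weaker than auth-conf, would make the downgrade visible to whoever operates the realm.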
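
Review bot: In the realm.xml hunk at -551,6 +551,17, the opening tag reads <attribute mame="spengoDelegationQop" requireed="false">, with "mame" and "requireed" where the neighbouring entries use name= and required=, so this entry will not be picked up the same way as the others when the docs are built. Fix both attribute names along with the "spengo" spelling. The paragraph should also spell out QOP as "Quality of Protection" on first use and say what each of auth, auth-int and auth-conf provides, because the default is the strongest setting and readers need to know what they give up by changing it.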
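
Review bot: In the realm.xml hunk at -565,7 +576,7, the unchanged line directly below the corrected one still says "controls whether are not they are used", which should read "whether or not". Since this paragraph is being touched anyway, fix that in the same change. Note also that this entry now says "JNDIRealm" while the new spengoDelegationQop entry says "JNDI Realm"; pick one form for both.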