Author: fschumacher
Date: Thu Feb 19 18:47:39 2015
New Revision: 1660970
URL: http://svn.apache.org/r1660970
Log:
Enable StartTLS connections for JNDIRealm.
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49785.
Merged r1659905,1659948 from /tomcat/trunk
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java
tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/LocalStrings.properties
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Feb 19 18:47:39 2015
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659919,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1660970&r1=1660969&r2=1660970&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/JNDIRealm.java Thu Feb
19 18:47:39 2015
@@ -17,11 +17,15 @@
package org.apache.catalina.realm;
+import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
@@ -49,6 +53,14 @@ import javax.naming.directory.DirContext
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.StartTlsRequest;
+import javax.naming.ldap.StartTlsResponse;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocketFactory;
import org.apache.catalina.LifecycleException;
import org.ietf.jgss.GSSCredential;
@@ -439,6 +451,30 @@ public class JNDIRealm extends RealmBase
*/
protected String spnegoDelegationQop = "auth-conf";
+ /**
+ * Whether to use TLS for connections
+ */
+ private boolean useStartTls = false;
+
+ private StartTlsResponse tls = null;
+
+ /**
+ * The list of enabled cipher suites used for establishing tls connections.
+ * <code>null</code> means to use the default cipher suites.
+ */
+ private String[] cipherSuites = null;
+
+ /**
+ * Verifier for hostnames in a StartTLS secured connection.
<code>null</code>
+ * means to use the default verifier.
+ */
+ private HostnameVerifier hostnameVerifier = null;
+
+ /**
+ * {@link SSLSocketFactory} to use when connection with StartTLS enabled.
+ */
+ private SSLSocketFactory sslSocketFactory = null;
+
// ------------------------------------------------------------- Properties
/**
@@ -1022,6 +1058,169 @@ public class JNDIRealm extends RealmBase
}
+ /**
+ * @return flag whether to use StartTLS for connections to the ldap server
+ */
+ public boolean getUseStartTls() {
+ return useStartTls;
+ }
+
+ /**
+ * Flag whether StartTLS should be used when connecting to the ldap server
+ *
+ * @param useStartTls
+ * {@code true} when StartTLS should be used. Default is
+ * {@code false}.
+ */
+ public void setUseStartTls(boolean useStartTls) {
+ this.useStartTls = useStartTls;
+ }
+
+ /**
+ * @return list of the allowed cipher suites when connections are made
using
+ * StartTLS
+ */
+ private String[] getCipherSuitesArray() {
+ return cipherSuites;
+ }
+
+ /**
+ * Set the allowed cipher suites when opening a connection using StartTLS.
+ * The cipher suites are expected as a comma separated list.
+ *
+ * @param suites
+ * comma separated list of allowed cipher suites
+ */
+ public void setCipherSuites(String suites) {
+ if (suites == null || suites.trim().isEmpty()) {
+ containerLog.warn(sm.getString("jndiRealm.emptyCipherSuites"));
+ this.cipherSuites = null;
+ } else {
+ this.cipherSuites = suites.trim().split("\\s*,\\s*");
+ containerLog.debug(sm.getString("jndiRealm.cipherSuites",
+ Arrays.asList(this.cipherSuites)));
+ }
+ }
+
+ /**
+ * @return name of the {@link HostnameVerifier} class used for connections
+ * using StartTLS, or the empty string, if the default verifier
+ * should be used.
+ */
+ public String getHostnameVerifierClassName() {
+ if (this.hostnameVerifier == null) {
+ return "";
+ }
+ return this.hostnameVerifier.getClass().getCanonicalName();
+ }
+
+ /**
+ * Set the {@link HostnameVerifier} to be used when opening connections
+ * using StartTLS. An instance of the given class name will be constructed
+ * using the default constructor.
+ *
+ * @param verifierClassName
+ * class name of the {@link HostnameVerifier} to be constructed
+ */
+ public void setHostnameVerifierClassName(String verifierClassName) {
+ if (verifierClassName == null || verifierClassName.trim().equals("")) {
+ return;
+ }
+ try {
+ Object o = constructInstance(verifierClassName);
+ if (o instanceof HostnameVerifier) {
+ this.hostnameVerifier = (HostnameVerifier) o;
+ } else {
+ containerLog
+ .warn(sm.getString("jndiRealm.invalidHostnameVerifier",
+ verifierClassName));
+ }
+ } catch (ClassNotFoundException | SecurityException
+ | InstantiationException | IllegalAccessException
+ | IllegalArgumentException e) {
+ containerLog.warn(sm.getString("jndiRealm.invalidHostnameVerifier",
+ verifierClassName), e);
+ }
+ }
+
+ /**
+ * @return the {@link HostnameVerifier} to use for peer certificate
+ * verification when opening connections using StartTLS.
+ */
+ public HostnameVerifier getHostnameVerifier() {
+ return this.getHostnameVerifier();
+ }
+
+ /**
+ * Set the {@link SSLSocketFactory} to be used when opening connections
+ * using StartTLS. An instance of the factory with the given name will be
+ * created using the default constructor. The SSLSocketFactory can also be
+ * set using {@link JNDIRealm#setSslProtocol(String)
setSslProtocol(String)}.
+ *
+ * @param factoryClassName
+ * class name of the factory to be constructed
+ */
+ public void setSslSocketFactoryClassName(String factoryClassName) {
+ if (factoryClassName == null || factoryClassName.trim().equals("")) {
+ return;
+ }
+ try {
+ Object o = constructInstance(factoryClassName);
+ if (o instanceof SSLSocketFactory) {
+ this.sslSocketFactory = (SSLSocketFactory) o;
+ } else {
+ containerLog.warn(sm.getString(
+ "jndiRealm.invalidSslSocketFactory",
factoryClassName));
+ }
+ } catch (ClassNotFoundException | SecurityException
+ | InstantiationException | IllegalAccessException
+ | IllegalArgumentException e) {
+ containerLog.warn(sm.getString("jndiRealm.invalidSslSocketFactory",
+ factoryClassName));
+ }
+ }
+
+ /**
+ * Set the ssl protocol to be used for connections using StartTLS.
+ *
+ * @param protocol
+ * one of the allowed ssl protocol names
+ */
+ public void setSslProtocol(String protocol) {
+ try {
+ SSLContext sslContext = SSLContext.getInstance(protocol);
+ sslContext.init(null, null, null);
+ this.sslSocketFactory = sslContext.getSocketFactory();
+ } catch (NoSuchAlgorithmException | KeyManagementException e) {
+ List<String> allowedProtocols = Arrays
+ .asList(getSupportedSslProtocols());
+ throw new IllegalArgumentException(
+ sm.getString("jndiRealm.invalidSslProtocol", protocol,
+ allowedProtocols), e);
+ }
+ }
+
+ /**
+ * @return the list of supported ssl protocols by the default
+ * {@link SSLContext}
+ */
+ private String[] getSupportedSslProtocols() {
+ try {
+ SSLContext sslContext = SSLContext.getDefault();
+ sslContext.init(null, null, null);
+ return sslContext.getSupportedSSLParameters().getProtocols();
+ } catch (NoSuchAlgorithmException | KeyManagementException e) {
+ throw new RuntimeException(sm.getString("jndiRealm.exception"), e);
+ }
+ }
+
+ private Object constructInstance(String className)
+ throws ClassNotFoundException, InstantiationException,
+ IllegalAccessException {
+ Class<?> clazz = Class.forName(className);
+ return clazz.newInstance();
+ }
+
// ---------------------------------------------------------- Realm Methods
/**
@@ -1933,6 +2132,14 @@ public class JNDIRealm extends RealmBase
if (context == null)
return;
+ // Close tls startResponse if used
+ if (tls != null) {
+ try {
+ tls.close();
+ } catch (IOException e) {
+ containerLog.error(sm.getString("jndiRealm.tlsClose"), e);
+ }
+ }
// Close our opened connection
try {
if (containerLog.isDebugEnabled())
@@ -2125,7 +2332,7 @@ public class JNDIRealm extends RealmBase
try {
// Ensure that we have a directory context available
- context = new InitialDirContext(getDirectoryContextEnvironment());
+ context = createDirContext(getDirectoryContextEnvironment());
} catch (Exception e) {
@@ -2135,7 +2342,7 @@ public class JNDIRealm extends RealmBase
containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
// Try connecting to the alternate url.
- context = new InitialDirContext(getDirectoryContextEnvironment());
+ context = createDirContext(getDirectoryContextEnvironment());
} finally {
@@ -2149,6 +2356,64 @@ public class JNDIRealm extends RealmBase
}
+ private DirContext createDirContext(Hashtable<String, String> env) throws
NamingException {
+ if (useStartTls) {
+ return createTlsDirContext(env);
+ } else {
+ return new InitialDirContext(env);
+ }
+ }
+
+ /**
+ * Create a tls enabled LdapContext and set the StartTlsResponse tls
+ * instance variable.
+ *
+ * @param env
+ * Environment to use for context creation
+ * @return configured {@link LdapContext}
+ * @throws NamingException
+ * when something goes wrong while negotiating the connection
+ */
+ private DirContext createTlsDirContext(
+ Hashtable<String, String> env) throws NamingException {
+ Map<String, Object> savedEnv = new HashMap<>();
+ for (String key : Arrays.asList(Context.SECURITY_AUTHENTICATION,
+ Context.SECURITY_CREDENTIALS, Context.SECURITY_PRINCIPAL,
+ Context.SECURITY_PROTOCOL)) {
+ Object entry = env.remove(key);
+ if (entry != null) {
+ savedEnv.put(key, entry);
+ }
+ }
+ LdapContext result = null;
+ try {
+ result = new InitialLdapContext(env, null);
+ tls = (StartTlsResponse) result
+ .extendedOperation(new StartTlsRequest());
+ if (hostnameVerifier != null) {
+ tls.setHostnameVerifier(hostnameVerifier);
+ }
+ if (getCipherSuitesArray() != null) {
+ tls.setEnabledCipherSuites(getCipherSuitesArray());
+ }
+ try {
+ SSLSession negotiate = tls.negotiate(sslSocketFactory);
+ containerLog.debug(sm.getString("jndiRealm.negotiatedTls",
+ negotiate.getProtocol()));
+ } catch (IOException e) {
+ throw new NamingException(e.getMessage());
+ }
+ } finally {
+ if (result != null) {
+ for (Map.Entry<String, Object> savedEntry :
savedEnv.entrySet()) {
+ result.addToEnvironment(savedEntry.getKey(),
+ savedEntry.getValue());
+ }
+ }
+ }
+ return result;
+ }
+
/**
* Create our directory context configuration.
*
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/LocalStrings.properties?rev=1660970&r1=1660969&r2=1660970&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/LocalStrings.properties
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/realm/LocalStrings.properties
Thu Feb 19 18:47:39 2015
@@ -40,10 +40,17 @@ jdbcRealm.open=Exception opening databas
jdbcRealm.open.invalidurl=Driver "{0}" does not support the url "{1}"
jndiRealm.authenticateFailure=Username {0} NOT successfully authenticated
jndiRealm.authenticateSuccess=Username {0} successfully authenticated
+jndiRealm.emptyCipherSuites=Empty String for cipher suites given. Using
default cipher suites.
+jndiRealm.cipherSuites=Enable [{0}] as cipher suites for tls connection.
jndiRealm.close=Exception closing directory server connection
jndiRealm.exception=Exception performing authentication
jndiRealm.exception.retry=Exception performing authentication. Retrying...
+jndiRealm.invalidHostnameVerifier="{0}" not a valid class name for a
HostnameVerifier
+jndiRealm.invalidSslProtocol=Given protocol "{0}" is invalid. It has to be one
of {1}
+jndiRealm.invalidSslSocketFactory="{0}" not a valid class name for a
SSLSocketFactory
+jndiRealm.negotiatedTls=Negotiated tls connection using protocol "{0}"
jndiRealm.open=Exception opening directory server connection
+jndiRealm.tlsClose=Exception closing tls response
memoryRealm.authenticateFailure=Username {0} NOT successfully authenticated
memoryRealm.authenticateSuccess=Username {0} successfully authenticated
memoryRealm.loadExist=Memory database file {0} cannot be read
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1660970&r1=1660969&r2=1660970&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Feb 19 18:47:39 2015
@@ -45,6 +45,14 @@
issues to not "pop up" wrt. others).
-->
<section name="Tomcat 8.0.21 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <add>
+ <bug>49785</bug>: Enable StartTLS connections for JNDIRealm.
+ (fschumacher)
+ </add>
+ </changelog>
+ </subsection>
<subsection name="Coyote">
<changelog>
<add>
Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml?rev=1660970&r1=1660969&r2=1660970&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/realm.xml Thu Feb 19 18:47:39 2015
@@ -412,6 +412,13 @@
can be used. If no value is given the providers default is used.</p>
</attribute>
+ <attribute name="cipherSuites" required="false">
+ <p>Specify which cipher suites are allowed when trying to open
+ a secured connection using StartTLS. The allowed cipher suites
+ are specified by a comma separated list. The default is to use the
+ cipher suites of the JVM.</p>
+ </attribute>
+
<attribute name="commonRole" required="false">
<p>A role name assigned to each successfully authenticated user in
addition to the roles retrieved from LDAP. If not specified, only
@@ -468,6 +475,15 @@
<strong>CredentialHandler</strong> element instead.</p>
</attribute>
+ <attribute name="hostnameVerifierClassName" required="false">
+ <p>The name of the class to use for hostname verification when
+ using StartTLS for securing the connection to the ldap server.
+ The default constructor will be used to construct an instance of
+ the verifier class. The default is to accept only those hostnames,
+ that are valid according to the peer certificate of the ldap
+ server.</p>
+ </attribute>
+
<attribute name="protocol" required="false">
<p>A string specifying the security protocol to use. If not given
the providers default is used.</p>
@@ -577,6 +593,19 @@
<p>The default value is <code>auth-conf</code>.</p>
</attribute>
+ <attribute name="sslProtocol" required="false">
+ <p>Specifies which ssl protocol should be used, when connecting with
+ StartTLS. The default is to let the jre decide. If you need even more
+ control, you can specify the <code>SSLSocketFactory</code> to use.</p>
+ </attribute>
+
+ <attribute name="sslSocketFactory" required="false">
+ <p>Specifies which <code>SSLSocketFactory</code> to use when connecting
+ to the ldap server using StartTLS. An instance of the class will be
+ constructed using the default constructor. If none class name is given
+ the default jre <code>SSLSocketFactory</code> will be used.</p>
+ </attribute>
+
<attribute name="stripRealmForGss" required="false">
<p>When processing users authenticated via the GSS-API, this attribute
controls if any "@..." is removed from the end of the user
@@ -682,6 +711,12 @@
expression.</p>
</attribute>
+ <attribute name="useStartTls" required="false">
+ <p>Set to <code>true</code> if you want to use StartTLS for securing
+ the connection to the ldap server. The default value is
<code>false</code>.
+ </p>
+ </attribute>
+
<attribute name="X509UsernameRetrieverClassName" required="false">
<p>When using X509 client certificates, this specifies the class name
that will be used to retrieve the user name from the certificate.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
