Bug 55778 - JNDIRealm: Authentication with GSSAPI to LDAP with SSL connection causes an exception
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.42
Hardware/OS: PC All
Priority: P2
Severity: major
Assigned To: Tomcat Developers Mailing List
Reported: 2013-11-14 14:51 UTC by gerald.kritzinger
Modified: 2013-11-18 08:07 UTC (History)
Description gerald.kritzinger 2013-11-14 14:51:16 UTC
Whenever I try to authenticate with GSSAPI to an LDAP server with an SSL connection (ldaps), the following exception is thrown:

javax.naming.ServiceUnavailableException: myserver.at:636; socket closed; remaining name 'dc=example,dc=org'
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:452)
    at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:631)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:554)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
    ...

Steps to reproduce:
1. Configure the valve org.apache.catalina.authenticator.SpnegoAuthenticator in the server.xml with storeDelegatedCredential="true".
2. Configure the realm org.apache.catalina.realm.JNDIRealm in the server.xml with an SSL connection url (e.g. ldaps://myserver.at:636).
3. Configure an auth-method with SPNEGO, security-constraints and security-roles in the web.xml
4. Add required keystores to the jdk for the ldaps connection.
5. Try to authenticate

I debugged into the JNDIRealm and figured out that changing line 2082 from "context.addToEnvironment("javax.security.sasl.qop", "auth-conf");" to "context.addToEnvironment("javax.security.sasl.qop", "auth");" would solve the problem. I also tested the fix with a newly written JNDIRealm.

But I'm not sure if this fix causes other security issues.
Comment 1 Mark Thomas 2013-11-15 18:30:19 UTC
It is safe to reduce that to auth when using SSL as SSL should take care of the integrity and confidentiality issues. However, it might not be appropriate to do that in all scenarios.

To address this bug I have added (yet) another option to the JNDI Realm - spengoDelegationQop. It defaults to the current "auth-conf".

This change has been applied to trunk and 7.0.x and will be included in 8.0.0-RC6 and 7.0.48 onwards.
Comment 2 gerald.kritzinger 2013-11-18 07:14:21 UTC
Thanks for the fast fix.
Comment 3 Mark Thomas 2013-11-18 08:07:31 UTC
(In reply to Mark Thomas from comment #1)

> To address this bug I have added (yet) another option to the JNDI Realm -
> spengoDelegationQop. It defaults to the current "auth-conf".

s/spengoDelegationQop/spnegoDelegationQop/
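The two configurations implied by this thread, as an added illustration that is not part of the bug report or of the Tomcat project's own documentation: it assumes the option from comment 1 with the name corrected in comment 3 (spnegoDelegationQop) and the useDelegatedCredential attribute of JNDIRealm; the user and role search values are constructed placeholders, and only one of the two Realm elements is used, depending on the transport.

```xml
<!-- Step 1 of the report: the SPNEGO authenticator must keep the delegated
     Kerberos credential so the Realm can bind to LDAP with GSSAPI. -->
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
       storeDelegatedCredential="true" />

<!-- Alternative A: ldaps:// (step 2 of the report). TLS already provides
     integrity and confidentiality, so the SASL layer can be limited to
     authentication only ("auth"). With the former hard-coded "auth-conf"
     this setup fails as in the report (ServiceUnavailableException:
     socket closed). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://myserver.at:636"
       useDelegatedCredential="true"
       spnegoDelegationQop="auth"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=org"
       roleName="cn"
       roleSearch="(member={0})" />

<!-- Alternative B: plain ldap:// has no transport protection, so keep the
     default "auth-conf" and let GSSAPI provide the confidentiality layer.
     Setting "auth" here would leave the directory traffic unprotected. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://myserver.at:389"
       useDelegatedCredential="true"
       spnegoDelegationQop="auth-conf"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=org"
       roleName="cn"
       roleSearch="(member={0})" />
```

Because the default stays "auth-conf", only deployments that use ldaps:// need to set the attribute explicitly; existing plain-LDAP deployments keep the SASL confidentiality layer.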