You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/11/15 18:39:05 UTC
svn commit: r1542339 - in /tomcat/trunk:
java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml
Author: markt
Date: Fri Nov 15 17:39:05 2013
New Revision: 1542339
URL: http://svn.apache.org/r1542339
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55778
Make value used for javax.security.sasl.qop with SPNEGO configurable.
Modified:
tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
tomcat/trunk/webapps/docs/config/realm.xml
Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1542339&r1=1542338&r2=1542339&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Nov 15 17:39:05 2013
@@ -427,6 +427,14 @@ public class JNDIRealm extends RealmBase
protected boolean useDelegatedCredential = true;
+ /**
+ * The QOP that should be used for the connection to the LDAP server after
+ * authentication. This value is used to set the
+ * <code>javax.security.sasl.qop</code> environment property for the LDAP
+ * connection.
+ */
+ protected String spengoDelegationQop = "auth-conf";
+
// ------------------------------------------------------------- Properties
/**
@@ -980,7 +988,6 @@ public class JNDIRealm extends RealmBase
}
-
public boolean isUseDelegatedCredential() {
return useDelegatedCredential;
}
@@ -990,6 +997,15 @@ public class JNDIRealm extends RealmBase
}
+ public String getSpengoDelegationQop() {
+ return spengoDelegationQop;
+ }
+
+ public void setSpengoDelegationQop(String spengoDelegationQop) {
+ this.spengoDelegationQop = spengoDelegationQop;
+ }
+
+
// ---------------------------------------------------------- Realm Methods
/**
@@ -2062,7 +2078,7 @@ public class JNDIRealm extends RealmBase
context.addToEnvironment(
"javax.security.sasl.server.authentication", "true");
context.addToEnvironment(
- "javax.security.sasl.qop", "auth-conf");
+ "javax.security.sasl.qop", spengoDelegationQop);
// Note: Subject already set in SPNEGO authenticator so no need
// for Subject.doAs() here
}
Modified: tomcat/trunk/webapps/docs/config/realm.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1542339&r1=1542338&r2=1542339&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/trunk/webapps/docs/config/realm.xml Fri Nov 15 17:39:05 2013
@@ -551,6 +551,17 @@
<code>0</code> is used which indicates no limit.</p>
</attribute>
+ <attribute mame="spengoDelegationQop" requireed="false">
+ <p>When the JNDI Realm is used with the SPNEGO authenticator and
+ <code>useDelegatedCredential</code> is <code>true</code> this attribute
+ controls the QOP that should be used for the connection to the LDAP
+ server after authentication. This value is used to set the
+ <code>javax.security.sasl.qop</code> environment property for the LDAP
+ connection. This attribute should be a comma-separated list of values
+ selected from <code>auth-conf</code>, <code>auth-int</code> and
+ <code>auth</code>. The default value is <code>auth-conf</code>.</p>
+ </attribute>
+
<attribute name="stripRealmForGss" required="false">
<p>When processing users authenticated via the GSS-API, this attribute
controls if any "@..." is removed from the end of the user
@@ -565,7 +576,7 @@
</attribute>
<attribute name="useDelegatedCredential" required="false">
- <p>When the JNIRealm is used with the SPNEGO authenticator, delegated
+ <p>When the JNDIRealm is used with the SPNEGO authenticator, delegated
credentials for the user may be available. If such credentials are
present, this attribute controls whether are not they are used to
connect to the directory. If not specified, the default value of
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1542339 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/config/realm.xml
Posted by Jeremy Boynes <jb...@apache.org>.
On Nov 17, 2013, at 2:09 PM, Mark Thomas <ma...@apache.org> wrote:
> On 15/11/2013 20:09, Konstantin Kolinko wrote:
>> Wrong spelling of the property name.
>> s/spengo/spnego/
>
> Grr. I keep doing that. No idea why.
I believe it has a reality distortion field. At least, I always have to remind myself it's not "spegno."
Re: svn commit: r1542339 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java
webapps/docs/config/realm.xml
Posted by Mark Thomas <ma...@apache.org>.
On 15/11/2013 20:09, Konstantin Kolinko wrote:
> Wrong spelling of the property name.
> s/spengo/spnego/
Grr. I keep doing that. No idea why.
Fixed. Thanks for the review.
Mark
>
> Regarding documentation (realm.xml):
> Maybe add a notice on what "QOP" stands for, "Quality of Protection".
> (It is not the first result in Google, though).
>
> http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP
> http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html#qop
>
>
> 2013/11/15 <ma...@apache.org>:
>> Author: markt
>> Date: Fri Nov 15 17:39:05 2013
>> New Revision: 1542339
>>
>> URL: http://svn.apache.org/r1542339
>> Log:
>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55778
>> Make value used for javax.security.sasl.qop with SPNEGO configurable.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
>> tomcat/trunk/webapps/docs/config/realm.xml
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1542339&r1=1542338&r2=1542339&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Nov 15 17:39:05 2013
>> @@ -427,6 +427,14 @@ public class JNDIRealm extends RealmBase
>> protected boolean useDelegatedCredential = true;
>>
>>
>> + /**
>> + * The QOP that should be used for the connection to the LDAP server after
>> + * authentication. This value is used to set the
>> + * <code>javax.security.sasl.qop</code> environment property for the LDAP
>> + * connection.
>> + */
>> + protected String spengoDelegationQop = "auth-conf";
>> +
>> // ------------------------------------------------------------- Properties
>>
>> /**
>> @@ -980,7 +988,6 @@ public class JNDIRealm extends RealmBase
>> }
>>
>>
>> -
>> public boolean isUseDelegatedCredential() {
>> return useDelegatedCredential;
>> }
>> @@ -990,6 +997,15 @@ public class JNDIRealm extends RealmBase
>> }
>>
>>
>> + public String getSpengoDelegationQop() {
>> + return spengoDelegationQop;
>> + }
>> +
>> + public void setSpengoDelegationQop(String spengoDelegationQop) {
>> + this.spengoDelegationQop = spengoDelegationQop;
>> + }
>> +
>> +
>> // ---------------------------------------------------------- Realm Methods
>>
>> /**
>> @@ -2062,7 +2078,7 @@ public class JNDIRealm extends RealmBase
>> context.addToEnvironment(
>> "javax.security.sasl.server.authentication", "true");
>> context.addToEnvironment(
>> - "javax.security.sasl.qop", "auth-conf");
>> + "javax.security.sasl.qop", spengoDelegationQop);
>> // Note: Subject already set in SPNEGO authenticator so no need
>> // for Subject.doAs() here
>> }
>>
>> Modified: tomcat/trunk/webapps/docs/config/realm.xml
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1542339&r1=1542338&r2=1542339&view=diff
>> ==============================================================================
>> --- tomcat/trunk/webapps/docs/config/realm.xml (original)
>> +++ tomcat/trunk/webapps/docs/config/realm.xml Fri Nov 15 17:39:05 2013
>> @@ -551,6 +551,17 @@
>> <code>0</code> is used which indicates no limit.</p>
>> </attribute>
>>
>> + <attribute mame="spengoDelegationQop" requireed="false">
>> + <p>When the JNDI Realm is used with the SPNEGO authenticator and
>> + <code>useDelegatedCredential</code> is <code>true</code> this attribute
>> + controls the QOP that should be used for the connection to the LDAP
>> + server after authentication. This value is used to set the
>> + <code>javax.security.sasl.qop</code> environment property for the LDAP
>> + connection. This attribute should be a comma-separated list of values
>> + selected from <code>auth-conf</code>, <code>auth-int</code> and
>> + <code>auth</code>. The default value is <code>auth-conf</code>.</p>
>> + </attribute>
>> +
>> <attribute name="stripRealmForGss" required="false">
>> <p>When processing users authenticated via the GSS-API, this attribute
>> controls if any "@..." is removed from the end of the user
>> @@ -565,7 +576,7 @@
>> </attribute>
>>
>> <attribute name="useDelegatedCredential" required="false">
>> - <p>When the JNIRealm is used with the SPNEGO authenticator, delegated
>> + <p>When the JNDIRealm is used with the SPNEGO authenticator, delegated
>> credentials for the user may be available. If such credentials are
>> present, this attribute controls whether are not they are used to
>> connect to the directory. If not specified, the default value of
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1542339 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java
webapps/docs/config/realm.xml
Posted by Konstantin Kolinko <kn...@gmail.com>.
Wrong spelling of the property name.
s/spengo/spnego/
Regarding documentation (realm.xml):
Maybe add a notice on what "QOP" stands for, "Quality of Protection".
(It is not the first result in Google, though).
http://docs.oracle.com/javase/7/docs/api/javax/security/sasl/Sasl.html#QOP
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html#qop
2013/11/15 <ma...@apache.org>:
> Author: markt
> Date: Fri Nov 15 17:39:05 2013
> New Revision: 1542339
>
> URL: http://svn.apache.org/r1542339
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55778
> Make value used for javax.security.sasl.qop with SPNEGO configurable.
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> tomcat/trunk/webapps/docs/config/realm.xml
>
> Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1542339&r1=1542338&r2=1542339&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Fri Nov 15 17:39:05 2013
> @@ -427,6 +427,14 @@ public class JNDIRealm extends RealmBase
> protected boolean useDelegatedCredential = true;
>
>
> + /**
> + * The QOP that should be used for the connection to the LDAP server after
> + * authentication. This value is used to set the
> + * <code>javax.security.sasl.qop</code> environment property for the LDAP
> + * connection.
> + */
> + protected String spengoDelegationQop = "auth-conf";
> +
> // ------------------------------------------------------------- Properties
>
> /**
> @@ -980,7 +988,6 @@ public class JNDIRealm extends RealmBase
> }
>
>
> -
> public boolean isUseDelegatedCredential() {
> return useDelegatedCredential;
> }
> @@ -990,6 +997,15 @@ public class JNDIRealm extends RealmBase
> }
>
>
> + public String getSpengoDelegationQop() {
> + return spengoDelegationQop;
> + }
> +
> + public void setSpengoDelegationQop(String spengoDelegationQop) {
> + this.spengoDelegationQop = spengoDelegationQop;
> + }
> +
> +
> // ---------------------------------------------------------- Realm Methods
>
> /**
> @@ -2062,7 +2078,7 @@ public class JNDIRealm extends RealmBase
> context.addToEnvironment(
> "javax.security.sasl.server.authentication", "true");
> context.addToEnvironment(
> - "javax.security.sasl.qop", "auth-conf");
> + "javax.security.sasl.qop", spengoDelegationQop);
> // Note: Subject already set in SPNEGO authenticator so no need
> // for Subject.doAs() here
> }
>
> Modified: tomcat/trunk/webapps/docs/config/realm.xml
> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1542339&r1=1542338&r2=1542339&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/realm.xml (original)
> +++ tomcat/trunk/webapps/docs/config/realm.xml Fri Nov 15 17:39:05 2013
> @@ -551,6 +551,17 @@
> <code>0</code> is used which indicates no limit.</p>
> </attribute>
>
> + <attribute mame="spengoDelegationQop" requireed="false">
> + <p>When the JNDI Realm is used with the SPNEGO authenticator and
> + <code>useDelegatedCredential</code> is <code>true</code> this attribute
> + controls the QOP that should be used for the connection to the LDAP
> + server after authentication. This value is used to set the
> + <code>javax.security.sasl.qop</code> environment property for the LDAP
> + connection. This attribute should be a comma-separated list of values
> + selected from <code>auth-conf</code>, <code>auth-int</code> and
> + <code>auth</code>. The default value is <code>auth-conf</code>.</p>
> + </attribute>
> +
> <attribute name="stripRealmForGss" required="false">
> <p>When processing users authenticated via the GSS-API, this attribute
> controls if any "@..." is removed from the end of the user
> @@ -565,7 +576,7 @@
> </attribute>
>
> <attribute name="useDelegatedCredential" required="false">
> - <p>When the JNIRealm is used with the SPNEGO authenticator, delegated
> + <p>When the JNDIRealm is used with the SPNEGO authenticator, delegated
> credentials for the user may be available. If such credentials are
> present, this attribute controls whether are not they are used to
> connect to the directory. If not specified, the default value of
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org