Posted to users@tomcat.apache.org by Alex O'Ree <al...@apache.org> on 2017/07/19 15:22:49 UTC

Storing JNDI binding password using encryption

Assuming I had access to a reversible encryption mechanism and wanted
to store the JNDI binding password in an encrypted form by extending
the JNDIRealm class, which method should I override to encrypt the
password stored in server.xml on the fly?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Storing JNDI binding password using encryption

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alex,

On 7/19/17 3:53 PM, Alex O'Ree wrote:
> The jar file is in /tomcat/lib. The class is super simple
> 
> package org.redacted;
> public class JNDIRealmExt extends JNDIRealm{
> @Override public String getConnectionPassword(){
>  return Utility.decrypt(connectionPassword);
> }
> }
> 
> server.xml looks like this
> 
> <Realm className="org.apache.catalina.realm.LockOutRealm">
> 
>   <Realm className="org.redacted.JNDIRealmExt"
>          connectionName="ldapUser"
>          connectionPassword="encryptedPasswordHere"
>          connectionURL="ldap://localhost:389"
>          userBase="..."
>          userSearch="..."
>          roleBase="..."
>          roleName=".."
>          roleSubtree=".."
>          roleSearch=".."
>          referrals="follow"
>   />
> 
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase"/>
> </Realm>
> 
> I'm attaching the debugger pretty close to tomcat's startup and
> the getConnectionPassword method never fires. I do see tons of logs
> in the console for ldap connection failures due to the password
> not functioning (pretty much immediately locks the account out at
> the ldap server). The stack trace does not include my extended
> JNDI class, only the tomcat provided JNDIRealm class.

What's the runtime data type of the realm?

If you override setConnectionPassword() does that get called by the
digester when reading your configuration?

-chris

> On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> Alex,
> 
> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>>>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas
>>>> <ma...@apache.org> wrote:
>>>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>>>> Assuming I had access to a reversible encryption
>>>>>> mechanism and wanted to store the JNDI binding password
>>>>>> in an encrypted form by extending the JNDIRealm class,
>>>>>> which method should I override to encrypt the password
>>>>>> stored in server.xml on the fly?
>>>>> 
>>>>> You could do this via a custom PropertySource. I wouldn't 
>>>>> recommend it.
>>>>> 
>>>>> https://wiki.apache.org/tomcat/FAQ/Password
>>>> 
>>>> I tried just extending the JNDI Realm class and overriding
>>>> getConnectionPassword but it doesn't appear that my code is
>>>> ever called, even though my fully qualified classname is
>>>> listed in the realm xml element. Any ideas?
> 
> Please post your configuration (without secrets) and as much of
> your code as is relevant.
> 
> Also, where did you place your .class file for your JNDIRealm
> subclass?
> 
> -chris


Re: Storing JNDI binding password using encryption

Posted by Alex O'Ree <al...@apache.org>.
The jar file is in /tomcat/lib. The class is super simple

package org.redacted;

import org.apache.catalina.realm.JNDIRealm;

public class JNDIRealmExt extends JNDIRealm {
    // connectionPassword is the protected JNDIRealm field the digester fills from server.xml;
    // Utility is the poster's own (redacted) decryption helper
    @Override
    public String getConnectionPassword() {
        return Utility.decrypt(connectionPassword);
    }
}

server.xml looks like this

<Realm className="org.apache.catalina.realm.LockOutRealm">

  <Realm className="org.redacted.JNDIRealmExt"
         connectionName="ldapUser"
         connectionPassword="encryptedPasswordHere"
         connectionURL="ldap://localhost:389"
         userBase="..."
         userSearch="..."
         roleBase="..."
         roleName=".."
         roleSubtree=".."
         roleSearch=".."
         referrals="follow"
  />

  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>

I'm attaching the debugger pretty close to tomcat's startup and the
getConnectionPassword method never fires. I do see tons of logs in the
console for ldap connection failures due to the password not
functioning (pretty much immediately locks the account out at the ldap
server). The stack trace does not include my extended JNDI class,
only the tomcat provided JNDIRealm class.

On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Alex,
>
> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas <ma...@apache.org>
>> wrote:
>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>> Assuming I had access to a reversible encryption mechanism and
>>>> wanted to store the JNDI binding password in an encrypted form
>>>> by extending the JNDIRealm class, which method should I
>>>> override to encrypt the password stored in server.xml on the
>>>> fly?
>>>
>>> You could do this via a custom PropertySource. I wouldn't
>>> recommend it.
>>>
>>> https://wiki.apache.org/tomcat/FAQ/Password
>>
>> I tried just extending the JNDI Realm class and overriding
>> getConnectionPassword but it doesn't appear that my code is ever
>> called, even though my fully qualified classname is listed in the
>> realm xml element. Any ideas?
>
> Please post your configuration (without secrets) and as much of your
> code as is relevant.
>
> Also, where did you place your .class file for your JNDIRealm subclass?
>
> -chris


Re: Storing JNDI binding password using encryption

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alex,

On 7/19/17 1:53 PM, Alex O'Ree wrote:
> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas <ma...@apache.org>
> wrote:
>> On 19/07/17 16:22, Alex O'Ree wrote:
>>> Assuming I had access to a reversible encryption mechanism and
>>> wanted to store the JNDI binding password in an encrypted form
>>> by extending the JNDIRealm class, which method should I
>>> override to encrypt the password stored in server.xml on the
>>> fly?
>> 
>> You could do this via a custom PropertySource. I wouldn't
>> recommend it.
>> 
>> https://wiki.apache.org/tomcat/FAQ/Password
> 
> I tried just extending the JNDI Realm class and overriding
> getConnectionPassword but it doesn't appear that my code is ever
> called, even though my fully qualified classname is listed in the
> realm xml element. Any ideas?

Please post your configuration (without secrets) and as much of your
code as is relevant.

Also, where did you place your .class file for your JNDIRealm subclass?

-chris


Re: Storing JNDI binding password using encryption

Posted by Alex O'Ree <sp...@gmail.com>.
Thanks Mark

I tried just extending the JNDI Realm class and overriding
getConnectionPassword but it doesn't appear that my code is ever called,
even though my fully qualified classname is listed in the realm xml
element. Any ideas?

On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas <ma...@apache.org> wrote:
> On 19/07/17 16:22, Alex O'Ree wrote:
>> Assuming I had access to a reversible encryption mechanism and wanted
>> to store the JNDI binding password in an encrypted form by extending
>> the JNDIRealm class, which method should I override to encrypt the
>> password stored in server.xml on the fly?
>
> You could do this via a custom PropertySource. I wouldn't recommend it.
>
> https://wiki.apache.org/tomcat/FAQ/Password
>
> Mark
>


Re: Storing JNDI binding password using encryption

Posted by Mark Thomas <ma...@apache.org>.
On 19/07/17 16:22, Alex O'Ree wrote:
> Assuming I had access to a reversible encryption mechanism and wanted
> to store the JNDI binding password in an encrypted form by extending
> the JNDIRealm class, which method should I override to encrypt the
> password stored in server.xml on the fly?

You could do this via a custom PropertySource. I wouldn't recommend it.

https://wiki.apache.org/tomcat/FAQ/Password

Mark
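Mark's custom-PropertySource route as an added example (not code from the thread or from Tomcat): a source that resolves ${enc:...} references in server.xml attributes by decrypting an AES-GCM ciphertext, so the clear-text bind password is not written into the file, and that fails closed when the key is missing or the ciphertext has been altered. It is registered through the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property; the enc: prefix, the TOMCAT_CONFIG_KEY environment variable and the IV-plus-ciphertext layout are this example's assumptions, and the key is still readable by the Tomcat process, which is the point of the FAQ Mark links.

```java
package org.example.tomcat;  // hypothetical package, not part of the thread

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

/*
 * Resolves ${enc:BASE64} attribute values, e.g. connectionPassword="${enc:AAAA...}".
 * Register with: -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.example.tomcat.EncryptedPropertySource
 * Assumed ciphertext layout: 12-byte IV || AES-GCM output, base64-encoded.
 * Assumed key source: base64 AES key in the TOMCAT_CONFIG_KEY environment variable.
 */
public class EncryptedPropertySource implements IntrospectionUtils.PropertySource {
    private static final String PREFIX = "enc:";
    private static final String KEY_ENV = "TOMCAT_CONFIG_KEY";
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;

    @Override
    public String getProperty(String name) {
        if (name == null || !name.startsWith(PREFIX)) {
            return null; // not an enc: reference; let the other sources resolve it
        }
        String keyB64 = System.getenv(KEY_ENV);
        if (keyB64 == null || keyB64.isEmpty()) {
            // fail closed: the exception aborts parsing instead of leaving the
            // literal ${enc:...} text in place as the password
            throw new IllegalStateException(KEY_ENV + " is not set");
        }
        byte[] blob = Base64.getDecoder().decode(name.substring(PREFIX.length()));
        if (blob.length <= IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("enc: value too short for IV and tag");
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE,
                    new SecretKeySpec(Base64.getDecoder().decode(keyB64), "AES"),
                    new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            byte[] plain = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // AEADBadTagException here means a wrong key or a modified ciphertext
            throw new IllegalStateException("cannot decrypt enc: property", e);
        }
    }
}
```

Because Tomcat's Digester substitutes ${...} before the Realm's setters run, this works for any attribute, including connectionPassword on the stock JNDIRealm, without subclassing the realm.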
