Posted to dev@shiro.apache.org by "Peter Diefenthäler (JIRA)" <ji...@apache.org> on 2011/06/15 09:25:47 UTC
[jira] [Created] (SHIRO-305) Connect to a SSL secured LDAP
Connect to a SSL secured LDAP
-----------------------------
Key: SHIRO-305
URL: https://issues.apache.org/jira/browse/SHIRO-305
Project: Shiro
Issue Type: Bug
Components: Realms
Affects Versions: 1.1.0
Environment: Windows 7, Tomcat 6.x
Reporter: Peter Diefenthäler
Fix For: 1.1.1
Configuration for connecting the Shiro framework with a SSL secured LDAP (LDAPv2 & LDAPv3 on SSLv3 port) fails.
Parameters for LDAP in the shiro.ini file:
[main]
...
ldapRealm.contextFactory.environment[java.naming.security.protocol] = ssl
ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool.protocol] = plain ssl
ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool] = true
These entries lead to the following error message:
org.apache.shiro.config.ConfigurationException: Map property value [ssl] contained key-value pair token [ssl] that does not properly split to a single key and pair. This must be the case for all map entries.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Les Hazlewood (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Les Hazlewood updated SHIRO-305:
--------------------------------
Fix Version/s: (was: 1.1.1)
1.2.0
[jira] [Resolved] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Les Hazlewood (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Les Hazlewood resolved SHIRO-305.
---------------------------------
Resolution: Fixed
Assignee: Les Hazlewood
Documentation doesn't need to be changed - it now works as expected, i.e.
ldapRealm.contextFactory.environment[key] = value
will now work.
[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Jaakko Saari (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13071038#comment-13071038 ]
Jaakko Saari commented on SHIRO-305:
------------------------------------
There's a workaround if you can use spring integration. Configure your securitymanager, realm etc beans in and set the environment variables as a map property on the contextfactory bean.
[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Jeff Muller (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163440#comment-13163440 ]
Jeff Muller commented on SHIRO-305:
-----------------------------------
I'm new to shiro so I might have missed something, but it looks like the problem is larger than just the key/value tokenization.
My use case is Vaadin + Shiro + LDAP + SSL.
The following configuration will work:
-----------------------------------------------------
#Config A
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = <user-dn-string>
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"
ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
ldapRealm.contextFactory.authenticationMechanism = none
The following will not work:
---------------------------------------
#Config B
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = <user-dn-string>
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl"
ldapRealm.contextFactory.environment = "java.naming.referral":"follow"
ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
ldapRealm.contextFactory.authenticationMechanism = none
Neither will this:
-----------------------
#Config C
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = <user-dn-string>
ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
ldapRealm.contextFactory.authenticationMechanism = none
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"
There are two problems:
1. The string tokenizer for maps doesn't deal with the documented beanProperty[key]=value syntax properly. It does work properly with the beanProperty = key:value I use above.
2. ldapRealm.contextFactory.environment calls JndiLdapContextFactory.setEnvironment(...), which wipes out any environment variables stored there currently. This is why Config A works and Config C doesn't.
Issue 1 seems best fixed with a change in the documentation.
Issue 2 should either be much better documented (removing erroneous documentation) or there should be a mergeEnvironment that gets used in place of setEnvironment.
I'd be happy to provide a documentation patch for both. I don't have time to do the mergeEnvironment patch of sufficient quality.
Cheers,
Jeff
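Added example, not part of the comment above or of Shiro's code: a small Python model that replays the contextFactory assignments in file order and reports which environment entries survive in Configs A, B and C, and with the bracket syntax that the resolution says works as of 1.2.0. It assumes, following the comment, that url and authenticationMechanism are stored in the same map that a whole-map "environment = ..." assignment replaces; the host name is a placeholder.

```python
import re

# Model of the behaviour described in this thread, not Shiro's own code.
# Assumption: url and authenticationMechanism live in the same environment map
# that "environment = ..." replaces; the keys are the standard JNDI names.
SETTER_KEYS = {
    "url": "java.naming.provider.url",
    "authenticationMechanism": "java.naming.security.authentication",
}
PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')    # "key":"value" map literal
BRACKET = re.compile(r"environment\[([^\]]+)\]$")  # environment[key] (1.2.0)


def replay(ini_text, bean="ldapRealm.contextFactory"):
    """Apply the bean's assignments in file order; return (env, warnings)."""
    env, warnings = {}, []
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("#", "[")) or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if not name.startswith(bean + "."):
            continue
        prop = name[len(bean) + 1:]
        bracket = BRACKET.match(prop)
        if prop == "environment":          # whole-map assignment: replaces
            new_env = dict(PAIR.findall(value))
            lost = sorted(set(env) - set(new_env))
            if lost:
                warnings.append(f"line {lineno}: environment replaced, lost {lost}")
            env = new_env
        elif bracket:                      # single entry: merges
            env[bracket.group(1)] = value
        elif prop in SETTER_KEYS:          # plain setter stored in the same map
            env[SETTER_KEYS[prop]] = value
    return env, warnings


# Constructed inputs: Configs A-C from the comment with a placeholder host,
# plus the bracket form the resolution says works from 1.2.0.
URL = "ldapRealm.contextFactory.url = ldaps://ldap.example.test:636\n"
AUTH = "ldapRealm.contextFactory.authenticationMechanism = none\n"
ENV = "ldapRealm.contextFactory.environment"
SSL = '"java.naming.security.protocol":"ssl"'
REF = '"java.naming.referral":"follow"'
CONFIGS = {
    "A": f"[main]\n{ENV} = {SSL},{REF}\n{URL}{AUTH}",
    "B": f"[main]\n{ENV} = {SSL}\n{ENV} = {REF}\n{URL}{AUTH}",
    "C": f"[main]\n{URL}{AUTH}{ENV} = {SSL},{REF}\n",
    "1.2.0": f"[main]\n{URL}{AUTH}{ENV}[java.naming.security.protocol] = ssl\n"
             f"{ENV}[java.naming.referral] = follow\n",
}

if __name__ == "__main__":
    for label, text in CONFIGS.items():
        env, warnings = replay(text)
        print(label, sorted(env), warnings)
```

In this model Config B ends up without java.naming.security.protocol and Config C without the provider URL, while Config A and the bracket form keep all four entries.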
[jira] [Closed] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Les Hazlewood (Closed) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Les Hazlewood closed SHIRO-305.
-------------------------------
Closing with the 1.2.0 release.
[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13049810#comment-13049810 ]
Les Hazlewood commented on SHIRO-305:
-------------------------------------
I wonder if BeanUtils is interpreting the text inside the brackets as an OGNL expression thinking it should navigate an object graph (like the other properties). We'll have to investigate how to ensure they are interpreted as Strings. Thanks for the issue Peter.
[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13181800#comment-13181800 ]
Les Hazlewood commented on SHIRO-305:
-------------------------------------
Also note that this solution allows you to append to the environment map without overwriting it.
[jira] [Issue Comment Edited] (SHIRO-305) Connect to a SSL secured LDAP
Posted by "Jeff Muller (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163440#comment-13163440 ]
Jeff Muller edited comment on SHIRO-305 at 12/6/11 8:46 AM:
------------------------------------------------------------
I'm new to shiro so I might have missed something, but it looks like the problem is larger than just the key/value tokenization.
My use case is Vaadin + Shiro + LDAP + SSL.
The following configuration will work:
-----------------------------------------------------
#Config A
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = {user-dn-string}
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"
ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
ldapRealm.contextFactory.authenticationMechanism = none
The following will not work:
---------------------------------------
#Config B
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = {user-dn-string}
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl"
ldapRealm.contextFactory.environment = "java.naming.referral":"follow"
ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
ldapRealm.contextFactory.authenticationMechanism = none
Neither will this:
-----------------------
#Config C
[main]
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = {user-dn-string}
ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
ldapRealm.contextFactory.authenticationMechanism = none
#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"
There are two problems:
1. The string tokenizer for maps doesn't deal with the documented beanProperty[key]=value syntax properly. It does work properly with the beanProperty = key:value I use above.
2. ldapRealm.contextFactory.environment calls JndiLdapContextFactory.setEnvironment(...), which wipes out any environment variables stored there currently. This is why Config A works and Config C doesn't.
Issue 1 seems best fixed with a change in the documentation.
Issue 2 should either be much better documented (removing erroneous documentation) or there should be a mergeEnvironment that gets used in place of setEnvironment.
I'd be happy to provide a documentation patch for both. I don't have time to do the mergeEnvironment patch of sufficient quality.
Cheers,
Jeff