Posted to dev@shiro.apache.org by "Peter Diefenthäler (JIRA)" <ji...@apache.org> on 2011/06/15 09:25:47 UTC

[jira] [Created] (SHIRO-305) Connect to a SSL secured LDAP

Connect to a SSL secured LDAP
-----------------------------

                 Key: SHIRO-305
                 URL: https://issues.apache.org/jira/browse/SHIRO-305
             Project: Shiro
          Issue Type: Bug
          Components: Realms 
    Affects Versions: 1.1.0
         Environment: Windows 7, Tomcat 6.x
            Reporter: Peter Diefenthäler
             Fix For: 1.1.1


Configuration for connecting the Shiro framework with an SSL-secured LDAP (LDAPv2 & LDAPv3 on SSLv3 port) fails.

Parameters for LDAP in the shiro.ini file:
[main]
...
ldapRealm.contextFactory.environment[java.naming.security.protocol] = ssl
ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool.protocol] = plain ssl
ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool] = true

These entries lead to the following error message:

org.apache.shiro.config.ConfigurationException: Map property value [ssl] contained key-value pair token [ssl] that does not properly split to a single key and pair.  This must be the case for all map entries. 

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

[jira] [Updated] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Les Hazlewood (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood updated SHIRO-305:
--------------------------------

    Fix Version/s:     (was: 1.1.1)
                   1.2.0
    

[jira] [Resolved] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Les Hazlewood (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved SHIRO-305.
---------------------------------

    Resolution: Fixed
      Assignee: Les Hazlewood

Documentation doesn't need to be changed - it now works as expected, i.e.

ldapRealm.contextFactory.environment[key] = value

will now work.
                

[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Jaakko Saari (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13071038#comment-13071038 ] 

Jaakko Saari commented on SHIRO-305:
------------------------------------

There's a workaround if you can use spring integration. Configure your securitymanager, realm etc beans in and set the environment variables as a map property on the contextfactory bean.


[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Jeff Muller (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163440#comment-13163440 ] 

Jeff Muller commented on SHIRO-305:
-----------------------------------

I'm new to shiro so I might have missed something, but it looks like the problem is larger than just the key/value tokenization.

My use case is Vaadin +  Shiro + LDAP + SSL.

The following configuration will work:
-----------------------------------------------------
#Config A
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = <user-dn-string>

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"

 ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
 ldapRealm.contextFactory.authenticationMechanism = none

The following will not work:
---------------------------------------
#Config B
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = <user-dn-string>

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl"
 ldapRealm.contextFactory.environment = "java.naming.referral":"follow"

 ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
 ldapRealm.contextFactory.authenticationMechanism = none

Neither will this:
-----------------------
#Config C
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = <user-dn-string>

 ldapRealm.contextFactory.url = ldaps://<ldap-host>:<ldap-port>
 ldapRealm.contextFactory.authenticationMechanism = none

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"


There are two problems:
1. The string tokenizer for maps doesn't deal with the documented beanProperty[key]=value syntax properly.  It does work properly with the beanProperty = key:value I use above.
2. ldapRealm.contextFactory.environment calls JndiLdapContextFactory.setEnvironment(...), which wipes out any environment variables stored there currently.  This is why Config A works and Config C doesn't.

Issue 1 seems best fixed with a change in the documentation.
Issue 2 should either be much better documented (removing erroneous documentation) or there should be a mergeEnvironment that gets used in place of setEnvironment.

I'd be happy to provide a documentation patch for both.  I don't have time to do the mergeEnvironment patch of sufficient quality.

Cheers,
Jeff
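
Added example, not part of the comment above and not Shiro's code: a toy Java model of the two assignment forms discussed in this thread, applied to Configs A, B and C and to the environment[key] = value form that the resolution says now works. ToyContextFactory, parseMap, apply and missing are hypothetical names, the host is constructed, and the model assumes that url and authenticationMechanism are kept in the same map that setEnvironment(...) replaces.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.naming.Context;

// Added illustration: a toy model of the assignment semantics, not Shiro code.
public class EnvironmentAssignmentDemo {

    // Hypothetical stand-in for the context factory. Assumption: url and
    // authenticationMechanism are kept in the same map as the JNDI environment.
    static class ToyContextFactory {
        Map<String, String> environment = new LinkedHashMap<>();

        void setUrl(String url) { environment.put(Context.PROVIDER_URL, url); }
        void setAuthenticationMechanism(String m) { environment.put(Context.SECURITY_AUTHENTICATION, m); }
        // "environment = k:v,k:v" replaces the whole map.
        void setEnvironment(Map<String, String> env) { environment = new LinkedHashMap<>(env); }
        // "environment[k] = v" adds one entry and keeps the rest.
        void putEntry(String key, String value) { environment.put(key, value); }
    }

    // Parses the "k":"v","k":"v" form used in Config A (no commas or colons inside values).
    static Map<String, String> parseMap(String text) {
        Map<String, String> map = new LinkedHashMap<>();
        for (String pair : text.split(",")) {
            String[] kv = pair.replace("\"", "").trim().split(":", 2);
            if (kv.length != 2) throw new IllegalArgumentException("not key:value -> " + pair);
            map.put(kv[0].trim(), kv[1].trim());
        }
        return map;
    }

    // Applies contextFactory lines top to bottom, as an INI [main] section is read.
    static Map<String, String> apply(String... lines) {
        ToyContextFactory f = new ToyContextFactory();
        for (String line : lines) {
            int eq = line.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("no '=' in: " + line);
            String prop = line.substring(0, eq).trim();
            String value = line.substring(eq + 1).trim();
            if (prop.equals("url")) f.setUrl(value);
            else if (prop.equals("authenticationMechanism")) f.setAuthenticationMechanism(value);
            else if (prop.equals("environment")) f.setEnvironment(parseMap(value));
            else if (prop.startsWith("environment[") && prop.endsWith("]"))
                f.putEntry(prop.substring("environment[".length(), prop.length() - 1), value);
            else throw new IllegalArgumentException("unknown property: " + prop);
        }
        return f.environment;
    }

    // Settings an LDAPS connection with referral following needs to end up with.
    static List<String> missing(Map<String, String> env) {
        List<String> absent = new ArrayList<>();
        for (String key : new String[] {Context.PROVIDER_URL, Context.SECURITY_PROTOCOL, Context.REFERRAL})
            if (!env.containsKey(key)) absent.add(key);
        return absent;
    }

    public static void main(String[] args) {
        String url = "url = ldaps://ldap.example.test:636";   // constructed host
        String auth = "authenticationMechanism = none";
        String both = "environment = \"java.naming.security.protocol\":\"ssl\",\"java.naming.referral\":\"follow\"";
        System.out.println("A     missing " + missing(apply(both, url, auth)));
        System.out.println("B     missing " + missing(apply(
            "environment = \"java.naming.security.protocol\":\"ssl\"",
            "environment = \"java.naming.referral\":\"follow\"", url, auth)));
        System.out.println("C     missing " + missing(apply(url, auth, both)));
        System.out.println("fixed missing " + missing(apply(url, auth,
            "environment[java.naming.security.protocol] = ssl",
            "environment[java.naming.referral] = follow")));
    }
}
```

An empty list means the final map still holds the provider URL, the ssl protocol setting and the referral setting; a non-empty list names what an earlier or later whole-map assignment discarded.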

                

[jira] [Closed] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Les Hazlewood (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood closed SHIRO-305.
-------------------------------


Closing with the 1.2.0 release.
                

[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13049810#comment-13049810 ] 

Les Hazlewood commented on SHIRO-305:
-------------------------------------

I wonder if BeanUtils is interpreting the text inside the brackets as an OGNL expression thinking it should navigate an object graph (like the other properties).  We'll have to investigate how to ensure they are interpreted as Strings.  Thanks for the issue Peter.


[jira] [Commented] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Les Hazlewood (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13181800#comment-13181800 ] 

Les Hazlewood commented on SHIRO-305:
-------------------------------------

Also note that this solution allows you to append to the environment map without overwriting it.
                

[jira] [Issue Comment Edited] (SHIRO-305) Connect to a SSL secured LDAP

Posted by "Jeff Muller (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163440#comment-13163440 ] 

Jeff Muller edited comment on SHIRO-305 at 12/6/11 8:46 AM:
------------------------------------------------------------

I'm new to shiro so I might have missed something, but it looks like the problem is larger than just the key/value tokenization.

My use case is Vaadin +  Shiro + LDAP + SSL.

The following configuration will work:
-----------------------------------------------------
#Config A
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = {user-dn-string}

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"

 ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
 ldapRealm.contextFactory.authenticationMechanism = none

The following will not work:
---------------------------------------
#Config B
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = {user-dn-string}

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl"
 ldapRealm.contextFactory.environment = "java.naming.referral":"follow"

 ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
 ldapRealm.contextFactory.authenticationMechanism = none

Neither will this:
-----------------------
#Config C
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = {user-dn-string}

 ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
 ldapRealm.contextFactory.authenticationMechanism = none

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"


There are two problems:
1. The string tokenizer for maps doesn't deal with the documented beanProperty[key]=value syntax properly.  It does work properly with the beanProperty = key:value I use above.
2. ldapRealm.contextFactory.environment calls JndiLdapContextFactory.setEnvironment(...), which wipes out any environment variables stored there currently.  This is why Config A works and Config C doesn't.

Issue 1 seems best fixed with a change in the documentation.
Issue 2 should either be much better documented (removing erroneous documentation) or there should be a mergeEnvironment that gets used in place of setEnvironment.

I'd be happy to provide a documentation patch for both.  I don't have time to do the mergeEnvironment patch of sufficient quality.

Cheers,
Jeff

                