Posted to commits@directory.apache.org by co...@apache.org on 2020/09/09 16:10:04 UTC

[directory-server] 01/01: DIRSERVER-2328 - CreateAuthenticator annotation trust manager improvements

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch DIRSERVER-2328
in repository https://gitbox.apache.org/repos/asf/directory-server.git

commit 66138a7e557f563723e196ebe82176ad653b5f49
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Sep 9 17:09:41 2020 +0100

    DIRSERVER-2328 - CreateAuthenticator annotation trust manager improvements
---
 .../core/annotations/CreateAuthenticator.java      |  4 +--
 .../server/core/authn/DelegatingAuthenticator.java | 35 ++++++++++++++++++++--
 .../operations/bind/DelegatedAuthOverSslIT.java    |  4 ++-
 .../operations/bind/DelegatedAuthOverTlsIT.java    |  3 +-
 4 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java b/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
index 2ceaa6a..0708c63 100644
--- a/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
+++ b/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
@@ -70,9 +70,9 @@ public @interface CreateAuthenticator
 
 
     /** @return The SSL TrustManager FQCN */
-    String delegateSslTrustManagerFQCN() default "org.apache.directory.ldap.client.api.NoVerificationTrustManager";
+    String delegateSslTrustManagerFQCN() default "";
 
 
     /** @return The startTls TrustManager FQCN */
-    String delegateTlsTrustManagerFQCN() default "org.apache.directory.ldap.client.api.NoVerificationTrustManager";
+    String delegateTlsTrustManagerFQCN() default "";
 }
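Review bot: The two Javadoc lines still say only "The SSL TrustManager FQCN" / "The startTls TrustManager FQCN", so after this change nothing tells an annotation user what the new empty default means or what the class must look like; the only way to find out is to read DelegatingAuthenticator, where an empty value skips `setTrustManagers` entirely and the class is instantiated reflectively via a no-arg constructor. I would replace each with `/** @return FQCN of the TrustManager to install on the delegate SSL connection; it needs a public no-arg constructor. Empty (the default) installs none, so the LdapConnectionConfig default trust handling applies. */` (and the startTls twin). What that library default actually verifies is not visible here and is worth confirming before stating it more precisely, since the old default was to skip verification altogether.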
diff --git a/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java b/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
index b58e6c5..f9ce77b 100644
--- a/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
+++ b/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
@@ -22,6 +22,8 @@ package org.apache.directory.server.core.authn;
 
 import java.net.SocketAddress;
 
+import javax.net.ssl.TrustManager;
+
 import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
@@ -30,7 +32,6 @@ import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.api.util.Strings;
 import org.apache.directory.ldap.client.api.LdapConnectionConfig;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
-import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.core.api.LdapPrincipal;
 import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
 import org.apache.directory.server.i18n.I18n;
@@ -248,7 +249,21 @@ public class DelegatingAuthenticator extends AbstractAuthenticator
             connectionConfig = new LdapConnectionConfig();
             connectionConfig.setLdapHost( delegateHost );
             connectionConfig.setLdapPort( delegatePort );
-            connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+            if ( delegateTlsTrustManagerFQCN != null && !"".equals( delegateTlsTrustManagerFQCN ) )
+            {
+                try
+                {
+                    Class<?> trustManagerClass = Class.forName( delegateTlsTrustManagerFQCN );
+                    TrustManager trustManager = ( TrustManager ) trustManagerClass.newInstance();
+                    connectionConfig.setTrustManagers( trustManager );
+                }
+                catch ( ClassNotFoundException | InstantiationException | IllegalAccessException e )
+                {
+                    String message = "Cannot load " + delegateTlsTrustManagerFQCN;
+                    LOG.error( message );
+                    throw new LdapException( message );
+                }
+            }
 
             ldapConnection = new LdapNetworkConnection( connectionConfig );
             ldapConnection.connect();
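Review bot: The catch block of the new startTls branch drops the caught exception, so a misconfigured `delegateTlsTrustManagerFQCN` surfaces only as "Cannot load <fqcn>" with no hint whether the class was missing, abstract, or lacked an accessible no-arg constructor; pass it through as `LOG.error( message, e );` and `throw new LdapException( message, e );` (this API's LdapException appears to offer a message-plus-cause constructor — confirm). The cast to TrustManager is also unguarded: a class that loads fine but does not implement TrustManager escapes this path as a ClassCastException instead of the LdapException the bind caller handles, so add it to the multi-catch, `catch ( ClassNotFoundException | InstantiationException | IllegalAccessException | ClassCastException e )`. `Class.newInstance()` is deprecated since Java 9 in favour of `getDeclaredConstructor().newInstance()`, which also stops constructor exceptions from propagating unchecked. The enclosing method starts and ends outside this hunk.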
@@ -260,7 +275,21 @@ public class DelegatingAuthenticator extends AbstractAuthenticator
             connectionConfig.setLdapHost( delegateHost );
             connectionConfig.setUseSsl( true );
             connectionConfig.setLdapPort( delegatePort );
-            connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+            if ( delegateSslTrustManagerFQCN != null && !"".equals( delegateSslTrustManagerFQCN ) )
+            {
+                try
+                {
+                    Class<?> trustManagerClass = Class.forName( delegateSslTrustManagerFQCN );
+                    TrustManager trustManager = ( TrustManager ) trustManagerClass.newInstance();
+                    connectionConfig.setTrustManagers( trustManager );
+                }
+                catch ( ClassNotFoundException | InstantiationException | IllegalAccessException e )
+                {
+                    String message = "Cannot load " + delegateSslTrustManagerFQCN;
+                    LOG.error( message );
+                    throw new LdapException( message );
+                }
+            }
 
             ldapConnection = new LdapNetworkConnection( connectionConfig );
             ldapConnection.connect();
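Review bot: The SSL branch here is a line-for-line copy of the startTls branch above it (load class, reflective no-arg instantiate, cast, same catch, same message), differing only in the field read; any fix to one — such as propagating the cause or catching ClassCastException — now has to be made twice. I would extract a private helper that loads the TrustManager and throws LdapException on any reflective failure, and have both branches call it; the sketch below uses `ReflectiveOperationException`, which covers the three checked exceptions plus those from `getDeclaredConstructor().newInstance()`. Whether LdapException has a `(String, Throwable)` constructor is not visible in this hunk and should be checked. The enclosing method starts and ends outside this hunk; the helper goes at class level.
```java
            if ( delegateSslTrustManagerFQCN != null && !"".equals( delegateSslTrustManagerFQCN ) )
            {
                connectionConfig.setTrustManagers( loadTrustManager( delegateSslTrustManagerFQCN ) );
            }
            // … unchanged: LdapNetworkConnection creation and connect() …

    /**
     * Instantiates the configured TrustManager through its public no-arg constructor.
     *
     * @param fqcn fully qualified class name of the TrustManager implementation
     * @return the new TrustManager instance
     * @throws LdapException if the class cannot be found, instantiated, or is not a TrustManager
     */
    private TrustManager loadTrustManager( String fqcn ) throws LdapException
    {
        try
        {
            return ( TrustManager ) Class.forName( fqcn ).getDeclaredConstructor().newInstance();
        }
        catch ( ReflectiveOperationException | ClassCastException e )
        {
            String message = "Cannot load " + fqcn;
            LOG.error( message, e );
            throw new LdapException( message, e );
        }
    }
```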
diff --git a/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java b/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
index 43d461b..9e7774b 100644
--- a/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
+++ b/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
@@ -56,7 +56,9 @@ import org.junit.runner.RunWith;
                 type = DelegatingAuthenticator.class,
                 delegatePort = 10201,
                 delegateSsl = true,
-                delegateTls = false) })
+                delegateTls = false,
+                delegateSslTrustManagerFQCN = "org.apache.directory.ldap.client.api.NoVerificationTrustManager"
+                ) })
 @ApplyLdifs(
     {
         // Entry # 1
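Review bot: The delegated-SSL test now opts back into NoVerificationTrustManager explicitly, which keeps it green but means the new empty-FQCN default path in DelegatingAuthenticator (no `setTrustManagers` call at all) has no integration coverage in this commit. A companion case that omits `delegateSslTrustManagerFQCN` and asserts the delegated bind fails would pin the fail-closed behaviour the change is presumably after — assuming the embedded test server's certificate is not in the JVM's default trust store, which this hunk does not show. Since the annotation value reads like a recommended setting, a one-line comment above it, `// test-only: verification is deliberately disabled against the embedded server's certificate`, would make clear it is not an example to copy into deployment config.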
diff --git a/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java b/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
index 32bd581..333ea41 100644
--- a/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
+++ b/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
@@ -56,7 +56,8 @@ import org.junit.runner.RunWith;
                 type = DelegatingAuthenticator.class,
                 delegatePort = 10201,
                 delegateSsl = false,
-                delegateTls = true) })
+                delegateTls = true,
+                delegateTlsTrustManagerFQCN = "org.apache.directory.ldap.client.api.NoVerificationTrustManager") })
 @ApplyLdifs(
     {
         // Entry # 1