shiro-dev mailing list archives

From "Jeff Muller (Issue Comment Edited) (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Edited] (SHIRO-305) Connect to a SSL secured LDAP
Date Tue, 06 Dec 2011 08:47:39 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163440#comment-13163440 ]

Jeff Muller edited comment on SHIRO-305 at 12/6/11 8:46 AM:
------------------------------------------------------------

I'm new to shiro so I might have missed something, but it looks like the problem is larger
than just the key/value tokenization.

My use case is Vaadin + Shiro + LDAP + SSL.

The following configuration will work:
-----------------------------------------------------
#Config A
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = {user-dn-string}

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"

 ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
 ldapRealm.contextFactory.authenticationMechanism = none

The following will not work:
---------------------------------------
#Config B
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = {user-dn-string}

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl"
 ldapRealm.contextFactory.environment = "java.naming.referral":"follow"

 ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
 ldapRealm.contextFactory.authenticationMechanism = none

Neither will this:
-----------------------
#Config C
 [main]
 ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 ldapRealm.userDnTemplate = {user-dn-string}

 ldapRealm.contextFactory.url = ldaps://{ldap-host}:{ldap-port}
 ldapRealm.contextFactory.authenticationMechanism = none

#this line has to be the first in the contextFactory configuration
# because it wipes out the environment in ldapRealm.contextFactory
 ldapRealm.contextFactory.environment = "java.naming.security.protocol":"ssl","java.naming.referral":"follow"


There are two problems:
1. The string tokenizer for maps doesn't deal with the documented beanProperty[key]=value
syntax properly.  It does work properly with the beanProperty = key:value I use above.
2. ldapRealm.contextFactory.environment calls JndiLdapContextFactory.setEnvironment(...), which
wipes out any environment variables stored there currently.  This is why Config A works and Config
C doesn't.

Issue 1 seems best fixed with a change in the documentation.
Issue 2 should either be much better documented (removing erroneous documentation) or there
should be a mergeEnvironment that gets used in place of setEnvironment.

I'd be happy to provide a documentation patch for both.  I don't have time to do the mergeEnvironment
patch of sufficient quality.

Cheers,
Jeff

> Connect to a SSL secured LDAP
> -----------------------------
>
>                 Key: SHIRO-305
>                 URL: https://issues.apache.org/jira/browse/SHIRO-305
>             Project: Shiro
>          Issue Type: Bug
>          Components: Realms 
>    Affects Versions: 1.1.0
>         Environment: Windows 7, Tomcat 6.x
>            Reporter: Peter Diefenthäler
>             Fix For: 1.1.1
>
>
> Configuration for connecting the Shiro framework with a SSL secured LDAP (LDAPv2 & LDAPv3 on SSLv3 port) fails.
> Parameters for LDAP in the shiro.ini file:
> [main]
> ...
> ldapRealm.contextFactory.environment[java.naming.security.protocol] = ssl
> ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool.protocol] = plain ssl
> ldapRealm.contextFactory.environment[com.sun.jndi.ldap.connect.pool] = true
> These entries lead to following error message:
> org.apache.shiro.config.ConfigurationException: Map property value [ssl] contained key-value pair token [ssl] that does not properly split to a single key and pair.  This must be the case for all map entries.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

