tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Storing JNDI binding password using encryption
Date Wed, 19 Jul 2017 20:43:51 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alex,

On 7/19/17 3:53 PM, Alex O'Ree wrote:
> The jar file is in /tomcat/lib. The class is super simple
> 
> package org.redacted;
> 
> import org.apache.catalina.realm.JNDIRealm;
> 
> public class JNDIRealmExt extends JNDIRealm {
>     // Decrypt the value read from server.xml on every call.
>     @Override
>     public String getConnectionPassword() {
>         return Utility.decrypt(connectionPassword);
>     }
> }
> 
> server.xml looks like this
> 
> <Realm className="org.apache.catalina.realm.LockOutRealm">
> 
>   <Realm className="org.redacted.JNDIRealmExt"
>          connectionName="ldapUser"
>          connectionPassword="encryptedPasswordHere"
>          connectionURL="ldap://localhost:389"
>          userBase="..."
>          userSearch="..."
>          roleBase="..."
>          roleName=".."
>          roleSubtree=".."
>          roleSearch=".."
>          referrals="follow" />
> 
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase"/>
> 
> </Realm>
> 
> I'm attaching the debugger pretty close to tomcat's startup and
> the getConnectionPassword method never fires. I do see tons of logs
> in the console for ldap connection failures due to the password
> not functioning (pretty much immediately locks the account out at
> the ldap server). The stack trace does not include my extended
> JNDI class, only the Tomcat-provided JNDIRealm class.

What's the runtime data type of the realm?

If you override setConnectionPassword() does that get called by the
digester when reading your configuration?

- -chris

> On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> 
> Alex,
> 
> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>>>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas
>>>> <markt@apache.org> wrote:
>>>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>>>> Assuming I had access to a reversible encryption
>>>>>> mechanism and wanted to store the JNDI binding password
>>>>>> in an encrypted form by extending the JNDIRealm class,
>>>>>> which method should i override to encrypt the password
>>>>>> stored in server.xml on the fly?
>>>>> 
>>>>> You could do this via a custom PropertySource. I wouldn't 
>>>>> recommend it.
>>>>> 
>>>>> https://wiki.apache.org/tomcat/FAQ/Password
>>>> 
>>>> I tried just extending the JNDI Realm class and overriding
>>>> getConnectionPassword, but it doesn't appear that my code is
>>>> ever called, even though my fully qualified classname is
>>>> listed in the realm xml element. Any ideas?
> 
> Please post your configuration (without secrets) and as much of
> your code as is relevant.
> 
> Also, where did you place your .class file for your JNDIRealm
> subclass?
> 
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
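Added example, not code from Tomcat or from the original poster, illustrating the two hints in the thread: Chris's question of whether setConnectionPassword() is invoked by the Digester, and Mark's pointer to the password FAQ. It overrides the setter instead of the getter, because Tomcat's Digester populates Realm attributes from server.xml by reflectively calling the bean setters, so whatever the setter stores via super ends up in the protected connectionPassword field that JNDIRealm binds with, regardless of whether the realm reads the field or the getter. The package name, the LDAP_BIND_KEY environment variable, the "enc:" prefix and the AES-GCM value layout are all assumptions of this example; the JNDIRealm setter and field are as in Tomcat 8.5/9. The server.xml attribute then reads connectionPassword="enc:...".

```java
package org.example.realm;  // hypothetical package, not the poster's org.redacted

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.apache.catalina.realm.JNDIRealm;

/**
 * Added example (not Tomcat's or the poster's code). The setter is
 * overridden because the Digester calls it while server.xml is parsed;
 * the decrypted value is then stored by super.setConnectionPassword().
 */
public class DecryptingJNDIRealm extends JNDIRealm {

    /** Env var holding the base64 AES-256 key (assumed name). */
    static final String KEY_ENV = "LDAP_BIND_KEY";
    /** Marker so an unencrypted value still works unchanged (assumed convention). */
    static final String PREFIX = "enc:";

    private static final int IV_LEN = 12;    // 96-bit GCM nonce
    private static final int TAG_BITS = 128; // GCM authentication tag

    @Override
    public void setConnectionPassword(String value) {
        if (value != null && value.startsWith(PREFIX)) {
            String keyB64 = System.getenv(KEY_ENV);
            if (keyB64 == null) {
                // Fail at startup rather than bind with garbage and lock the LDAP account.
                throw new IllegalStateException(KEY_ENV + " not set; cannot decrypt connectionPassword");
            }
            value = decrypt(Base64.getDecoder().decode(keyB64), value.substring(PREFIX.length()));
        }
        super.setConnectionPassword(value);
    }

    /** Value layout (assumed): base64( iv[12] || ciphertext || tag[16] ), AES/GCM. */
    static String decrypt(byte[] key, String blobB64) {
        byte[] blob = Base64.getDecoder().decode(blobB64);
        if (blob.length < IV_LEN + TAG_BITS / 8) {
            throw new IllegalArgumentException("encrypted value too short");
        }
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                   new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            byte[] pt = c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // AEADBadTagException lands here: wrong key or a tampered server.xml value.
            throw new IllegalStateException("connectionPassword did not decrypt", e);
        }
    }

    /** Inverse of decrypt(); run offline to produce the server.xml attribute value. */
    static String encrypt(byte[] key, String plaintext) {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);  // fresh nonce per value; never reuse with one key
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] blob = new byte[IV_LEN + ct.length];
            System.arraycopy(iv, 0, blob, 0, IV_LEN);
            System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
            return PREFIX + Base64.getEncoder().encodeToString(blob);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Offline helper: "genkey" prints a new key; "encrypt <pw>" prints the attribute value. */
    public static void main(String[] args) throws Exception {
        if (args.length == 1 && args[0].equals("genkey")) {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            System.out.println(Base64.getEncoder().encodeToString(kg.generateKey().getEncoded()));
        } else if (args.length == 2 && args[0].equals("encrypt")) {
            byte[] key = Base64.getDecoder().decode(System.getenv(KEY_ENV));
            String value = encrypt(key, args[1]);
            // Round-trip check before the value is pasted into server.xml.
            if (!decrypt(key, value.substring(PREFIX.length())).equals(args[1])) {
                throw new AssertionError("round trip failed");
            }
            System.out.println(value);
        } else {
            System.err.println("usage: genkey | encrypt <password>");
        }
    }
}
```

Compile against catalina.jar, drop the jar in $CATALINA_HOME/lib as the poster did, and export LDAP_BIND_KEY for the Tomcat process (for example from setenv.sh). The override also answers Chris's diagnostic question directly: put a breakpoint or a log line in setConnectionPassword(); if it never fires, the object the Digester built is not this class at all, which is what his first question about the runtime type is probing. Two caveats a practitioner should keep in mind. First, the same decrypt routine could equally sit behind the PropertySource Mark mentions, which Tomcat uses to expand ${...} references anywhere in server.xml, and that avoids depending on which attribute a given Realm reads. Second, and this is the point of the linked FAQ, the key still has to be readable by the Tomcat process, so anyone who can read server.xml as that user can usually read the key too; this moves the secret out of a file that gets copied and shared, it does not protect it from someone with the process's privileges.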
