Hello Michael,

> -----Original Message-----
> From: Michael Osipov <micha...@apache.org>
> Sent: Tuesday, 18 March 2025 22:50
> To: users@tomcat.apache.org
> Subject: Re: JNDIRealm with required ChannelBindingToken fails
> 
> On 2025/03/18 16:22:42 "Thomas Hoffmann (Speed4Trade GmbH)" wrote:
> > Hello Tomcat-Team,
> > we are currently using a JNDIRealm to authenticate against an ActiveDirectory via LDAPs.
> > For security reasons, the LDAP-Server should be configured to enforce channel binding token (CBT).
> >
> > If CBT is set to enforced however, the JNDIRealm fails with this exception:
> >
> > org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
> > javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, data 80090346, v4563 ]; remaining name 'ou=xxx,dc=com'
> > at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260)
> > ...
> >
> > Java should support CBT since version 16 according to these pages:
> > https://bugs.openjdk.org/browse/JDK-8258824
> > https://bugs.openjdk.org/browse/JDK-8247311
> >
> > It mentions that a JNDI environment property "com.sun.jndi.ldap.tls.cbtype" should be set to make JNDI work with CBT.
> >
> > Looking at the class JNDIRealm.java --> getDirectoryContextEnvironment() I can't find any property with this name or any way to inject additional properties.
> >
> > The realm configuration in Tomcat is quite common, nothing special:
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                 adCompat="true"
> >                 allRolesMode ="authOnly"
> >                 connectionTimeout="3000"
> >                 connectionURL="ldaps://server1:636"
> > ...
> >                 useDelegatedCredential="true"
> >                 spnegoDelegationQop="auth"
> > />
> >
> > Has anybody succeeded with JNDIRealm with CBT?
> > Could the connection issue be solved with standard methods?
> 
> There is none and the JNDIRealm does not provide a way to pass arbitrary
> properties to the DirContext. Your best shot is to extend the class, override
> getDirectoryContextEnvironment() and pass the desired property.
> 
> It was actually backported to older versions:
> https://bugs.openjdk.org/browse/JDK-8245527
> 
> My recommendation is to test it in an isolated environment first:
> * Plain DirContext
> * ldapsearch(1) + Cyrus SASL
> 
> In our huge enterprise this isn't enforced, I guess that qop-auth is still good
> enough with aes256-cts-hmac-sha1-96 (SSF 256). Even back then when I
> co-reviewed the PR I did not fully understand what the huge benefit of TLS-CB
> is if you have AES-256 and auth-conf with Kerberos, but I am not a
> security expert.
> 
> Michael
> 

Thank you for your quick reply and confirmation of the current situation.
I can test if overriding the getDirectoryContextEnvironment() works.
As far as I understood the CBT is created by some connection parameters and 
prevents MITM attacks via an SSL-Proxy (like Strict-Transport-Security for HTTP 
does on a higher level).

Would it be worth creating a feature request for Tomcat?
Companies get more sensitive about security features nowadays and the 
complexity of the feature doesn’t look very high.

Thanks!
Thomas
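The workaround Michael describes (subclass JNDIRealm, override getDirectoryContextEnvironment(), add the JDK property) and his advice to verify with a plain DirContext first, written out as an added example. This is not Tomcat code or code from either poster: it assumes the method signature `protected Hashtable<String,String> getDirectoryContextEnvironment()` of Tomcat 9/10.x, the property name and value from JDK-8245527 / JDK-8258824 (`com.sun.jndi.ldap.tls.cbtype` = `tls-server-end-point`), and uses the hypothetical class name `ChannelBindingJNDIRealm`, the hypothetical attribute `channelBindingType`, and the placeholder URL `ldaps://server1:636` from the thread.

```java
package example.realm; // hypothetical package, not part of Tomcat

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

import org.apache.catalina.realm.JNDIRealm;

/**
 * JNDIRealm subclass that injects the JDK's TLS channel-binding property into
 * the DirContext environment. Configure it in server.xml with
 * className="example.realm.ChannelBindingJNDIRealm" and the same attributes as
 * the plain JNDIRealm; channelBindingType is an assumed extra attribute.
 */
public class ChannelBindingJNDIRealm extends JNDIRealm {

    /** Property name introduced by JDK-8245527 / JDK-8258824. */
    static final String CBTYPE_PROPERTY = "com.sun.jndi.ldap.tls.cbtype";

    /** The only binding type the JDK implements (RFC 5929 tls-server-end-point). */
    private String channelBindingType = "tls-server-end-point";

    public String getChannelBindingType() {
        return channelBindingType;
    }

    /** Setter so the value can be set (or cleared) from server.xml. */
    public void setChannelBindingType(String channelBindingType) {
        this.channelBindingType = channelBindingType;
    }

    @Override
    protected Hashtable<String, String> getDirectoryContextEnvironment() {
        // Start from the environment Tomcat already builds (URL, referrals,
        // timeouts, authentication), then add the channel-binding property.
        Hashtable<String, String> env = super.getDirectoryContextEnvironment();
        if (channelBindingType != null && !channelBindingType.isEmpty()) {
            // Only takes effect on a TLS (ldaps://) connection authenticated
            // with SASL/GSSAPI; the JDK ignores it for simple binds.
            env.put(CBTYPE_PROPERTY, channelBindingType);
        }
        return env;
    }

    /**
     * Michael's "plain DirContext" pre-check, run outside Tomcat. Needs a
     * Kerberos credential: run inside Subject.doAs after a JAAS login, or with
     * -Djavax.security.auth.useSubjectCredsOnly=false and a valid ticket cache.
     */
    public static DirContext probe(String ldapsUrl, String cbType) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // Kerberos over TLS
        env.put("javax.security.sasl.qop", "auth");         // matches spnegoDelegationQop="auth"
        env.put(CBTYPE_PROPERTY, cbType);
        // With CBT enforced on the server, a bind without the property fails
        // with the "AcceptSecurityContext error, data 80090346" seen in the thread.
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        String url = args.length > 0 ? args[0] : "ldaps://server1:636"; // placeholder
        DirContext ctx = probe(url, "tls-server-end-point");
        System.out.println("GSSAPI bind with channel binding succeeded against " + url);
        ctx.close();
    }
}
```

If the stand-alone probe binds successfully but the realm still fails, the problem is in how the realm is configured rather than in the JDK's channel-binding support; running the probe first, as suggested above, separates the two.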
