On 2025/03/19 08:02:43 "Thomas Hoffmann (Speed4Trade GmbH)" wrote: > Hello Michael, > > > -----Ursprüngliche Nachricht----- > > Von: Michael Osipov <micha...@apache.org> > > Gesendet: Dienstag, 18. März 2025 22:50 > > An: users@tomcat.apache.org > > Betreff: Re: JNDIRealm with required ChannelBindingToken fails > > > > On 2025/03/18 16:22:42 "Thomas Hoffmann (Speed4Trade GmbH)" wrote: > > > Hello Tomcat-Team, > > > we are currently using a JNDIRealm to authenticate against an > > ActiveDirectory via LDAPs. > > > For security reasons, the LDAP-Server should be configured to enforce > > channel binding token (CBT). > > > > > > If CBT is set to enforced however, the JNDIRealm fails with this > > > exception: > > > > > > org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing > > authentication > > > javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: > > LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, data > > 80090346, v4563 ]; remaining name 'ou=xxx,dc=com' > > > at > > java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260 > > ) > > > ... > > > > > > Java should support CBT since version 16 according to these pages: > > https://bugs.openjdk.org/browse/JDK-8258824 > > https://bugs.openjdk.org/browse/JDK-8247311 > > > > > > It mentions, that a JNDI environment property > > "com.sun.jndi.ldap.tls.cbtype" should be set, to make JNDI work with CBT. > > > > > > Looking at the class JNDIRealm.java --> > > getDirectoryContextEnvironment() I can't find any property with this name > > or any way to inject additional properties. > > > > > > The realm configuration in Tomcat is quite common, nothing special: > > > <Realm className="org.apache.catalina.realm.JNDIRealm" > > > adCompat="true" > > > allRolesMode ="authOnly" > > > connectionTimeout="3000" > > > connectionURL="ldaps://server1:636" > > > ... > > > useDelegatedCredential="true" > > > spnegoDelegationQop="auth" > > > /> > > > > > > Does anybody have succeeded in JNDIReal with CBT? > > > Could the connection issue be solved with standard methods? > > > > There is none and the JNDIRealm does not provide a way to pass arbitrary > > properties to the DirContext. you best shot is to extend the class, override > > getDirectoryContextEnvironment() and pass the desired property. > > > > It was actually backported to older versions: > > https://bugs.openjdk.org/browse/JDK-8245527 > > > > My recommendation is to test it in an isolated environment first: > > * Plain DirContext > > * ldapsearch(1) + Cyrus SASL > > > > In our huge interprise this isn't enforced, I guess that qop-auth is still > > good > > enough with aes256-cts-hmac-sha1-96 (SSF 256). Even back then when I > > co-reviewed the PR I did not fully understand what the huge benefit of TLS- > > CB is if you have AES-256 and auth-conf with Kerberos, but I am not a > > security expert. > > > > Michael > > > > Thank you for your quick reply and confirmation of the current situation. > I can test if overriding the getDirectoryContextEnvironment() works.
Pleaso do. > As far as I understood the CBT is created by some connection parameters and > prevents MITM attacks via an SSL-Proxy (like Strict-Transport-Security for > HTTP does on a higher level). Why not just use qop="auth-conf" and avoid TLS altogether? Kerberos will give you all the security you need. I see usecases for the paranoid, but a regular r/o call. > Would it be worth to create a feature request for Tomcat? > Companies get more sensitive about security features nowadays and the > complexity of the feature doesn’t look very high. I'd prefer a generic solution for arbitrary properties like: > additionalProperties="name=value;name2=value2;…" Michael I am just curious... is this a JAVA_OPT at runtime? -Dcom.sun.jndi.ldap.tls.cbtype=enforce what are the enumerated values? -Joey --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
