inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-10-08 14:51:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud)

Browse Source 
99768: Merged 5.0.N (5.0.2) to HEAD-BUG-FIX (5.1/Cloud)
      99699: Merged V4.2-BUG-FIX (4.2.5) to 5.0.N (5.0.2)
         99634: Merged V4.1-BUG-FIX (4.1.10) to V4.2-BUG-FIX (4.2.5)
            99442: Merged DEV to V4.1-BUG-FIX (4.1.10)
               99036:   MNT-13357: LDAP SSL Certificate not checked.
                 - Create custom socket factory for LDAPS.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@100495 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2015-03-27 22:56:51 +00:00
parent accd81fc21
commit 40d0ff9f62
5 changed files with 146 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
config/alfresco/subsystems/Authentication/common-ldap-context.xml
View File

@@ -127,6 +127,12 @@
<value>${ldap.authentication.java.naming.provider.url}</value> <value>${ldap.authentication.java.naming.provider.url}</value>
</entry> </entry>
<!-- Custom Socket factory -->
<entry key="java.naming.ldap.factory.socket">
<value>${ldap.java.naming.ldap.factory.socket:#{null}}</value>
</entry>
<!-- The authentication mechanism to use for password validation --> <!-- The authentication mechanism to use for password validation -->
<!-- Some sasl authentication mechanisms may require a realm to be set --> <!-- Some sasl authentication mechanisms may require a realm to be set -->
<!-- java.naming.security.sasl.realm --> <!-- java.naming.security.sasl.realm -->
@@ -165,6 +171,13 @@
<value>${ldap.authentication.java.naming.provider.url}</value> <value>${ldap.authentication.java.naming.provider.url}</value>
</entry> </entry>
<!-- Custom Socket factory -->
<entry key="java.naming.ldap.factory.socket">
<value>${ldap.java.naming.ldap.factory.socket:#{null}}</value>
</entry>
<!-- The authentication mechanism to use for SYNCHRONIZATION --> <!-- The authentication mechanism to use for SYNCHRONIZATION -->
<!-- Some sasl authentication mechanisms may require a realm to be set --> <!-- Some sasl authentication mechanisms may require a realm to be set -->
<!-- java.naming.security.sasl.realm --> <!-- java.naming.security.sasl.realm -->

3
config/alfresco/subsystems/Authentication/ldap-ad/ldap-ad-authentication.properties
View File

@@ -19,6 +19,9 @@ ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server # The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://domaincontroller.company.com:389 ldap.authentication.java.naming.provider.url=ldap://domaincontroller.company.com:389
#Custom Socket Factory.
#ldap.java.naming.ldap.factory.socket=org.alfresco.repo.security.authentication.ldap.AlfrescoLdapSSLSocketFactory
# The authentication mechanism to use for password validation # The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple ldap.authentication.java.naming.security.authentication=simple

3
config/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties
View File

@@ -25,6 +25,9 @@ ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server # The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389 ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
#Custom Socket Factory.
#ldap.java.naming.ldap.factory.socket=org.alfresco.repo.security.authentication.ldap.AlfrescoLdapSSLSocketFactory
# The authentication mechanism to use for password validation # The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple ldap.authentication.java.naming.security.authentication=simple

125
source/java/org/alfresco/repo/security/authentication/ldap/AlfrescoLdapSSLSocketFactory.java Executable file
View File

@@ -0,0 +1,125 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.security.authentication.ldap;
import java.io.IOException;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import javax.net.SocketFactory;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* SSL Socket Factory that adds Hostname Verification to sockets
*/
public class AlfrescoLdapSSLSocketFactory extends SocketFactory
{
private static Log logger = LogFactory.getLog(AlfrescoLdapSSLSocketFactory.class);
private static Boolean useJava6CodeBase = null;
private static Boolean useJava7CodeBase = null;
public static SocketFactory getDefault()
{
return new AlfrescoLdapSSLSocketFactory();
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException
{
SSLSocket sslSocket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
addHostNameVerification(sslSocket);
return sslSocket;
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException
{
SSLSocket sslSocket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
addHostNameVerification(sslSocket);
return sslSocket;
}
@Override
public Socket createSocket(String address, int port, InetAddress localAddress, int localPort) throws IOException, UnknownHostException
{
SSLSocket sslSocket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(address, port, localAddress, localPort);
addHostNameVerification(sslSocket);
return sslSocket;
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException
{
SSLSocket sslSocket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(address, port, localAddress, localPort);
addHostNameVerification(sslSocket);
return sslSocket;
}
private void addHostNameVerification(SSLSocket sslSocket)
{
if (useJava6CodeBase == null || useJava6CodeBase)
{
//Try to use SSLSocketImpl.trySetHostnameVerification method that is supported by java6 and lower
try
{
Method m = sslSocket.getClass().getMethod("trySetHostnameVerification", String.class);
m.invoke(sslSocket, "LDAP");
useJava6CodeBase = true;
useJava7CodeBase = false;
}
catch (Throwable e)
{
useJava6CodeBase = false;
}
}
if (useJava7CodeBase == null || useJava7CodeBase)
{
//Try to use sslParams.setEndpointIdentificationAlgorithm method that is supported by java 7 and higher
try
{
SSLParameters sslParams = new SSLParameters();
Method m = sslParams.getClass().getMethod("setEndpointIdentificationAlgorithm", String.class);
m.invoke(sslParams, "LDAPS");
sslSocket.setSSLParameters(sslParams);
useJava6CodeBase = false;
useJava7CodeBase = true;
}
catch (Throwable ee)
{
useJava7CodeBase = false;
if(useJava6CodeBase == false && logger.isWarnEnabled())
{
logger.warn("AlfrescoLdapSSLSocketFactory: Unable to turn on Hostname Verification");
}
}
}
}
}

2
source/java/org/alfresco/repo/security/authentication/ldap/LDAPInitialDirContextFactoryImpl.java
View File

@@ -123,6 +123,7 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
public void setInitialDirContextEnvironment(Map<String, String> initialDirContextEnvironment) public void setInitialDirContextEnvironment(Map<String, String> initialDirContextEnvironment)
{ {
this.authenticatedEnvironment = initialDirContextEnvironment; this.authenticatedEnvironment = initialDirContextEnvironment;
this.authenticatedEnvironment.values().removeAll(Collections.singleton(null));
} }
public Map<String, String> getInitialDirContextEnvironment() public Map<String, String> getInitialDirContextEnvironment()
@@ -133,6 +134,7 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
public void setDefaultIntialDirContextEnvironment(Map<String, String> defaultEnvironment) public void setDefaultIntialDirContextEnvironment(Map<String, String> defaultEnvironment)
{ {
this.defaultEnvironment = defaultEnvironment; this.defaultEnvironment = defaultEnvironment;
this.defaultEnvironment.values().removeAll(Collections.singleton(null));
} }
public InitialDirContext getDefaultIntialDirContext() throws AuthenticationException public InitialDirContext getDefaultIntialDirContext() throws AuthenticationException