LDAP User Password Encryption on Tomcat 7

Ling-yuan Tai
Hi,

I'm new to Tomcat LDAP Authentication.  I've configured Tomcat 7 with LDAP authentication in server.xml, and set up the security constraints and login config in the application web.xml.  The user authentication works well.  But the user password is passed to LDAP in clear text.  I found some posts that might be the solutions for the issue.  I want to make sure that I'm heading in the right direction.  I need the SA's help to verify whether the password gets digested.  Please advise if the following options would work:

1. Add digest attribute to <Realm> element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
        digest="MD5"
        connectionURL="ldaps://ldapserver:port"
        userPattern="uid={0},ou=people,o=com"
        roleBase="ou=groups,o=com"
        roleName="cn"
        roleSearch="(uniqueMember={0})"/>

How do I find out which digest algorithm to use? SHA, MD2, or MD5?

2. Extend the org.apache.catalina.realm.JNDIRealm class:

a)
package org.apache.catalina.realm;

import java.security.Principal;

public class CustomJNDIRealm extends JNDIRealm {

    @Override
    public Principal authenticate(String username, String credentials) {
        // Digest the submitted password with MD5 before handing it to the
        // standard JNDIRealm authentication.
        super.setDigest("MD5");
        String credent = super.digest(credentials);
        Principal principal = super.authenticate(username, credent);

        return principal;
    }

}

b) Generate the extended class as a jar file and put it in the TOMCAT_HOME/lib directory
c) Change the JNDIRealm class name in server.xml:
<Realm className="org.apache.catalina.realm.CustomJNDIRealm"
        digest="MD5"
        connectionURL="ldaps://ldapserver:port"
        userPattern="uid={0},ou=people,o=com"
        roleBase="ou=groups,o=com"
        roleName="cn"
        roleSearch="(uniqueMember={0})"/>
d) restart Tomcat.

thanks in advance,
Ling

Tim Holloway
Custom Realms are fun, but I don't think you need one here.

I also don't think that the "digest" attribute is what you need. As far as I can tell, that's a general use for pre-encrypted passwords, not an encryption directive itself.

In fact, it seems like merely using the "ldaps:" protocol in your URL should be sufficient to indicate to Tomcat that it should encrypt the connection and lookup requests over the network. Just like using "https:" in a URL indicates that the client should talk to port 443 using TLS, so "ldaps:" should indicate that an encrypted connection should be made to the LDAP server's port 636.

Note that Tomcat internally is passing the password around in clear text, because the user had to type it in in clear text. But Tomcat uses best practices to make it hard to snoop that data internally. Once it talks to LDAP, however, it's a matter of two network clients negotiating security protocols, just like ssh and https do.

There are two ways to validate credentials to an LDAP server. One is to connect via a general-purpose login and do an LDAP search. The other is to actually attempt to log in to the LDAP server under the user's credentials directly. If the attempt fails, then the Tomcat Realm will also fail the login attempt. Fair warning: I know that this is a thing, but my knowledge of the details is very limited.

Ling-yuan Tai
It makes sense that ldaps should get a secure connection.  I was wondering why there is no digest attribute in any of the Realm examples I found.  I don't know why I was told it's a big security issue that they saw the clear-text password being passed to the LDAP server...

Tim Holloway
It depends on where in the process the "clear text password" is. It's clear text inside Tomcat (including on the Tomcat Realm definition), it's probably briefly clear text inside the LDAP server, but on the LAN, ldaps should have it encrypted.

Note that in a real-world production environment, the fact that the Tomcat server has the password in plain text matters little. Unauthorized users should not have the ability to see the Tomcat configuration files. And encrypting the password here is meaningless, since the same encrypted password could be copied and used for malicious purposes without ever knowing its unencrypted value. However, best practices say that the credentials used to access LDAP should not be the LDAP administrator credentials, where anyone can do anything. Instead your connection should be done using a connection whose access rights are limited to only the parts of the LDAP server needed for authentication and authorization.
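Tim's points in the two answers above (the "ldaps:" scheme is what encrypts the link, "digest" is about how stored passwords are hashed rather than about transport, and the bind account should be a limited one) turned into a check over a Tomcat server.xml. This is an added example, not code from the thread or from Tomcat; the two sample realms are constructed input, and ADMIN_DN_PREFIXES is a heuristic list, not a standard.

```python
"""Audit the JNDIRealm elements of a Tomcat server.xml: is the URL ldaps, does
digest= do what people assume, and is the bind account a directory administrator.
Added example, not from the thread or from Tomcat; the sample server.xml is
constructed input and ADMIN_DN_PREFIXES is a heuristic, not a standard."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Heuristic: RDNs that commonly denote a directory-wide administrator account.
ADMIN_DN_PREFIXES = ("cn=manager,", "cn=admin,", "cn=directory manager", "cn=root,")
# Constructed sample: the first realm has every weakness, the second is the clean form.
SAMPLE_SERVER_XML = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.JNDIRealm" digest="MD5"
         connectionURL="ldap://ldap.example.internal:389"
         connectionName="cn=Manager,o=com" connectionPassword="CHANGEME"
         userSearch="(uid={0})" userBase="ou=people,o=com" userPassword="userPassword"
         roleBase="ou=groups,o=com" roleName="cn" roleSearch="(uniqueMember={0})"/>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.internal:636"
         userPattern="uid={0},ou=people,o=com"
         roleBase="ou=groups,o=com" roleName="cn" roleSearch="(uniqueMember={0})"/>
</Engine></Service></Server>"""

def audit_realm(realm):
    """Return the findings for one <Realm> element; an empty list means nothing to report."""
    findings = []
    if not realm.get("className", "").endswith("JNDIRealm"):
        return findings
    urls = [(a, realm.get(a)) for a in ("connectionURL", "alternateURL") if realm.get(a)]
    for attr, url in urls:
        parts = urlsplit(url)
        try:
            port = parts.port  # ValueError for a placeholder like "ldapserver:port"
        except ValueError:
            port = None
        if parts.scheme != "ldaps":
            findings.append(f"{attr}={url}: plain ldap, the user's password crosses the network unencrypted")
        elif port not in (None, 636):
            findings.append(f"{attr}={url}: ldaps on non-default port {port}, confirm it really speaks TLS")
    if realm.get("digest"):
        findings.append("digest= describes how passwords stored in the directory are hashed for "
                        "comparison; it does not encrypt the connection or the password on the wire")
    name = realm.get("connectionName", "")
    if name.lower().startswith(ADMIN_DN_PREFIXES):
        findings.append(f"connectionName={name}: looks like a directory administrator; "
                        "bind with an account limited to the people and groups subtrees")
    return findings

def audit_server_xml(xml_text):
    """Findings for every <Realm> in document order."""
    return [audit_realm(r) for r in ET.fromstring(xml_text).iter("Realm")]
```

Running `audit_server_xml(SAMPLE_SERVER_XML)` reports three findings for the first realm and none for the second, which uses ldaps and binds as the user rather than with a service account.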

Ling-yuan Tai
Tim,

Thank you for the explanation.  I recall an online post mentioning that a certificate needs to be installed on the Tomcat server for the ldaps connection; is that right?  I'm not sure if we have the certificate installed on the Tomcat server.

Tim Holloway

Ling-yuan Tai wrote:
Tim,

Thank you for the explanation.  I recall an online post mentioning that a certificate needs to be installed on the Tomcat server for the ldaps connection; is that right?  I'm not sure if we have the certificate installed on the Tomcat server.

To the best of my knowledge, the only certs that need to be installed are the certs that might have been generated when the server OS was installed. And I might be thinking of the host's own certs for its SSL clients.

I think maybe someone's thinking of a client-side certificate, but that would not be the standard option. A client-side cert is what you use when you don't want to use userid and password to authenticate, but instead want the server to challenge for a cert over an encrypted channel, and therefore, probably would need the LDAP server to have been specially configured. At least that's how client-side certs work with webapp servers like Tomcat and Apache - they won't use a client-side cert unless you set them up to use client-side certs.

Client-side certs for desktop machines are, in my opinion, not a good idea - steal the machine and you've stolen the keys as well. For in-house DMZ servers, there's not much probability that someone will steal a machine, so they work better in that environment. But again, only when the other machine is willing to use that authentication channel.