Spring LdapContextSource 忽略 SSLSocketFactory
Spring LdapContextSource ignores SSLSocketFactory
Spring-Ldap 1.3.1
为了使用 TLS 测试 spring-ldap,我创建了一个接受所有证书的 CustomSSLSocketFactory-class(我知道这个的安全问题)。
运行 测试结果
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
启用 SSL 调试后,会记录标准信任库:
trustStore is: [path_to_jre]\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
测试是这样进行的:
LdapContextSource lcs = new LdapContextSource();
lcs.setBase("[base]");
lcs.setUserDn("[userDn]");
lcs.setPassword("[password]");
lcs.setPooled(false);
lcs.setUrl("ldaps://[server-address]:636");
DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy();
strategy.setShutdownTlsGracefully(true);
strategy.setSslSocketFactory(new CustomSSLSocketFactory()); // <-- not considered at all
strategy.setHostnameVerifier(new HostnameVerifier(){
@Override
public boolean verify(String hostname, SSLSession session){
return true;
}
});
lcs.setAuthenticationStrategy(strategy);
lcs.afterPropertiesSet();
lcs.getContext("[principal]", "[credential]");
为了另一个测试,我像这样扩展了 LdapContextSource:
public class ExtLdapContextSource extends LdapContextSource{
public DirContext getContext(String principal, String credentials) {
getAnonymousEnv().put("java.naming.security.protocol", "ssl");
getAnonymousEnv().put("java.naming.ldap.factory.socket", "[package].CustomSSLSocketFactory");
return super.getContext(principal, credentials);
}
}
握手比预期的更有效,但出现另一个错误:
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090DF2, comment: TLS or SSL already in effect, data 0, v1db1
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.extendedOperation(Unknown Source)
at javax.naming.ldap.InitialLdapContext.extendedOperation(Unknown Source)
at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:133)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:109)
所以问题是:如何正确设置 spring-ldap 以使其使用提供的 SSLSocketFactory?
实际上由于 ldaps-URL 而失败。如果相应地设置了信任库,则异常显示无法建立 TLS/SSL,因为它已经是 运行(因此无法组合 ldaps-URL 和 DefaultTlsDirContextAuthenticationStrategy)。
此外,StartTLS 是否在端口 389 上工作似乎与目录有关。
要修复错误,请使用 SimpleDirContextAuthenticationStrategy
而不是 DefaultTlsDirContextAuthenticationStrategy
Spring-Ldap 1.3.1
为了使用 TLS 测试 spring-ldap,我创建了一个接受所有证书的 CustomSSLSocketFactory-class(我知道这个的安全问题)。
运行 测试结果
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
启用 SSL 调试后,会记录标准信任库:
trustStore is: [path_to_jre]\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
测试是这样进行的:
LdapContextSource lcs = new LdapContextSource();
lcs.setBase("[base]");
lcs.setUserDn("[userDn]");
lcs.setPassword("[password]");
lcs.setPooled(false);
lcs.setUrl("ldaps://[server-address]:636");
DefaultTlsDirContextAuthenticationStrategy strategy = new DefaultTlsDirContextAuthenticationStrategy();
strategy.setShutdownTlsGracefully(true);
strategy.setSslSocketFactory(new CustomSSLSocketFactory()); // <-- not considered at all
strategy.setHostnameVerifier(new HostnameVerifier(){
@Override
public boolean verify(String hostname, SSLSession session){
return true;
}
});
lcs.setAuthenticationStrategy(strategy);
lcs.afterPropertiesSet();
lcs.getContext("[principal]", "[credential]");
为了另一个测试,我像这样扩展了 LdapContextSource:
public class ExtLdapContextSource extends LdapContextSource{
public DirContext getContext(String principal, String credentials) {
getAnonymousEnv().put("java.naming.security.protocol", "ssl");
getAnonymousEnv().put("java.naming.ldap.factory.socket", "[package].CustomSSLSocketFactory");
return super.getContext(principal, credentials);
}
}
握手比预期的更有效,但出现另一个错误:
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090DF2, comment: TLS or SSL already in effect, data 0, v1db1
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.extendedOperation(Unknown Source)
at javax.naming.ldap.InitialLdapContext.extendedOperation(Unknown Source)
at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:133)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:109)
所以问题是:如何正确设置 spring-ldap 以使其使用提供的 SSLSocketFactory?
实际上由于 ldaps-URL 而失败。如果相应地设置了信任库,则异常显示无法建立 TLS/SSL,因为它已经是 运行(因此无法组合 ldaps-URL 和 DefaultTlsDirContextAuthenticationStrategy)。
此外,StartTLS 是否在端口 389 上工作似乎与目录有关。
要修复错误,请使用 SimpleDirContextAuthenticationStrategy
而不是 DefaultTlsDirContextAuthenticationStrategy