SpringLdap 2 over ldaps - ssl

I've followed an interesting webinar about springLdap and I'm planning to migrate my current Ldap interface to SpringLdap. However I haven't seen any easy way to connect to an LDAPS server. In my current implementation I had to do something like:
String nextToken = stCc.nextToken();
Properties envP = initializeEnv(nextToken, userPassword);
try
{
LdapContext ctx = new InitialLdapContext(envP, null);
//System.out.println(nextToken + " successfully validation");
return ctx;
}
and
private Properties initializeEnv(String userName, String userPassword) throws IOException
{
Properties envP = new Properties();
envP.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
envP.put(Context.PROVIDER_URL, (String) properties.get("ldap.server.url"));
if (userName != null)
envP.setProperty(Context.SECURITY_PRINCIPAL, userName);
if (userPassword != null)
envP.setProperty(Context.SECURITY_CREDENTIALS, userPassword);
envP.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
envP.setProperty("java.naming.security.protocol", "ssl");
envP.setProperty("com.sun.jndi.ldap.connect.pool", "true");
envP.put("java.naming.ldap.factory.socket", "org.mycompany.ldap.CustSSLSocketFactory");
return envP;
}
and more:
public EmblSSLSocketFactory()
{
try
{
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[]
{
new DummyTrustmanager()
}, new SecureRandom());
socketFactory = ctx.getSocketFactory();
}
catch (Exception ex)
{
ex.printStackTrace(System.err); /* handle exception */
}
}
Which is the equivalent (and possibly easier) way to do such authentication over TLS with SPRING-LDAP 2?
Thanks

Related

javax.net.ssl.sslpeerunverifiedexception no peer certificate Error In lifelogApi

We are getting SSL peer unverified error while fetching the access token from Lifelog api. I am able to get the authcode, but when i am trying to get access token, it is giving me SSL peer error. It works fine with few device, but most of the device it is giving SSL error.
private void getAccessToken(final String authCode)
{
final String finalUrl = String.format("https://platform.lifelog.sonymobile.com/oauth/2/token?client_id=%s&client_secret=%s&code=%s",CLIENT_ID,CLIENT_SECRET,authCode);
Thread networkThread = new Thread(new Runnable() {
public void run() {
try {
HttpClient client = new DefaultHttpClient();
HttpPost post = new HttpPost(finalUrl);
// Add your data
ArrayList<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(4);
nameValuePairs.add(new BasicNameValuePair("client_id", CLIENT_ID));
nameValuePairs.add(new BasicNameValuePair("client_secret", CLIENT_SECRET));
nameValuePairs.add(new BasicNameValuePair("grant_type", "authorization_code"));
nameValuePairs.add(new BasicNameValuePair("code", authCode));
AbstractHttpEntity ent=new UrlEncodedFormEntity(nameValuePairs, HTTP.UTF_8);
ent.setContentType("application/x-www-form-urlencoded; charset=UTF-8");
post.setEntity(ent);
// Execute HTTP Post Request
HttpResponse response =null;
try {
response = client.execute(post);
Log.d("Response:" , response.toString());
} catch (IOException e) {
e.printStackTrace();
}
String dataObject = response.toString();
JSONObject obj;
if(dataObject != null) {
obj = null;
try {
String json_string = EntityUtils.toString(response.getEntity());
// displayToast(json_string);
obj = new JSONObject(json_string);
SharedPreferences prefs =getSharedPreferences("Myprefs", Context.MODE_PRIVATE);
prefs.edit().putString("Access_token", obj.getString("access_token"));
// prefs.edit().putString(AUTH_REFRESH_TOKEN, obj.getString(AUTH_REFRESH_TOKEN));
} catch (JSONException e) {
e.printStackTrace();
}
}
} catch (IOException e) {
// TODO Auto-generated catch block
}
}
});
networkThread.start(); }
The problem may be with your use of HttpClient. It looks like Google has removed support for this call in Android 6.0.
http://developer.android.com/about/versions/marshmallow/android-6.0-changes.html#behavior-apache-http-client
You should be able to use HttpsURLConnection instead of Httpclient to access the Lifelog Web Service.
I'm using google-oauth-client, I was able to use on Android 5.x with this initialization for
import com.google.api.client.http.HttpTransport;
private void initializeSocketFactory() {
if (Build.VERSION.SDK_INT >= 23) {
HTTP_TRANSPORT = new NetHttpTransport();
} else {
//Android 5 and bellow needs this SSL Socket factory initialization
try {
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(null, null, null);
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
NetHttpTransport.Builder netTransportBuilder = new NetHttpTransport.Builder();
netTransportBuilder.setSslSocketFactory(socketFactory);
HTTP_TRANSPORT = netTransportBuilder.build();
} catch (NoSuchAlgorithmException | KeyManagementException e) {
Log.e(LOG_TAG, "Problem instantiating cipher for ssl socket", e);
}
}
}
You use HTTP_TRANSPORT to instantiate:
import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;

javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]; remaining name

I am getting socket exception when I try to connect LDAP. Here is my sample code. I am seeing this issue in java 8. I never observed this issue in the earlier java versions.
public static DirContext getDirectoryContext() throws NamingException {
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY,
Common.getProperty("ldap.context.factory"));
env.put(Context.PROVIDER_URL,
Common.getProperty("ldap.provider.url"));
env.put(Context.SECURITY_AUTHENTICATION,
Common.getProperty("ldap.security.authentication"));
env.put(Context.SECURITY_PRINCIPAL,
Common.getProperty("ldap.security.principal"));
env.put(Context.SECURITY_CREDENTIALS,
Common.getProperty("ldap.security.credential"));
context = new InitialDirContext(env);
log.debug("NamingContext Initialized");
return context;
}
context = getDirectoryContext();
I am using the same context for all LDAP calls.
private NamingEnumeration getResultsFromLdap(String searchFilter) {
NamingEnumeration results = null;
try {
// Getting the list from LDAP matching the given filter
SearchControls sControls = new SearchControls();
sControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String baseContext = Common.getProperty("ldap.base.context");
results = context.search(baseContext, searchFilter, sControls);
} catch (Exception e) {
log.error("EXCEPTION IN getLDAPConnection METHOD, searchFilter : "
+ searchFilter + " : Exception Message : " + e.getMessage());
}
return results;
} // End of getLDAPConnection_SearchResults
Can someone help?

SSL Ldap Connection (ldaps)

I want to connect to ldap over SSL using truststore file.
I'm using the following code:
private DirContext ctxtDir = null;
Attributes attributes = null;
ldap_server_url = "ldaps://" + getLdapHostName() + ":"
+ getPort() + "/";
ldap_base_dn = getBaseDn();
ldap_user = getLogin();
ldap_password = getPwd();
ldap_trust_store_file = "C:\\truststore.jks";
ldap_trust_store_pwd = getStoreJKSPwd();
// Set the parameters
env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, ldap_context_factory);
env.put(Context.PROVIDER_URL, ldap_server_url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, ldap_user);
env.put(Context.SECURITY_CREDENTIALS, ldap_password);
env.put(Context.SECURITY_PROTOCOL, "SSL");
// Set SSL parameters for Ldaps connection
System.setProperty("javax.net.ssl.trustStore", ldap_trust_store_file);
System.setProperty("javax.net.ssl.trustStorePassword",
ldap_trust_store_pwd);
// Try to establish the connection
try {
// create initial context
ctxtDir = new InitialDirContext(env);
attributes = getLdapattributes(ldap_base_dn);
if (null != attributes) {
isAvailable = true;
}
} catch (Exception e) {
isAvailable = false;
}
The problem is that i don't want to use the location of the truststore file, i want to use the inputstream (file content), is there any way to do that? like when using SSLContext to esbabish a https connection.
Unbound Ldap SDK is best latest LDAP API. It also offers SSLSocketFactory to establish SSL connection.
TrustAllTrustManager manager = new TrustAllTrustManager();
SSLUtil sslUtil = new SSLUtil(manager);
SSLSocketFactory socketFactory;
try {
socketFactory = sslUtil.createSSLSocketFactory("TLSv1");
}
catch (GeneralSecurityException e) {
throw new LDAPException(ResultCode.CANCELED, "An error occured while creating SSL socket factory.");
}
and use this socketFactory as
new RoundRobinServerSet(addressesArray, portsArray, socketFactory);

httpcomponents's ssl connection results in socket is closed

I am trying to get some data from webserver which works fine with http.
But when I try https(ssl connection), I get the exceptions like below.
I get the http status code 200 and response content length 2230 which is correct.
java.net.SocketException: Socket is closed
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1483)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:92)
at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:166)
at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:90)
at org.apache.http.impl.io.AbstractSessionInputBuffer.read(AbstractSessionInputBuffer.java:183)
at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:144)
at org.apache.http.conn.EofSensorInputStream.read(EofSensorInputStream.java:121)
My code is like below with apache httpcomponents httpclient(4.2.5) library.
try {
HttpPost httppost = new HttpPost(uri);
HttpHost targetHost = new HttpHost(HOST_NAME, HOST_PORT, PROTOCOL);
InputStreamEntity reqEntity = new InputStreamEntity(new ByteArrayInputStream(request), -1);
String contentType = TSPConstants.CONST_TSA_CONTENT_TYPE_TSREQUEST;
reqEntity.setContentType(contentType);
reqEntity.setChunked(true);
// It may be more appropriate to use FileEntity class in this particular
// instance but we are using a more generic InputStreamEntity to demonstrate
// the capability to stream out data from any arbitrary source
//
// FileEntity entity = new FileEntity(file, "binary/octet-stream");
httppost.setEntity(reqEntity);
//Authentication
httpclient.getCredentialsProvider().setCredentials(
new AuthScope(targetHost.getHostName(), targetHost.getPort()),
new UsernamePasswordCredentials(id, password));
// Create AuthCache instance
AuthCache authCache = new BasicAuthCache();
// Generate BASIC scheme object and add it to the local
// auth cache
BasicScheme basicAuth = new BasicScheme();
authCache.put(targetHost, basicAuth);
// Add AuthCache to the execution context
BasicHttpContext httpContext = new BasicHttpContext();
httpContext.setAttribute(ClientContext.AUTH_CACHE, authCache);
httpContext.setAttribute(ClientContext.COOKIE_STORE, cookieStore);
//SSL
SSLContext ctx = SSLContext.getInstance("TLS");
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
ctx.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory ssf = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Scheme sch = new Scheme("https", HOST_PORT, ssf);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
System.out.println("executing request " + httppost.getRequestLine());
httpclient.execute(httppost, httpContext);
HttpResponse response = send(request);
HttpEntity resEntity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (resEntity != null) {
System.out.println("Response content length: " + resEntity.getContentLength());
System.out.println("Chunked?: " + resEntity.isChunked());
}
EntityUtils.consume(resEntity);
resEntity.getContent()
} finally {
// When HttpClient instance is no longer needed,
// shut down the connection manager to ensure
// immediate deallocation of all system resources
httpclient.getConnectionManager().shutdown();
}
Basically the answer gave #Avner in the comment.
The problem (for me) was, that the response was closed before the entity was read.
I did something like this, which was wrong:
HttpEntity entity = null;
try (CloseableHttpResponse response = client.execute(request)) {
entity = response.getEntity();
}
read(entity);
The following worked:
try (CloseableHttpResponse response = client.execute(request)) {
HttpEntity entity = response.getEntity();
read(entity);
}
The maybe not so obvious part: The try-with-resources block in the first example closed the stream, before it was read.

SSL connection to ldap using certitificates and custom ssl socket factory

This is my scenario , i want to connect to ldap usign jndi , i am using custom SSLSOcketfactory which reads the truststore and keystore . The context is created successful but when i try to authenticate using the same credentials it throws an error telling that the authentication method is not supported.
here is my code of the custom ssl socket -
try {
StringBuffer trustStore = new StringBuffer("c:/Temp/certs/TrustStore");
StringBuffer keyStore = new StringBuffer("c:/Temp/certs/keystore.arun");
StringBuffer keyStorePass = new StringBuffer("xxxxx");
StringBuffer keyAlias = new StringBuffer("user");
StringBuffer keyPass = new StringBuffer("XXXX");
TrustManagerFactory tmf =TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
FileInputStream fis = new FileInputStream(trustStore.toString());
KeyStore ks1 = KeyStore.getInstance("jks");
ks1.load(fis, trustStorePass.toString().toCharArray());
fis.close();
tmf.init(ks1);
TrustManager[] tms = tmf.getTrustManagers();
FileInputStream fin = new FileInputStream(keyStore.toString());
KeyStore ks2 = KeyStore.getInstance("jks");
ks2.load(fin, keyStorePass.toString().toCharArray());
fin.close();
KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks2, keyStorePass.toString().toCharArray());
KeyManager[] kms = kmf.getKeyManagers();
if (keyAlias != null && keyAlias.length() > 0) {
for (int i = 0; i < kms.length; i++) {
// We can only deal with instances of X509KeyManager
if (kms[i] instanceof X509KeyManager)
kms[i] = new CustomKeyManager(
(X509KeyManager) kms[i], keyAlias.toString());
}
}
SSLContext context = SSLContext.getInstance("TLS");
context.init(kms,tms, null);
ssf = context.getSocketFactory();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public static SocketFactory getDefault() {
return new CustomSSLSocketFactory();
}
And the jndi code which uses this CustomSSLSocketFactory is as follows
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldaps://wx64ads01a.vapps.esca.com:636");
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.derefAliases", "always");
env.put("java.naming.ldap.factory.socket","com.eterra.security.authz.dao.CustomSSLSocketFactory" );
try {
ctx = new InitialLdapContext(env, null);
// start ssl session for server authentication
}catch(Exception e ){
System.out.println(e);
}
try{
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION,
"EXTERNAL");
String path = "CN=domain,DC=casa,DC=com"
String inFilter = "(&(objectClass=*))";
SearchControls sc = new SearchControls();
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = null;
results = ctx.search(path, inFilter, sc);
}
My Context is created perfectly but when i try to authenticate and bind to the ldap , i get Invalid Authentication method . ANy help will be appreciated , Struggling with these error over a long time now . Thanks in advance .
Context.SECURITY_AUTHENTICATION, "EXTERNAL"
when i try to authenticate and bind to the ldap , i get Invalid Authentication method
So your LDAP server doesn't support EXTERNAL authentication.