Support property replacement in LDAP JAAS module
Description
Environment
Activity
Daniel Fisher, October 25, 2016 at 4:10 AM
Stand pat with support for replacement of only the ldap credential.
Daniel Fisher, July 1, 2016 at 3:15 PM
Implement credential indirection directly in ldaptive if none of these options pan out.
Daniel Fisher, June 24, 2016 at 3:28 AM
After some research I've identified (3) potential solutions for this issue:

1. Export ldap.properties as system properties
   - JAAS natively supports system properties of the form ${foo.bar} in configuration options.
   - Note this may cause confusion as the IDP uses properties of the form %{foo.bar}.
   - I'm not quite comfortable dumping the LDAP properties into System properties, but it does seem like the easiest solution.

2. Rewrite the JAAS configuration file
   - The IDP could read in the configuration file and perform string substitution on the properties.
   - A new configuration file would then have to be written.
   - IDP would have to use the newly written configuration file, not the old one.
   - This implementation would use a spring bean that post processes the file as a string.

3. Use a custom implementation of javax.security.auth.login.Configuration
   - Overload #getAppConfigurationEntry, check if property replacement should occur and perform as necessary.
   - The difficulty with this implementation is getting access to the Spring property replacement machinery in the validation action.
   - It's not clear to me how that would get injected, but I'll do some more research.
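A sketch of the third option above, added here as an example and not code from the IdP or ldaptive: a Configuration wrapper that overrides getAppConfigurationEntry and performs %{foo.bar} replacement on the string options of each entry. It assumes a plain java.util.Properties as the property source, standing in for the IdP's Spring property machinery, so the LDAP credential never has to be exported into System properties.

```java
// Added example (not Shibboleth IdP or ldaptive code): Configuration wrapper implementing option 3.
// Assumption: a java.util.Properties stands in for the IdP's Spring property resolver.
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public final class PropertyReplacingConfiguration extends Configuration {
    // IdP-style %{foo.bar} placeholder, distinct from the native JAAS ${foo.bar} form
    private static final Pattern PLACEHOLDER = Pattern.compile("%\\{([^}]+)\\}");
    private final Configuration delegate;
    private final Properties properties;
    public PropertyReplacingConfiguration(Configuration delegate, Properties properties) {
        this.delegate = delegate;
        this.properties = properties;
    }
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        AppConfigurationEntry[] entries = delegate.getAppConfigurationEntry(name);
        if (entries == null) {
            return null;
        }
        AppConfigurationEntry[] replaced = new AppConfigurationEntry[entries.length];
        for (int i = 0; i < entries.length; i++) {
            // Copy the options map, substituting placeholders in string values only
            Map<String, Object> options = new HashMap<>();
            for (Map.Entry<String, ?> e : entries[i].getOptions().entrySet()) {
                Object v = e.getValue();
                options.put(e.getKey(), v instanceof String ? replace((String) v) : v);
            }
            replaced[i] = new AppConfigurationEntry(
                entries[i].getLoginModuleName(), entries[i].getControlFlag(), options);
        }
        return replaced;
    }
    // Replace each %{key} with its property value; unknown keys are left as-is so a
    // misconfigured placeholder fails visibly at bind time instead of silently.
    String replace(String value) {
        Matcher m = PLACEHOLDER.matcher(value);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String resolved = properties.getProperty(m.group(1));
            m.appendReplacement(sb, Matcher.quoteReplacement(resolved != null ? resolved : m.group()));
        }
        m.appendTail(sb);
        return sb.toString();
    }
}
```

Install it with Configuration.setConfiguration(new PropertyReplacingConfiguration(Configuration.getConfiguration(), props)) before the LoginContext is created; the wrapped file-based Configuration keeps the %{...} text, so the resolved credential exists only in the in-memory options handed to the login module.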
JAAS configuration should support property replacement so that password can be consolidated externally.