Tags: java, tomcat, jar, tomcat9, server.xml

Decrypt/Modify Password of Realm Tag in Server.xml file of Tomcat - LDAP


I have tried extending the JNDIRealm class to first print/get the connection password by overriding the getPassword() method and then using the getConnectionPassword method. However, it's not working and gives a different set of errors.

Requirement: Decrypt the password on the fly in the Realm tag of the server.xml file for Tomcat 9. I'm able to do that for the Resource tag using BasicDataSourceFactory but not for the Realm tag. Note: I don't want decrypting logic, just basic functionality to print the current connectionPassword and replace it with the decrypted password.

Below is the Realm tag in server.xml:

    <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />
    <Realm className="org.test.CustomJNDIRealm"
           connectionURL="ldap://ldap.TEST.com:3268"
           authentication="simple"
           referrals="follow"
           connectionName="SA-TEST-Archival"
           connectionPassword="encrypted_password"
           roleSearchAsUser="false"
           userSearch=" (sAMAccountName={0})"
           userBase="dc-test,dc=com"
           userSubtree="true"
           roleSearch=" (member={0})"
           roleName="cn"
           roleSubtree="true"
           roleBase="OU=Service Accounts, OU=Services, OU=TEST Resources,DC=TEST,DC=com"/>

Below is the Java class, which is compiled into a JAR file and placed in the Tomcat/lib folder:

    // The Realm tag references org.test.CustomJNDIRealm, so the class must live in that package.
    package org.test;

    import org.apache.catalina.realm.JNDIRealm;

    public class CustomJNDIRealm extends JNDIRealm {

        // Called by RealmBase during authentication to fetch the stored credential
        // for a user; here it is only used to print the realm's connection password.
        @Override
        protected String getPassword(String username) {

            //String password = super.getPassword(username);
            String password = getConnectionPassword();
            System.out.println("++++++The current password LDAP Realm Tag " + password);
            return password;
        }
    }

Error: Now I'm getting errors like "CombinedRealm not configured with CredentialHandler" and "SetPropertiesRule.begin Match .. failed to set property" for all the properties inside the Realm tag.

Note: This is a vendor-based application and we have no control over the application code. We only have control over Tomcat, and we need to implement the masking of the password used for LDAP connectivity in the Realm tag.


Solution

  • Here's the answer: it was solved by overriding the setConnectionPassword method, instead of what I was trying previously, which was to directly modify it in the constructor and other methods.

    package org.test;

    import org.apache.catalina.realm.JNDIRealm;

    public class CustomJNDIRealm extends JNDIRealm {

        // Tomcat applies server.xml attributes through the public setters, so this
        // override runs when connectionPassword is read from the Realm tag.
        // JNDIRealm declares setConnectionPassword public; an override cannot narrow
        // that to protected, so it must stay public.
        @Override
        public void setConnectionPassword(String connectionPassword) {

            String realmTagPassword = connectionPassword;

            System.out.println(realmTagPassword);

            // void method: delegate without returning a value
            super.setConnectionPassword("newPassword");
        }
    }
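
A fuller version of the same setter override, written here as an added example rather than the asker's or Tomcat's own code. It assumes an invented convention where the encrypted value in server.xml is written as ENC(base64 blob), that the AES key arrives base64-encoded in an environment variable named TOMCAT_REALM_KEY (a hypothetical name), that the payload is laid out as iv || ciphertext || tag under AES/GCM/NoPadding, and that the class lives in the org.test package the Realm tag above references. Everything else is the standard JDK javax.crypto API and the JNDIRealm setter from Tomcat 9.

```java
package org.test;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.catalina.realm.JNDIRealm;

/**
 * Realm that accepts an encrypted connectionPassword in server.xml and hands the
 * decrypted value to JNDIRealm. The ENC(...) wrapper, the key source and the
 * payload layout are assumptions made for this example, not a Tomcat feature.
 */
public class CustomJNDIRealm extends JNDIRealm {

    private static final String PREFIX = "ENC(";
    private static final String SUFFIX = ")";
    private static final int IV_BYTES = 12;                  // recommended GCM nonce length
    private static final int TAG_BITS = 128;                 // full-length GCM authentication tag
    private static final String KEY_ENV = "TOMCAT_REALM_KEY"; // hypothetical variable name

    /**
     * Tomcat's digester applies Realm attributes through the public setters, so this
     * is where the raw server.xml value is seen. It must stay public because
     * JNDIRealm declares the setter public and Java forbids narrowing it.
     */
    @Override
    public void setConnectionPassword(String connectionPassword) {
        if (connectionPassword == null
                || !connectionPassword.startsWith(PREFIX)
                || !connectionPassword.endsWith(SUFFIX)) {
            // Plain values pass through unchanged so existing configs keep working.
            super.setConnectionPassword(connectionPassword);
            return;
        }
        String payload = connectionPassword.substring(
                PREFIX.length(), connectionPassword.length() - SUFFIX.length());
        // The plaintext is deliberately never logged: catalina.out is usually
        // readable by more people than server.xml is.
        super.setConnectionPassword(decrypt(payload, loadKey()));
    }

    /** Key material comes from the environment, not from server.xml (assumption). */
    static byte[] loadKey() {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException(KEY_ENV + " is not set; cannot decrypt connectionPassword");
        }
        byte[] key = Base64.getDecoder().decode(b64);
        if (key.length != 16 && key.length != 32) {
            throw new IllegalStateException("key must be 128 or 256 bits");
        }
        return key;
    }

    /** Payload layout: base64( iv || ciphertext || tag ), AES/GCM/NoPadding. */
    static String decrypt(String payloadB64, byte[] key) {
        byte[] blob = Base64.getDecoder().decode(payloadB64);
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("encrypted connectionPassword is too short");
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            // doFinal verifies the tag; a tampered value fails here instead of
            // silently producing garbage that is then sent to the LDAP server.
            byte[] plain = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("connectionPassword could not be decrypted", e);
        }
    }

    /** Inverse of decrypt(); run once, offline, to produce the value for server.xml. */
    static String encrypt(String plaintext, byte[] key) {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);                    // fresh nonce per encryption
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] blob = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, blob, 0, iv.length);
            System.arraycopy(ct, 0, blob, iv.length, ct.length);
            return PREFIX + Base64.getEncoder().encodeToString(blob) + SUFFIX;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Prints the ENC(...) value for one password; needs catalina.jar on the classpath. */
    public static void main(String[] args) {
        System.out.println(encrypt(args[0], loadKey()));
    }
}
```

Build the JAR against the Tomcat 9 catalina.jar, drop it in Tomcat/lib, set TOMCAT_REALM_KEY in the environment of the Tomcat process (setenv.sh or the service unit, not server.xml), and paste the ENC(...) string produced by main into the connectionPassword attribute. This only moves the secret out of server.xml; whoever can read the process environment or the unpacked JAR's key source can still recover it, so the environment of the Tomcat user needs the same file and process protections the config file had.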