[SECURITY] CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness

CVE-2021-30640 JNDI Realm Authentication Weakness Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.5 Apache Tomcat 9.0.0.M1 to 9.0.45 Apache Tomcat 8.5.0 to 8.5.65 Apache Tomcat 7.0.0 to 7.0.108 Description: Queries made by the JNDI Realm

Re: Tomcat 7 JNDI Realm credential password update availability

entials used to > connect to the AD server must have the password updated > every 180 days, and therefore updated in the JNDI Realm configuration. Is > there a way to update the password in server.xml > that would allow it to be recognized as changed without restarting the >

RE: Tomcat 7 JNDI Realm credential password update availability

> From: John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at > Cisco) > [mailto:jbeau...@cisco.com] > Subject: RE: Tomcat 7 JNDI Realm credential password update availability > So you're saying the change via JMX would update in-memory representation of >

RE: Tomcat 7 JNDI Realm credential password update availability

to:ch...@christopherschultz.net] Sent: Wednesday, May 13, 2015 1:28 PM To: Tomcat Users List Subject: Re: Tomcat 7 JNDI Realm credential password update availability -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/13/15 2:45 PM, Mark Thomas wrote: > On 13/05/2015 19:13, John Beaula

Re: Tomcat 7 JNDI Realm credential password update availability

to the AD server must have the password updated every 180 days, and therefore updated in the JNDI Realm configuration. Is there a way to update the password in server.xml that would allow it to be recognized as changed without restarting the Tomcat server. Or some other configuration what ever it

Re: Tomcat 7 JNDI Realm credential password update availability

use LDAP >> over SSL to connect to an AD server for user authentication. >> This configuration we have working. The issue is the credentials >> used to connect to the AD server must have the password updated >> every 180 days, and therefore updated in the JNDI Realm >> c

Re: Tomcat 7 JNDI Realm credential password update availability

he issue is the credentials used to connect > to the AD server must have the password updated > every 180 days, and therefore updated in the JNDI Realm configuration. Is > there a way to update the password in server.xml > that would allow it to be recognized as changed without restarti

Tomcat 7 JNDI Realm credential password update availability

updated in the JNDI Realm configuration. Is there a way to update the password in server.xml that would allow it to be recognized as changed without restarting the Tomcat server. Or some other configuration what ever it may be that would achieve this. The goal is to update the password and have it

Re: JNDI realm Global Catalog question

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neil, On 4/29/15 12:01 PM, Lazarow, Neil wrote: > -Original Message- From: Felix Schumacher > [mailto:felix.schumac...@internetallee.de] Sent: Tuesday, April 28, > 2015 10:18 AM To: Tomcat Users List Subject: Re: JNDI realm Global

RE: JNDI realm Global Catalog question

-Original Message- From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Sent: Tuesday, April 28, 2015 10:18 AM To: Tomcat Users List Subject: Re: JNDI realm Global Catalog question Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz : >-BEGIN PGP SIG

RE: JNDI realm Global Catalog question

-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, April 28, 2015 10:12 AM To: Tomcat Users List Subject: Re: JNDI realm Global Catalog question -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neil, On 4/28/15 9:48 AM, Lazarow, Neil wrote

Re: JNDI realm Global Catalog question

Am 28. April 2015 17:11:55 MESZ, schrieb Christopher Schultz : >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA256 > >Neil, > >On 4/28/15 9:48 AM, Lazarow, Neil wrote: >> I have multiple domain controllers, all of which are set to >> function as global catalog servers. >> >> Is it possible to put

Re: JNDI realm Global Catalog question

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neil, On 4/28/15 9:48 AM, Lazarow, Neil wrote: > I have multiple domain controllers, all of which are set to > function as global catalog servers. > > Is it possible to put multiple alternateURL entires into your > JNDIRealm confiugration (see exam

JNDI realm Global Catalog question

I have multiple domain controllers, all of which are set to function as global catalog servers. Is it possible to put multiple alternateURL entires into your JNDIRealm confiugration (see example below)? Tomcat Version: 6.0.33 on Red Hat Enterprise Linux 5 -- Neil Lazarow Sys

Re: [OT] JNDI Realm and GSSAPI problems with TC 7

"André Warnier" wrote: >Mark Thomas wrote: >... > >> >> It *should* work with those but it has only been tested with: >> - Windows domain controller >> - Windows client >> - Tomcat running on Windows Server >> - Tomcat running on Ubuntu Server >> >.. >Ah ! To my knowledge, this is the first indi

Re: [OT] JNDI Realm and GSSAPI problems with TC 7

Mark Thomas wrote: ... It *should* work with those but it has only been tested with: - Windows domain controller - Windows client - Tomcat running on Windows Server - Tomcat running on Ubuntu Server .. Ah ! To my knowledge, this is the first indication *ever* that this also works on Unix/Lin

Re: JNDI Realm and GSSAPI problems with TC 7

and provide the appropriate user name and password in the connectionName and connectionPassword attributes. > 2) After temporarily solving issue 1) How? > the JNDI Realm prompt me for username and password. Do you mean Tomcat tells your browser to display the BASIC auth password dialog? Or do

JNDI Realm and GSSAPI problems with TC 7

ne 2225) 2) After temporarily solving issue 1) the JNDI Realm prompt me for username and password. This seems to be originating from the SASL Client default callback. I tried to register my own callbackhandler (setting java.naming.security.sasl.callback) but it’s ignored. Inspecting the code of JNDIR

Re: Urgent -- Need help configuring JNDI realm

Thanks for the link. On Tue, Sep 13, 2011 at 2:46 PM, Pid wrote: > On 13/09/2011 19:20, Savitha Akella wrote: > > Hi, > > > Any help is appreciated. > > http://catb.org/~esr/faqs/smart-questions.html > > > p > >

Re: Urgent -- Need help configuring JNDI realm

nectionPassword is the password for that user/admin. > > Rudy > > > On Tue, Sep 13, 2011 at 11:20 AM, Savitha Akella > wrote: > > Hi, > > > > I need help in configuring the JNDI Realm to connect to LDAP Server and > > authenticate users. Here are the details

Re: Urgent -- Need help configuring JNDI realm

the password for that user/admin. Rudy On Tue, Sep 13, 2011 at 11:20 AM, Savitha Akella wrote: > Hi, > > I need help in configuring the JNDI Realm to connect to LDAP Server and > authenticate users. Here are the details: > > CN=,OU=XYZ,OU=Application > Managed,OU=Groups,DC=

Re: Urgent -- Need help configuring JNDI realm

On 13/09/2011 19:20, Savitha Akella wrote: > Hi, > Any help is appreciated. http://catb.org/~esr/faqs/smart-questions.html p signature.asc Description: OpenPGP digital signature

Urgent -- Need help configuring JNDI realm

Hi, I need help in configuring the JNDI Realm to connect to LDAP Server and authenticate users. Here are the details: CN=,OU=XYZ,OU=Application Managed,OU=Groups,DC=rma,DC=corp,DC=ABC,DC=com - *AUTH is the group in which i have to search if the user is a member of or not. All the members in this

Re: authentication fail (JNDI Realm with Tomcat )

untName" property. I changed this to "CN={0}" and "userPrincipalName={0}" and also failed to pass the authentication. On Nov 30, 2010, at 12:29 PM, Caldarale, Charles R wrote: >> From: long hong [mailto:longhong1...@gmail.com] >> Subject: Re: authentication

RE: authentication fail (JNDI Realm with Tomcat )

> From: long hong [mailto:longhong1...@gmail.com] > Subject: Re: authentication fail (JNDI Realm with Tomcat ) > the web root context of my web app is "/fs". As I suspected. Again, remove the /fs from the ; the webapp name is never part of any in web.xml. - Chuck THI

Re: authentication fail (JNDI Realm with Tomcat )

ubject: authentication fail (JNDI Realm with Tomcat ) > >> >> >>Entire Application >>/fs/* > > You probably want just /* in the above ; what you have now > protects only the path /fs *under* your webapp. (Either that, or your > is very wrong

RE: authentication fail (JNDI Realm with Tomcat )

> From: long hong [mailto:longhong1...@gmail.com] > Subject: authentication fail (JNDI Realm with Tomcat ) > > > Entire Application > /fs/* You probably want just /* in the above ; what you have now protects only the path /fs *under* your webapp. (Either that,

authentication fail (JNDI Realm with Tomcat )

in" with the dn= "cn=admin, o=University,c=World" and password="111". "admin" is in the group(role) named: "Administrators" with the dn="cn= Administrators, cn=Roles, o=University,c=World". I used tomcat 7.0.4 and wrote the JNDI

How to bind jndi realm datasource so that my hibernate can find it can find it

Hello tomcats !! I learnt a lot since last discussion(problems at thejarbar.org) and am moving on... I now wish to configure the datasource used by the realm to also be used by hibernate Currently my server.xml looks as follows:

RE: JNDI Realm question

And thank you everyone for your help! -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Tuesday, March 09, 2010 3:18 PM To: 'Tomcat Users List' Subject: RE: JNDI Realm question Ok, it's working. I changed too many things at o

RE: JNDI Realm question

https://servername:8080/sample welcome page. I don't have a lock icon which bothers me, but that is IE7 for you. The address bar is pink. What can I tell you. Firefox gives me a lock icon. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent

RE: JNDI Realm question

rson) (sAMAccountName=*) (memberOf=CN=arcgisserver_reader,OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov) ) This query returns the three user accounts with the role "arcgisserver_reader", which is right. I think my issue is that I don't understand what I'm supposed to be supp

Re: JNDI Realm question

Hi Leo, in general I would recommend to use an LDAP tool like Apache Directory Studio in order to develop and verify the JNDI Realm specific parameters. http://directory.apache.org/studio/ If this works (authentication, authorization searches), add the parameters to your tomcat

Re: JNDI Realm question

Hi Leo, On Mon, 8 Mar 2010 14:11:50 -0700, Leo Donahue - PLANDEVX wrote: > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm > > > Using Tomcat 6.0.24 on Windows Server 2003 Standard R2 SP2 > > 1. We use MS Active Dire

RE: JNDI Realm question

he.org > Date: Mon, 8 Mar 2010 14:11:50 -0700 > Subject: JNDI Realm question > > http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm > <http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html> > > Using Tomcat 6.0.24 on Windows Server 2003 Standar

JNDI Realm question

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm Using Tomcat 6.0.24 on Windows Server 2003 Standard R2 SP2 1. We use MS Active Directory, is the "uid" in the following example for userPattern the same as the "sAMAcco

Re: Authentication without Authorization ( JNDI Realm ) - Resolved

n seems to fail ( error 403 > forbidden ) > > Regards > Shashank > > > On Wed, 2009-12-02 at 19:16 -0800, Robert Koberg wrote: > > On Dec 2, 2009, at 6:01 PM, Christopher Schultz wrote: > > > > > -BEGIN PGP SIGNED MESSAGE- > > > Ha

Re: Authentication without Authorization ( JNDI Realm )

PM, Caldarale, Charles R wrote: > >>> From: Christopher Schultz [mailto:ch...@christopherschultz.net] > >>> Subject: Re: Authentication without Authorization ( JNDI Realm ) > >>> > >>> Technically speaking, this will require authentication but then let &

Re: Authentication without Authorization ( JNDI Realm )

Authentication without Authorization ( JNDI Realm ) >>> >>> Technically speaking, this will require authentication but then let >>> anyone holding any role defined in web.xml to access any page on your >>> site. >> >> But the valid roles still have to

Re: Authentication without Authorization ( JNDI Realm )

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 12/2/2009 5:15 PM, Caldarale, Charles R wrote: >> From: Christopher Schultz [mailto:ch...@christopherschultz.net] >> Subject: Re: Authentication without Authorization ( JNDI Realm ) >> >> Technically spe

RE: Authentication without Authorization ( JNDI Realm )

> From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Subject: Re: Authentication without Authorization ( JNDI Realm ) > > Technically speaking, this will require authentication but then let > anyone holding any role defined in web.xml to access any page on your &

Re: Authentication without Authorization ( JNDI Realm )

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Shashank, On 12/2/2009 10:48 AM, shashank@wipro.com wrote: > Is there any way to use a Realm only for authentication and disable > authorization ( do not check for roles ) ? If you are using Tomcat's container-managed authentication and authoriza

Authentication without Authorization ( JNDI Realm )

Hi Is there any way to use a Realm only for authentication and disable authorization ( do not check for roles ) ? Regards, Shashank. Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are

Re: Tomcat6 JNDI Realm

Have a look at http://www.jspwiki.org/wiki/ActiveDirectoryIntegration Regards, Rainer On 26.05.2009 12:16, Geofrey Rainey wrote: > I'm trying to setup a tomcat6 realm to authenticate against an active > directory server. I got a > > JDBC realm working okay with a MySQL database. > > > > I'

Tomcat6 JNDI Realm

Hi, I'm trying to setup a tomcat6 realm to authenticate against an active directory server. I got a JDBC realm working okay with a MySQL database. I'm receiving the following error and thought it might be wise to try and get ldapsearch working First. However I'm not having much luck with

ssha digest in jndi realm

Hi, I've read that Salted SHA (SSHA) realm was added to tomcat realms. http://emsp.em.doe.gov/tomcat-docs/changelog.html https://issues.apache.org/bugzilla/show_bug.cgi?id=32938 So I've set digest=SSHA in my realm configuration. However when I try to start tomcat I get tomcat SSHA MessageDiges

Re: JNDI realm strange problem(Tomcat 6.0.16)

hello chris, yes, our ldap server and tomcat server are both up for 24 hours and 7 days. yes, restarting tomcat server, problem vanishes. thank you, On Fri, 2008-06-20 at 10:20 -0400, Christopher Schultz wrote: > king again? -- Kumar Gaurav Srivastava A B Technologies SDF Building

Re: JNDI realm strange problem(Tomcat 6.0.16)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kuman, Kumar Gaurav Srivastava wrote: | i have my realm configuration in server.xml, every thing is fine i can | login. but when i try to login the next morning it gives error | | SEVERE: Exception performing authentication | javax.naming.NoInitialCo

JNDI realm strange problem(Tomcat 6.0.16)

hello , i will be really grateful if someone can help me on this. i have my realm configuration in server.xml, every thing is fine i can login. but when i try to login the next morning it gives error SEVERE: Exception performing authentication javax.naming.NoInitialContextException: Need to sp

Re: JNDI Realm

- Original Message - From: "Jim Willeke" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Wednesday, May 28, 2008 11:39 PM Subject: JNDI Realm We had this working with Tomcat 5.5 and now with Tomcat 6 we are having issues. The Docs (http://tomcat.apach

JNDI Realm

We had this working with Tomcat 5.5 and now with Tomcat 6 we are having issues. The Docs (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm) "Place a copy of the JNDI driver you will be using (typically ldap.jar available with JNDI) inside the $CATALINA_HOME/lib directory." Where

Re: JNDI Realm nor returning LDAP error codes/exceptions

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Richard, Gundersen, Richard wrote: | Urgh, humble apologies. No worries. I'm not insulted ;) | BTW do you have an opinion on JOSSO? Was playing around with that | today and it seems to integrate with Tomcat very nicely. I have never used it. Lots o

RE: JNDI Realm nor returning LDAP error codes/exceptions

lto:[EMAIL PROTECTED] Sent: Thu 24/04/2008 17:04 To: Tomcat Users List Subject: Re: JNDI Realm nor returning LDAP error codes/exceptions -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Richard, Gundersen, Richard wrote: | Can anyone help me with the problem below please? Did you bother to read m

Re: JNDI Realm nor returning LDAP error codes/exceptions

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Richard, Gundersen, Richard wrote: | Can anyone help me with the problem below please? Did you bother to read my response? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.m

JNDI Realm nor returning LDAP error codes/exceptions

x27;t find any way of doing it. ANY help would be really appreciated. Richard Gundersen Java Developer -Original Message- From: Gundersen, Richard Sent: Wednesday, April 23, 2008 4:16 PM To: 'users@tomcat.apache.org' Subject: JNDI Realm nor returning LDAP error codes/exceptio

JNDI Realm nor returning LDAP error codes/exceptions

Hi I'm using the standard JNDIRealm class to authenticate users. However if the login is unsuccessful, I am unable report the *reason* for the failure. The code for JNDIRealm.java tries to return a valid Principal object. If logging on fails - which could be for several reasons e.g. bad passwor

Re: JNDI Realm and Password Encryption

Sniffing protocol would probably give you an idea about this :) Jeff Marendo a écrit : Hello, I'm using the JNDI realm and communicating with a Novell eDirectory (LDAP) server for authentication and authorization purposes. We're communicating on port 389, which is non-secure. I kno

JNDI Realm and Password Encryption

Hello, I'm using the JNDI realm and communicating with a Novell eDirectory (LDAP) server for authentication and authorization purposes. We're communicating on port 389, which is non-secure. I know the user ID and password is stored in plain text (within /conf/server.xml), but what I&

Configure JNDI Realm

Hi all, I'm configuring a JNDI Realm with LDAP in Tomcat 5.5. The authentication process works fine but when Tomcat tries to check role this fails and it returns me a HTTP 403 page. Tomcat log is: DEBUG http-6060-Processor25 org.apache.catalina.authenticator.AuthenticatorBase - Ca

RE: JNDI Realm NPE

ocket$SocketConnection.runIt(ChannelSocket.java :876) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav a:684) at java.lang.Thread.run(Thread.java:595) This NPE arrived in the Realm and then tomcat doen't present any error page. I checked quickly the

RE: JNDI Realm and Active Directory root search

Matt, what do you mean with 'referrals="follow"' ? Is that a jndi configuration option ? Zsolt > -Original Message- > From: Matt Warren [mailto:[EMAIL PROTECTED] > Sent: Wednesday, November 01, 2006 6:24 PM > To: Tomcat Users List > Subject: Re: J

Re: JNDI Realm and Active Directory root search

When searching LDAP from the root, you will get a referral reply from AD that has a server DNS name of JUST the domain name (ie company.com). NOT the initial server name you used in your connectionURL. one small remark: "company.com" in your post is what you chose as root object for your AD wh

Re: JNDI Realm and Active Directory root search

S name in > the referral and point that name to your real AD. > > -- Velpi > >> I'm trying to get a JNDI Realm working as one might expect with Active >> Directory. >> >> Tomcat 5.5.20 >> Java 1.5.06 >> Windows 2000 Server >> >>

Re: JNDI Realm and Active Directory root search

I'm trying to get a JNDI Realm working as one might expect with Active Directory. Tomcat 5.5.20 Java 1.5.06 Windows 2000 Server The basic issue is that searching from a domain root "dc=company,dc=com" and using userSubtree="true" results in:

JNDI Realm and Active Directory root search

I'm trying to get a JNDI Realm working as one might expect with Active Directory. Tomcat 5.5.20 Java 1.5.06 Windows 2000 Server The basic issue is that searching from a domain root "dc=company,dc=com" and using userSubtree="true" results in:

Re: Configure JNDI Realm For Active Directory Under Tomcat 5.5.12 on OSX

you try to use the common name. Since they are not equal, your users are not members of the role. So either specify the cn in an user attribute, or use roleName, roleSearch, roleSubtree and roleBase config attributes in your jndi-Realm. HTH Felix > rolename="cn" >

Configure JNDI Realm For Active Directory Under Tomcat 5.5.12 on OSX

After having searched the MARC archives and Google for the better part of a week I do not seem to be able to duplicate others' past success with getting Tomcat to use a JNDI realm to authenticate users via Active Directory. Basically I'm just trying to get a simple web app str