Abstract superclass for DirContextAuthenticationStrategy implementations that apply TLS security to the connections. The supported TLS behavior differs between servers. For example, some servers expect the TLS connection to be shut down gracefully before the actual target context is closed, whereas other servers do not support that. The shutdownTlsGracefully property controls this behavior; it defaults to false.

The SSLSocketFactory used for TLS negotiation can be customized using the sslSocketFactory property. This allows, for example, a socket factory that loads the keystore/truststore using the Spring Resource abstraction. This provides a much more Spring-like strategy for configuring PKI credentials for authentication, in addition to allowing application-specific keystores and truststores to be used by applications running in the same JVM.

On rare occasions there is a need to supply a HostnameVerifier to the TLS processing instructions in order to have the returned certificate properly validated. If a HostnameVerifier is supplied via #setHostnameVerifier(HostnameVerifier), it will be applied to the processing.

For further information regarding TLS, refer to this page.

NB: TLS negotiation is an expensive process, which is why you will most likely want to use connection pooling, to make sure new connections are not created for each individual request. It is imperative, however, that the built-in LDAP connection pooling is not used in combination with the TLS AuthenticationStrategy implementations; this will not work. You should use the Spring LDAP PoolingContextSource instead.
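The following is an added example, not code from the Spring LDAP project or its documentation, showing the three properties above wired into a DefaultTlsDirContextAuthenticationStrategy, with built-in pooling switched off on the LdapContextSource and a PoolingContextSource layered on top as the NB requires. The server name, truststore resource name, its password and the bind DN are assumed placeholders; the SAN-checking verifier is only consulted by JNDI's StartTlsResponse after its own default hostname check has failed, so it is written to fail closed rather than to accept everything.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.*;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.pool.factory.PoolingContextSource;

public class TlsLdapConfig {
    // SSLSocketFactory whose trust store is loaded through the Spring Resource abstraction.
    static SSLSocketFactory socketFactoryFrom(Resource trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = trustStore.getInputStream()) { ks.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key store: server trust only
        return ctx.getSocketFactory();
    }
    // Fail-closed verifier: accept the peer only if its leaf certificate carries a dNSName SAN (type 2) equal to expectedHost.
    static HostnameVerifier sanVerifier(String expectedHost) {
        return (host, session) -> {
            try {
                for (List<?> san : ((X509Certificate) session.getPeerCertificates()[0]).getSubjectAlternativeNames())
                    if (Integer.valueOf(2).equals(san.get(0)) && expectedHost.equalsIgnoreCase((String) san.get(1))) return true;
            } catch (Exception e) { /* unverified peer, no SAN extension or unparsable certificate: reject */ }
            return false; // never return true unconditionally; that disables certificate validation
        };
    }
    public static LdapTemplate ldapTemplate() throws Exception {
        DefaultTlsDirContextAuthenticationStrategy tls = new DefaultTlsDirContextAuthenticationStrategy();
        tls.setShutdownTlsGracefully(true); // only for servers that expect a graceful TLS shutdown
        tls.setSslSocketFactory(socketFactoryFrom(new ClassPathResource("ldap-truststore.p12"), "changeit".toCharArray()));
        tls.setHostnameVerifier(sanVerifier("ldap.example.com")); // assumed server name
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl("ldap://ldap.example.com:389"); // StartTLS upgrades this plain connection
        contextSource.setUserDn("cn=app,ou=services,dc=example,dc=com"); // assumed bind DN
        contextSource.setPassword("app-password"); // placeholder; load from a secret store in practice
        contextSource.setAuthenticationStrategy(tls);
        contextSource.setPooled(false); // built-in LDAP pooling must stay off with TLS strategies
        contextSource.afterPropertiesSet();
        PoolingContextSource pooled = new PoolingContextSource(); // pool at this layer instead
        pooled.setContextSource(contextSource);
        return new LdapTemplate(pooled);
    }
}
```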