Merge pull request DSpace#11656 from JohnnyMendesC/fix/10823-remove-insecure-jndi

tdonohue · web-flow · commit 7bf4a8719d44 · 2026-02-10T09:15:12.000-06:00
Update LDAPAuthentication to Spring LDAP in order to remove insecure JNDI usage
diff --git a/LICENSES_THIRD_PARTY b/LICENSES_THIRD_PARTY
@@ -445,6 +445,7 @@ https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines
         * Spring Expression Language (SpEL) (org.springframework:spring-expression:6.2.7 - https://github.com/spring-projects/spring-framework)
         * Spring Commons Logging Bridge (org.springframework:spring-jcl:6.2.7 - https://github.com/spring-projects/spring-framework)
         * Spring JDBC (org.springframework:spring-jdbc:6.2.7 - https://github.com/spring-projects/spring-framework)
+        * Spring LDAP Core (org.springframework.ldap:spring-ldap-core:3.2.15 - https://github.com/spring-projects/spring-ldap)
         * Spring Object/Relational Mapping (org.springframework:spring-orm:6.2.7 - https://github.com/spring-projects/spring-framework)
         * Spring TestContext Framework (org.springframework:spring-test:6.2.7 - https://github.com/spring-projects/spring-framework)
         * Spring Transaction (org.springframework:spring-tx:6.2.7 - https://github.com/spring-projects/spring-framework)
diff --git a/dspace-api/pom.xml b/dspace-api/pom.xml
@@ -379,6 +379,10 @@
             <version>${hibernate-validator.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.ldap</groupId>
+            <artifactId>spring-ldap-core</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-orm</artifactId>
diff --git a/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java b/dspace-api/src/main/java/org/dspace/authenticate/LDAPAuthentication.java
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/utils/DSpaceKernelInitializer.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/utils/DSpaceKernelInitializer.java
@@ -81,6 +81,7 @@ public void initialize(final ConfigurableApplicationContext applicationContext)
      * Initially look for JNDI Resource called "java:/comp/env/dspace.dir".
      * If not found, use value provided in "dspace.dir" in Spring Environment
      */
+    // JNDI usage is safe here as it loads internal DSpace configuration, not user input.
     @SuppressWarnings("BanJNDI")
     private String getDSpaceHome(ConfigurableEnvironment environment) {
         // Load the "dspace.dir" property from Spring Boot's Configuration (application.properties)
diff --git a/dspace-server-webapp/src/test/resources/application-test.properties b/dspace-server-webapp/src/test/resources/application-test.properties
@@ -16,5 +16,8 @@
 ## This file is found on classpath at src/test/resources/log4j2-test.xml
 logging.config = classpath:log4j2-test.xml
 
+# Disable LDAP Health Check during tests to avoid external LDAP requirement
+management.health.ldap.enabled=false
+
 # Our integration tests expect application to be deployed at the root path (/)
-server.servlet.context-path=/
+server.servlet.context-path=/
diff --git a/dspace-services/src/main/java/org/dspace/services/email/EmailServiceImpl.java b/dspace-services/src/main/java/org/dspace/services/email/EmailServiceImpl.java
@@ -62,6 +62,7 @@ public Session getSession() {
     }
 
     @PostConstruct
+    // JNDI usage is safe here as it looks up a configured mail session resource, not user input.
     @SuppressWarnings("BanJNDI")
     public void init() {
         // See if there is already a Session in our environment
diff --git a/pom.xml b/pom.xml
@@ -20,6 +20,7 @@
         <!--=== GENERAL / DSPACE-API DEPENDENCIES ===-->
         <java.version>21</java.version>
         <spring.version>6.2.15</spring.version>
+        <spring-ldap.version>3.3.5</spring-ldap.version>
         <spring-boot.version>3.5.10</spring-boot.version>
         <spring-security.version>6.5.7</spring-security.version> <!-- sync with version used by spring-boot-->
         <hibernate.version>6.4.10.Final</hibernate.version>
@@ -1223,6 +1224,23 @@
                 <version>${spring.version}</version>
             </dependency>
 
+            <dependency>
+                <groupId>org.springframework.ldap</groupId>
+                <artifactId>spring-ldap-core</artifactId>
+                <version>${spring-ldap.version}</version>
+	    </dependency>
+            <!-- Specify the version of micrometer to use. Solves dependency convergence issues in spring-ldap-core -->
+            <dependency>
+                <groupId>io.micrometer</groupId>
+                <artifactId>micrometer-core</artifactId>
+                <version>1.14.14</version>
+            </dependency>
+            <dependency>
+                <groupId>io.micrometer</groupId>
+                <artifactId>micrometer-observation</artifactId>
+                <version>1.14.14</version>
+            </dependency>
+
             <dependency>
                 <artifactId>spring-tx</artifactId>
                 <groupId>org.springframework</groupId>

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ public Session getSession() {`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`@PostConstruct`
	`65`	`+ // JNDI usage is safe here as it looks up a configured mail session resource, not user input.`
`65`	`66`	`@SuppressWarnings("BanJNDI")`
`66`	`67`	`public void init() {`
`67`	`68`	`// See if there is already a Session in our environment`