You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2017/08/24 05:45:01 UTC
[jira] [Comment Edited] (DIRSERVER-2206) RefinementEvaluator fails
when "objectClass" attribute is not present in the list of attributes
[ https://issues.apache.org/jira/browse/DIRSERVER-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139585#comment-16139585 ]
Emmanuel Lecharny edited comment on DIRSERVER-2206 at 8/24/17 5:44 AM:
-----------------------------------------------------------------------
Another idea would be to move the {{SchemaInterceptor}} filter so that it's executed at the end of the evaluations. I have tried a patch that does that, and it does the job, but it's a kind of horrible hack.
Basically, I have added a {{isLast()}} method to the {{EntryFilter}} interface, implemented it in all the filters with a {{false}} returned except for the {{TopFilter}} which belongs to the {{SchemaInterceptor}} class. Now, the filter loop in the {{EntryFilteringCursor}} class looks like :
{code:java}
EntryFilter lastFilter = null;
for ( EntryFilter filter : filters )
{
if ( filter.isLast() )
{
lastFilter = filter;
}
else
{
// if a filter rejects then short and continue with outer loop
if ( !filter.accept( operationContext, tempResult ) )
{
continue outer;
}
}
}
if ( ( lastFilter != null ) && !lastFilter.accept( operationContext, tempResult ) )
{
continue outer;
}
{code}
This is kind of ugly though, I'd rather have the filter list built properly, but it would require some changes in the way the interceptors are initialized.
Btw, integ tests are passing with such a modification.
was (Author: elecharny):
Another idea would be to move the {{SchemaInterceptor}} filter so that it's executed at the end of the evaluations. I have tried a patch that does that, and it does the job, but it's a kind of horrible hack.
Basically, I have added a {{isLast()}} method to the {{EntryFilter}} interface, implemented it in all the filters with a {{false}} returned except for the {{TopFilter}} which belongs to the {{SchemaInterceptor}} class. Now, the filter loop in the {{EntryFilteringCursor}} class looks like :
{code:java}
EntryFilter lastFilter = null;
for ( EntryFilter filter : filters )
{
if ( filter.isLast() )
{
lastFilter = filter;
}
else
{
// if a filter rejects then short and continue with outer loop
if ( !filter.accept( operationContext, tempResult ) )
{
continue outer;
}
}
}
if ( ( lastFilter != null ) && !lastFilter.accept( operationContext, tempResult ) )
{
continue outer;
}
{code}
> RefinementEvaluator fails when "objectClass" attribute is not present in the list of attributes
> -----------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-2206
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2206
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 2.0.0-M24
> Reporter: Kiran Ayyagari
> Fix For: 2.0.0-M25
>
> Attachments: allowreadusers.ldif
>
>
> I have a ACI that filters entries based on the the {{classes}} protected item but when
> the search request doesn't contain {{objectClass}} in the requested attributes the below
> exception is thrown.
> {noformat}
> org.apache.directory.api.ldap.model.message.SearchRequestImpl@c452319: ERR_296 objectClasses cannot be null:
> java.lang.IllegalArgumentException: ERR_296 objectClasses cannot be null
> at org.apache.directory.server.core.api.subtree.RefinementEvaluator.evaluate(RefinementEvaluator.java:65)
> at org.apache.directory.server.core.authz.support.RelatedProtectedItemFilter.isRelated(RelatedProtectedItemFilter.java:213)
> at org.apache.directory.server.core.authz.support.RelatedProtectedItemFilter.filter(RelatedProtectedItemFilter.java:86)
> at org.apache.directory.server.core.authz.support.ACDFEngine.hasPermission(ACDFEngine.java:160)
> at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.filter(AciAuthorizationInterceptor.java:1368)
> at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.access$200(AciAuthorizationInterceptor.java:91)
> at org.apache.directory.server.core.authz.AciAuthorizationInterceptor$AuthorizationFilter.accept(AciAuthorizationInterceptor.java:1428)
> at org.apache.directory.server.core.api.filtering.EntryFilteringCursorImpl.next(EntryFilteringCursorImpl.java:454)
> at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.writeResults(SearchRequestHandler.java:380)
> at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:840)
> at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1164)
> at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1258)
> at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:212)
> at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:92)
> at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:222)
> at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:243)
> at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:216)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:858)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:947)
> at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
> at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:476)
> at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:430)
> at java.lang.Thread.run(Thread.java:745)
> {noformat}
> Steps to reproduce:
> # Apply the allowreadusers.ldif
> # restart the server
> # run the command ldapsearch -H ldap://localhost:10389 -D "" -b "uid=kayyagari,ou=Users,dc=example,dc=com" -s base -a always "(objectClass=*)" "uid"
> Note that if you request "objectClass" attribute along with "uid" then the request succeeds.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)