Posted to commits@directory.apache.org by el...@apache.org on 2015/07/25 17:37:42 UTC
svn commit: r1692630 -
/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
Author: elecharny
Date: Sat Jul 25 15:37:42 2015
New Revision: 1692630
URL: http://svn.apache.org/r1692630
Log:
A bit of cleanup :
- the long modify method has been reduced by calling private sub-methods
- added some comments
Modified:
directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
Modified: directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=1692630&r1=1692629&r2=1692630&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java (original)
+++ directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java Sat Jul 25 15:37:42 2015
@@ -866,7 +866,7 @@ public class AuthenticationInterceptor e
}
}
-
+
/**
* {@inheritDoc}
*/
@@ -881,86 +881,67 @@ public class AuthenticationInterceptor e
if ( !directoryService.isPwdPolicyEnabled() || modifyContext.isReplEvent() )
{
- next( modifyContext );
-
- List<Modification> modifications = modifyContext.getModItems();
-
- for ( Modification modification : modifications )
- {
- if ( USER_PASSWORD_AT.equals( modification.getAttribute().getAttributeType() ) )
- {
- invalidateAuthenticatorCaches( modifyContext.getDn() );
- break;
- }
- }
-
+ processStandardModify( modifyContext );
return;
}
+ else
+ {
+ processPasswordPolicydModify( modifyContext );
+ }
+ }
- // handle the case where pwdPolicySubentry AT is about to be deleted in thid modify()
- PasswordPolicyConfiguration policyConfig = getPwdPolicy( modifyContext.getEntry() );
-
- boolean isPPolicyReqCtrlPresent = modifyContext.hasRequestControl( PasswordPolicy.OID );
-
- PwdModDetailsHolder pwdModDetails = null;
+
+ /**
+ * Proceed with the Modification operation when the PasswordPolicy is not activated.
+ */
+ private void processStandardModify( ModifyOperationContext modifyContext ) throws LdapException
+ {
+ next( modifyContext );
- pwdModDetails = getPwdModDetails( modifyContext, policyConfig );
+ List<Modification> modifications = modifyContext.getModItems();
- CoreSession userSession = modifyContext.getSession();
-
- if ( pwdModDetails.isPwdModPresent() )
+ for ( Modification modification : modifications )
{
- if ( userSession.isPwdMustChange() && !pwdModDetails.isDelete() )
+ if ( USER_PASSWORD_AT.equals( modification.getAttribute().getAttributeType() ) )
{
- if ( pwdModDetails.isOtherModExists() )
- {
- if ( isPPolicyReqCtrlPresent )
- {
- PasswordPolicyDecorator responseControl =
- new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
- responseControl.getResponse().setPasswordPolicyError(
- PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
- modifyContext.addResponseControl( responseControl );
- }
-
- throw new LdapNoPermissionException(
- "Password should be reset before making any changes to this entry" );
- }
+ invalidateAuthenticatorCaches( modifyContext.getDn() );
+ break;
}
+ }
- if ( policyConfig.isPwdSafeModify() && !pwdModDetails.isDelete() )
- {
- if ( pwdModDetails.isAddOrReplace() && !pwdModDetails.isDelete() )
- {
- String msg = "trying to update password attribute without the supplying the old password";
- LOG.debug( msg );
+ return;
+ }
- if ( isPPolicyReqCtrlPresent )
- {
- PasswordPolicyDecorator responseControl =
- new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
- responseControl.getResponse().setPasswordPolicyError(
- PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD );
- modifyContext.addResponseControl( responseControl );
- }
+
+ /**
+ * Proceed with the Modification operation when the PasswordPolicy is activated.
+ */
+ private void processPasswordPolicydModify( ModifyOperationContext modifyContext ) throws LdapException
+ {
+ // handle the case where pwdPolicySubentry AT is about to be deleted in this modify()
+ PasswordPolicyConfiguration policyConfig = getPwdPolicy( modifyContext.getEntry() );
- throw new LdapNoPermissionException( msg );
- }
- }
+ PwdModDetailsHolder pwdModDetails = getPwdModDetails( modifyContext, policyConfig );
- if ( !policyConfig.isPwdAllowUserChange() && !modifyContext.getSession().isAnAdministrator() )
- {
- if ( isPPolicyReqCtrlPresent )
- {
- PasswordPolicyDecorator responseControl =
- new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
- responseControl.getResponse().setPasswordPolicyError(
- PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED );
- modifyContext.addResponseControl( responseControl );
- }
+ if ( !pwdModDetails.isPwdModPresent() )
+ {
+ // We can going on, the password attribute is not present in the Modifications.
+ next( modifyContext );
+ }
+ else
+ {
+ // The password is present in the modifications. Deal with the various use cases.
+ CoreSession userSession = modifyContext.getSession();
+ boolean isPPolicyReqCtrlPresent = modifyContext.hasRequestControl( PasswordPolicy.OID );
+
+ // First, check if the password must be changed, and if the operation allows it
+ checkPwdMustChange( modifyContext, userSession, pwdModDetails, isPPolicyReqCtrlPresent );
- throw new LdapNoPermissionException();
- }
+ // Check the the old password is present if it's required by the PP config
+ checkOldPwdRequired( modifyContext, policyConfig, pwdModDetails, isPPolicyReqCtrlPresent );
+
+ // Check that we can't update the password if it's not allowed
+ checkChangePwdAllowed( modifyContext, policyConfig, isPPolicyReqCtrlPresent );
Entry entry = modifyContext.getEntry();
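Review bot: The Javadoc on `processStandardModify` says it runs "when the PasswordPolicy is not activated", but the caller's condition `!directoryService.isPwdPolicyEnabled() || modifyContext.isReplEvent()` also routes replication events here while the policy is enabled, so every password-policy check is skipped for them. The comment should say so, e.g. `Proceed with the Modification operation when the PasswordPolicy is not activated, or when the modification is a replication event: no password policy check is applied.`, because that makes the trustworthiness of `isReplEvent()` part of the policy's enforcement. On style, the `else` after `return;` in `modify` and the trailing `return;` in the void `processStandardModify` are redundant, and `processPasswordPolicydModify` looks like a typo for `processPasswordPolicyModify`. The body of `processPasswordPolicydModify` continues past the end of this hunk.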
@@ -1173,13 +1154,86 @@ public class AuthenticationInterceptor e
userSession.setPwdMustChange( false );
}
}
- else
- {
- next( modifyContext );
+ }
+
+
+ /**
+ * Check if the password has to be changed, but can't.
+ */
+ private void checkPwdMustChange( ModifyOperationContext modifyContext, CoreSession userSession,
+ PwdModDetailsHolder pwdModDetails, boolean isPPolicyReqCtrlPresent ) throws LdapNoPermissionException
+ {
+ if ( userSession.isPwdMustChange() &&
+ !pwdModDetails.isDelete() &&
+ pwdModDetails.isOtherModExists() )
+ {
+ if ( isPPolicyReqCtrlPresent )
+ {
+ PasswordPolicyDecorator responseControl =
+ new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+ responseControl.getResponse().setPasswordPolicyError(
+ PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
+ modifyContext.addResponseControl( responseControl );
+ }
+
+ throw new LdapNoPermissionException(
+ "Password should be reset before making any changes to this entry" );
+ }
+ }
+
+
+ /**
+ * If the PP config request it, the old password must be supplied in the modifications. Check that it
+ * is present.
+ */
+ private void checkOldPwdRequired( ModifyOperationContext modifyContext, PasswordPolicyConfiguration policyConfig,
+ PwdModDetailsHolder pwdModDetails, boolean isPPolicyReqCtrlPresent ) throws LdapNoPermissionException
+ {
+ if ( policyConfig.isPwdSafeModify() &&
+ !pwdModDetails.isDelete() &&
+ pwdModDetails.isAddOrReplace() )
+ {
+ String msg = "trying to update password attribute without the supplying the old password";
+ LOG.debug( msg );
+
+ if ( isPPolicyReqCtrlPresent )
+ {
+ PasswordPolicyDecorator responseControl =
+ new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+ responseControl.getResponse().setPasswordPolicyError(
+ PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD );
+ modifyContext.addResponseControl( responseControl );
+ }
+
+ throw new LdapNoPermissionException( msg );
}
}
+
+
+ /**
+ * check that if the password modification is allowed by the PP config, or if the session is
+ * the admin.
+ */
+ private void checkChangePwdAllowed( ModifyOperationContext modifyContext, PasswordPolicyConfiguration policyConfig,
+ boolean isPPolicyReqCtrlPresent ) throws LdapNoPermissionException
+ {
+ if ( !policyConfig.isPwdAllowUserChange() && !modifyContext.getSession().isAnAdministrator() )
+
+ {
+ if ( isPPolicyReqCtrlPresent )
+ {
+ PasswordPolicyDecorator responseControl =
+ new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+ responseControl.getResponse().setPasswordPolicyError(
+ PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED );
+ modifyContext.addResponseControl( responseControl );
+ }
+ throw new LdapNoPermissionException();
+ }
+ }
+
/**
* {@inheritDoc}
*/
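Review bot: `checkChangePwdAllowed` rejects the change with `throw new LdapNoPermissionException();`, with no message and no log line, while `checkOldPwdRequired` logs its reason and `checkPwdMustChange` passes one to the exception; a denied password change is an event an operator will want to be able to trace. The three helpers also repeat the same response-control construction, differing only in the `PasswordPolicyErrorEnum` value, which a small private helper would remove. The sketch below shows both changes; the message text is only a suggestion. This hunk starts in the tail of the preceding method and ends in the next method's Javadoc, so neither is fully visible here.

```java
// … unchanged: checkPwdMustChange and checkOldPwdRequired, which can call the same helper …

/**
 * Attach a PasswordPolicy response control carrying the given error, but only
 * when the client sent the PasswordPolicy request control.
 */
private void addPasswordPolicyError( ModifyOperationContext modifyContext, boolean isPPolicyReqCtrlPresent,
    PasswordPolicyErrorEnum error )
{
    if ( isPPolicyReqCtrlPresent )
    {
        PasswordPolicyDecorator responseControl =
            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
        responseControl.getResponse().setPasswordPolicyError( error );
        modifyContext.addResponseControl( responseControl );
    }
}

private void checkChangePwdAllowed( ModifyOperationContext modifyContext, PasswordPolicyConfiguration policyConfig,
    boolean isPPolicyReqCtrlPresent ) throws LdapNoPermissionException
{
    if ( !policyConfig.isPwdAllowUserChange() && !modifyContext.getSession().isAnAdministrator() )
    {
        String msg = "password modification is not allowed by the password policy";
        LOG.debug( msg );
        addPasswordPolicyError( modifyContext, isPPolicyReqCtrlPresent,
            PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED );

        throw new LdapNoPermissionException( msg );
    }
}
```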
@@ -1680,6 +1734,7 @@ public class AuthenticationInterceptor e
Dn configDn = dnFactory.create( pwdPolicySubentry.getString() );
PasswordPolicyConfiguration custom = pwdPolicyContainer.getPolicyConfig( configDn );
+
if ( custom != null )
{
return custom;