You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by ak...@apache.org on 2005/10/18 12:59:50 UTC
svn commit: r326083 - in
/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz:
AuthorizationService.java support/ACDFEngine.java
support/MaxImmSubFilter.java
Author: akarasulu
Date: Tue Oct 18 03:59:38 2005
New Revision: 326083
URL: http://svn.apache.org/viewcvs?rev=326083&view=rev
Log:
changes ...
o reviewed calls in filters to proxy to bypass even more interceptors for efficiency
o replaced all nextInterceptor.xxxx() calls with calls to the nexus proxy with bypasses
o replaced some calls to nexus to call the proxy instead
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=326083&r1=326082&r2=326083&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java Tue Oct 18 03:59:38 2005
@@ -127,7 +127,9 @@
* @param entry the target entry that access to is being controled
* @throws NamingException if there are problems accessing attribute values
*/
- private void addPerscriptiveAciTuples( Collection tuples, Name dn, Attributes entry ) throws NamingException
+ private void addPerscriptiveAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples,
+ Name dn, Attributes entry )
+ throws NamingException
{
/*
* If the protected entry is a subentry, then the entry being evaluated
@@ -142,7 +144,7 @@
{
Name parentDn = ( Name ) dn.clone();
parentDn.remove( dn.size() - 1 );
- entry = nexus.lookup( parentDn );
+ entry = proxy.lookup( parentDn, LOOKUP_BYPASS );
}
Attribute subentries = entry.get( AC_SUBENTRY_ATTR );
@@ -204,7 +206,8 @@
* @param entry the target entry that access to is being regulated
* @throws NamingException if there are problems accessing attribute values
*/
- private void addSubentryAciTuples( Collection tuples, Name dn, Attributes entry ) throws NamingException
+ private void addSubentryAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples,
+ Name dn, Attributes entry ) throws NamingException
{
// only perform this for subentries
if ( ! entry.get("objectClass").contains("subentry") )
@@ -216,7 +219,7 @@
// will contain the subentryACI attributes that effect subentries
Name parentDn = ( Name ) dn.clone();
parentDn.remove( dn.size() - 1 );
- Attributes administrativeEntry = nexus.lookup( parentDn );
+ Attributes administrativeEntry = proxy.lookup( parentDn, LOOKUP_BYPASS );
Attribute subentryAci = administrativeEntry.get( SUBENTRYACI_ATTR );
if ( subentryAci == null )
@@ -294,8 +297,8 @@
// Build the total collection of tuples to be considered for add rights
// NOTE: entryACI are NOT considered in adds (it would be a security breech)
- addPerscriptiveAciTuples( tuples, normName, subentryAttrs );
- addSubentryAciTuples( tuples, normName, subentryAttrs );
+ addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, subentryAttrs );
+ addSubentryAciTuples( invocation.getProxy(), tuples, normName, subentryAttrs );
Collection perms = Collections.singleton( MicroOperation.ADD );
// check if entry scope permission is granted
@@ -329,8 +332,9 @@
public void delete( NextInterceptor next, Name name ) throws NamingException
{
// Access the principal requesting the operation, and bypass checks if it is the admin
- Attributes entry = nexus.lookup( name );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
{
@@ -341,11 +345,10 @@
}
Set userGroups = groupCache.getGroups( user.getName() );
- DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, name, entry );
+ addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, name, entry );
+ addSubentryAciTuples( proxy, tuples, name, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
null, Collections.singleton( MicroOperation.REMOVE ), tuples, entry );
@@ -356,11 +359,27 @@
}
+ private static final Collection LOOKUP_BYPASS;
+ static
+ {
+ Collection c = new HashSet();
+ c.add( "normalizationService" );
+ c.add( "authenticationService" );
+ c.add( "authorizationService" );
+ c.add( "oldAuthorizationService" );
+ c.add( "schemaService" );
+ c.add( "subentryService" );
+ c.add( "operationalAttributeService" );
+ c.add( "eventService" );
+ LOOKUP_BYPASS = Collections.unmodifiableCollection( c );
+ }
+
public void modify( NextInterceptor next, Name name, int modOp, Attributes mods ) throws NamingException
{
// Access the principal requesting the operation, and bypass checks if it is the admin
- Attributes entry = nexus.lookup( name );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
{
@@ -370,12 +389,11 @@
return;
}
- DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, name, entry );
+ addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, name, entry );
+ addSubentryAciTuples( proxy, tuples, name, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
@@ -416,8 +434,9 @@
public void modify( NextInterceptor next, Name name, ModificationItem[] mods ) throws NamingException
{
// Access the principal requesting the operation, and bypass checks if it is the admin
- Attributes entry = nexus.lookup( name );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
{
@@ -427,12 +446,11 @@
return;
}
- DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, name, entry );
+ addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, name, entry );
+ addSubentryAciTuples( proxy, tuples, name, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
@@ -475,8 +493,9 @@
public boolean hasEntry( NextInterceptor next, Name name ) throws NamingException
{
- Attributes entry = nexus.lookup( name );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
@@ -484,12 +503,11 @@
return next.hasEntry( name );
}
- DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, name, entry );
+ addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, name, entry );
+ addSubentryAciTuples( proxy, tuples, name, entry );
// check that we have browse access to the entry
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
@@ -520,9 +538,9 @@
DirectoryPartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, dn, entry );
+ addPerscriptiveAciTuples( proxy, tuples, dn, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, dn, entry );
+ addSubentryAciTuples( proxy, tuples, dn, entry );
Collection perms = new HashSet();
perms.add( MicroOperation.READ );
@@ -549,8 +567,9 @@
public Attributes lookup( NextInterceptor next, Name dn, String[] attrIds ) throws NamingException
{
- Attributes entry = nexus.lookup( dn );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( dn, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
@@ -566,8 +585,9 @@
public Attributes lookup( NextInterceptor next, Name name ) throws NamingException
{
- Attributes entry = nexus.lookup( name );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
@@ -584,8 +604,9 @@
public void modifyRn( NextInterceptor next, Name name, String newRn, boolean deleteOldRn ) throws NamingException
{
// Access the principal requesting the operation, and bypass checks if it is the admin
- Attributes entry = nexus.lookup( name );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
Name newName = ( Name ) name.clone();
newName.remove( name.size() - 1 );
@@ -598,12 +619,11 @@
return;
}
- DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, name, entry );
+ addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, name, entry );
+ addSubentryAciTuples( proxy, tuples, name, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
null, Collections.singleton( MicroOperation.RENAME ), tuples, entry );
@@ -645,8 +665,9 @@
throws NamingException
{
// Access the principal requesting the operation, and bypass checks if it is the admin
- Attributes entry = nexus.lookup( oriChildName );
Invocation invocation = InvocationStack.getInstance().peek();
+ DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+ Attributes entry = proxy.lookup( oriChildName, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
Name newName = ( Name ) newParentName.clone();
newName.add( newRn );
@@ -658,12 +679,11 @@
return;
}
- DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, oriChildName, entry );
+ addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, oriChildName, entry );
+ addSubentryAciTuples( proxy, tuples, oriChildName, entry );
Collection perms = new HashSet();
perms.add( MicroOperation.IMPORT );
@@ -673,9 +693,9 @@
oriChildName, null, null, perms, tuples, entry );
Collection destTuples = new HashSet();
- addPerscriptiveAciTuples( destTuples, oriChildName, entry );
+ addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
addEntryAciTuples( destTuples, entry );
- addSubentryAciTuples( destTuples, oriChildName, entry );
+ addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
oriChildName, null, null, Collections.singleton( MicroOperation.IMPORT ), tuples, entry );
@@ -717,7 +737,7 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = nexus.lookup( oriChildName );
+ Attributes entry = proxy.lookup( oriChildName, LOOKUP_BYPASS );
Name newName = ( Name ) newParentName.clone();
newName.add( oriChildName.get( oriChildName.size() - 1 ) );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
@@ -731,17 +751,17 @@
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, oriChildName, entry );
+ addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, oriChildName, entry );
+ addSubentryAciTuples( proxy, tuples, oriChildName, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
oriChildName, null, null, Collections.singleton( MicroOperation.EXPORT ), tuples, entry );
Collection destTuples = new HashSet();
- addPerscriptiveAciTuples( destTuples, oriChildName, entry );
+ addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
addEntryAciTuples( destTuples, entry );
- addSubentryAciTuples( destTuples, oriChildName, entry );
+ addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
oriChildName, null, null, Collections.singleton( MicroOperation.IMPORT ), tuples, entry );
@@ -790,7 +810,7 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = nexus.lookup( name );
+ Attributes entry = proxy.lookup( name, LOOKUP_BYPASS );
LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
{
@@ -799,9 +819,9 @@
Set userGroups = groupCache.getGroups( user.getName() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, name, entry );
+ addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, name, entry );
+ addSubentryAciTuples( proxy, tuples, name, entry );
engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
null, Collections.singleton( MicroOperation.READ ), tuples, entry );
@@ -837,14 +857,14 @@
* tests. If we hasPermission() returns false we immediately short the
* process and return false.
*/
- Attributes entry = nexus.lookup( normName );
+ Attributes entry = invocation.getProxy().lookup( normName, LOOKUP_BYPASS );
ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
Name userDn = ctx.getPrincipal().getJndiName();
Set userGroups = groupCache.getGroups( userDn.toString() );
Collection tuples = new HashSet();
- addPerscriptiveAciTuples( tuples, normName, entry );
+ addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( tuples, normName, entry );
+ addSubentryAciTuples( invocation.getProxy(), tuples, normName, entry );
if ( ! engine.hasPermission( invocation.getProxy(), userGroups, userDn,
ctx.getPrincipal().getAuthenticationLevel(),
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java?rev=326083&r1=326082&r2=326083&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java Tue Oct 18 03:59:38 2005
@@ -18,10 +18,7 @@
*/
package org.apache.ldap.server.authz.support;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.Collections;
+import java.util.*;
import javax.naming.Name;
import javax.naming.NamingException;
@@ -130,6 +127,23 @@
}
}
+
+ public static final Collection USER_LOOKUP_BYPASS;
+ static
+ {
+ Collection c = new HashSet();
+ c.add( "normalizationService" );
+ c.add( "authenticationService" );
+ c.add( "authorizationService" );
+ c.add( "oldAuthorizationService" );
+ c.add( "schemaService" );
+ c.add( "subentryService" );
+ c.add( "operationalAttributeService" );
+ c.add( "eventService" );
+ USER_LOOKUP_BYPASS = Collections.unmodifiableCollection( c );
+ }
+
+
/**
* Returns <tt>true</tt> if the user with the specified name can access the specified resource
* (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
@@ -157,7 +171,7 @@
throw new NullPointerException( "entryName" );
}
- Attributes userEntry = proxy.lookup( userName, Collections.singleton( "authorizationService" ) );
+ Attributes userEntry = proxy.lookup( userName, USER_LOOKUP_BYPASS );
// Determine the scope of the requested operation.
OperationScope scope;
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java?rev=326083&r1=326082&r2=326083&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java Tue Oct 18 03:59:38 2005
@@ -18,10 +18,7 @@
*/
package org.apache.ldap.server.authz.support;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Collections;
+import java.util.*;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
@@ -106,6 +103,23 @@
return tuples;
}
+
+ public static final Collection SEARCH_BYPASS;
+ static
+ {
+ Collection c = new HashSet();
+ c.add( "normalizationService" );
+ c.add( "authenticationService" );
+ c.add( "authorizationService" );
+ c.add( "oldAuthorizationService" );
+ c.add( "schemaService" );
+ c.add( "subentryService" );
+ c.add( "operationalAttributeService" );
+ c.add( "eventService" );
+ SEARCH_BYPASS = Collections.unmodifiableCollection( c );
+ }
+
+
private int getImmSubCount( DirectoryPartitionNexusProxy proxy, Name entryName ) throws NamingException
{
int cnt = 0;
@@ -114,7 +128,7 @@
{
e = proxy.search(
entryName.getPrefix( 1 ), new HashMap(),
- childrenFilter, childrenSearchControls, Collections.singleton( "authorizationService" ) );
+ childrenFilter, childrenSearchControls, SEARCH_BYPASS );
while( e.hasMore() )
{