You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/04/13 15:21:21 UTC
[tomcat] branch 7.0.x updated (7115dc3 -> e21eb47)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 7115dc3 Corrected instructions to reduce unit tests verbosity
new 0f544f1 Code alignment with 8.5.x - no functional change
new e21eb47 Fix BZ 65224. Correct escaping in JNDIRealm
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
java/org/apache/catalina/realm/JNDIRealm.java | 875 +++++++++++++-------------
webapps/docs/changelog.xml | 4 +
2 files changed, 447 insertions(+), 432 deletions(-)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[tomcat] 02/02: Fix BZ 65224. Correct escaping in JNDIRealm
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit e21eb4764ccda55e5a35a5a7c19a6fd2b0757fe9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Apr 13 16:09:56 2021 +0100
Fix BZ 65224. Correct escaping in JNDIRealm
---
java/org/apache/catalina/realm/JNDIRealm.java | 161 ++++++++++++++++++++++----
webapps/docs/changelog.xml | 4 +
2 files changed, 142 insertions(+), 23 deletions(-)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index a9032cf..6425194 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -205,13 +205,11 @@ public class JNDIRealm extends RealmBase {
*/
protected String connectionURL = null;
-
/**
* The directory context linking us to our directory server.
*/
protected DirContext context = null;
-
/**
* The JNDI context factory used to acquire our InitialContext. By
* default, assumes use of an LDAP server using the standard JNDI LDAP
@@ -291,7 +289,6 @@ public class JNDIRealm extends RealmBase {
*/
protected MessageFormat userSearchFormat = null;
-
/**
* Should we search the entire subtree for matching users?
*/
@@ -915,8 +912,7 @@ public class JNDIRealm extends RealmBase {
int len = this.userPatternArray.length;
userPatternFormatArray = new MessageFormat[len];
for (int i=0; i < len; i++) {
- userPatternFormatArray[i] =
- new MessageFormat(userPatternArray[i]);
+ userPatternFormatArray[i] = new MessageFormat(userPatternArray[i]);
}
}
}
@@ -1462,7 +1458,7 @@ public class JNDIRealm extends RealmBase {
* @exception NamingException if a directory server error occurs
*/
protected User getUser(DirContext context, String username, String credentials, int curUserPattern)
- throws NamingException {
+ throws NamingException {
User user = null;
@@ -1589,8 +1585,11 @@ public class JNDIRealm extends RealmBase {
return null;
}
- // Form the dn from the user pattern
- String dn = userPatternFormatArray[curUserPattern].format(new String[] { username });
+ // Form the DistinguishedName from the user pattern.
+ // Escape in case username contains a character with special meaning in
+ // an attribute value.
+ String dn = userPatternFormatArray[curUserPattern].format(
+ new String[] { doAttributeValueEscaping(username) });
try {
user = getUserByPattern(context, username, attrIds, dn);
@@ -1630,7 +1629,9 @@ public class JNDIRealm extends RealmBase {
}
// Form the search filter
- String filter = userSearchFormat.format(new String[] { username });
+ // Escape in case username contains a character with special meaning in
+ // a search filter.
+ String filter = userSearchFormat.format(new String[] { doFilterEscaping(username) });
// Set up the search controls
SearchControls constraints = new SearchControls();
@@ -1798,6 +1799,8 @@ public class JNDIRealm extends RealmBase {
return false;
}
+ // This is returned from the directory so will be attribute value
+ // escaped if required
String dn = user.getDN();
if (dn == null) {
return false;
@@ -1888,7 +1891,11 @@ public class JNDIRealm extends RealmBase {
return null;
}
+ // This is returned from the directory so will be attribute value
+ // escaped if required
String dn = user.getDN();
+ // This is the name the user provided to the authentication process so
+ // it will not be escaped
String username = user.getUserName();
String userRoleId = user.getUserRoleId();
@@ -1920,8 +1927,13 @@ public class JNDIRealm extends RealmBase {
return list;
}
- // Set up parameters for an appropriate search
- String filter = roleFormat.format(new String[] { doRFC2254Encoding(dn), username, userRoleId });
+ // Set up parameters for an appropriate search filter
+ // The dn is already attribute value escaped but the others are not
+ // This is a filter so all input will require filter escaping
+ String filter = roleFormat.format(new String[] {
+ doFilterEscaping(dn),
+ doFilterEscaping(doAttributeValueEscaping(username)),
+ doFilterEscaping(doAttributeValueEscaping(userRoleId)) });
SearchControls controls = new SearchControls();
if (roleSubtree) {
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
@@ -1936,7 +1948,9 @@ public class JNDIRealm extends RealmBase {
Name name = np.parse(dn);
String nameParts[] = new String[name.size()];
for (int i = 0; i < name.size(); i++) {
- nameParts[i] = name.get(i);
+ // May have been returned with \<char> escaping rather than
+ // \<hex><hex>. Make sure it is \<hex><hex>.
+ nameParts[i] = convertToHexEscape(name.get(i));
}
base = roleBaseFormat.format(nameParts);
} else {
@@ -1959,7 +1973,7 @@ public class JNDIRealm extends RealmBase {
if (attrs == null) {
continue;
}
- String dname = getDistinguishedName(context, roleBase, result);
+ String dname = getDistinguishedName(context, base, result);
String name = getAttributeValue(roleName, attrs);
if (name != null && dname != null) {
groupMap.put(dname, name);
@@ -1993,14 +2007,20 @@ public class JNDIRealm extends RealmBase {
Map<String, String> newThisRound = new HashMap<String, String>(); // Stores the groups we find in this iteration
for (Entry<String, String> group : newGroups.entrySet()) {
- filter = roleFormat.format(new String[] { doRFC2254Encoding(group.getKey()),
- group.getValue(), group.getValue() });
+ // Group key is already value escaped if required
+ // Group value is not value escaped
+ // Everything needs to be filter escaped
+ filter = roleFormat.format(new String[] {
+ doFilterEscaping(group.getKey()),
+ doFilterEscaping(doAttributeValueEscaping(group.getValue())),
+ doFilterEscaping(doAttributeValueEscaping(group.getValue())) });
if (containerLog.isTraceEnabled()) {
- containerLog.trace("Perform a nested group search with base "+ roleBase + " and filter " + filter);
+ containerLog.trace("Perform a nested group search with base "+ roleBase +
+ " and filter " + filter);
}
- results = searchAsUser(context, user, roleBase, filter, controls, isRoleSearchAsUser());
+ results = searchAsUser(context, user, base, filter, controls, isRoleSearchAsUser());
try {
while (results.hasMore()) {
@@ -2501,11 +2521,9 @@ public class JNDIRealm extends RealmBase {
}
return sslContext.getSocketFactory();
} catch (NoSuchAlgorithmException e) {
- List<String> allowedProtocols = Arrays
- .asList(getSupportedSslProtocols());
- throw new IllegalArgumentException(
- sm.getString("jndiRealm.invalidSslProtocol", protocol,
- allowedProtocols), e);
+ List<String> allowedProtocols = Arrays.asList(getSupportedSslProtocols());
+ throw new IllegalArgumentException(sm.getString("jndiRealm.invalidSslProtocol",
+ protocol, allowedProtocols), e);
} catch (KeyManagementException e) {
List<String> allowedProtocols = Arrays.asList(getSupportedSslProtocols());
throw new IllegalArgumentException(sm.getString("jndiRealm.invalidSslProtocol",
@@ -2607,7 +2625,6 @@ public class JNDIRealm extends RealmBase {
}
return env;
-
}
@@ -2722,10 +2739,36 @@ public class JNDIRealm extends RealmBase {
* ) -> \29
* \ -> \5c
* \0 -> \00
+ *
* @param inString string to escape according to RFC 2254 guidelines
+ *
* @return String the escaped/encoded result
+ *
+ * @deprecated Will be removed in Tomcat 10.1.x onwards
*/
+ @Deprecated
protected String doRFC2254Encoding(String inString) {
+ return doFilterEscaping(inString);
+ }
+
+
+ /**
+ * Given an LDAP search string, returns the string with certain characters
+ * escaped according to RFC 2254 guidelines.
+ * The character mapping is as follows:
+ * char -> Replacement
+ * ---------------------------
+ * * -> \2a
+ * ( -> \28
+ * ) -> \29
+ * \ -> \5c
+ * \0 -> \00
+ *
+ * @param inString string to escape according to RFC 2254 guidelines
+ *
+ * @return String the escaped/encoded result
+ */
+ protected String doFilterEscaping(String inString) {
StringBuilder buf = new StringBuilder(inString.length());
for (int i = 0; i < inString.length(); i++) {
char c = inString.charAt(i);
@@ -2810,6 +2853,78 @@ public class JNDIRealm extends RealmBase {
}
+ /**
+ * Implements the necessary escaping to represent an attribute value as a
+ * String as per RFC 4514.
+ *
+ * @param input The original attribute value
+ * @return The string representation of the attribute value
+ */
+ protected String doAttributeValueEscaping(String input) {
+ int len = input.length();
+ StringBuilder result = new StringBuilder();
+
+ for (int i = 0; i < len; i++) {
+ char c = input.charAt(i);
+ switch (c) {
+ case ' ': {
+ if (i == 0 || i == (len -1)) {
+ result.append("\\20");
+ } else {
+ result.append(c);
+ }
+ break;
+ }
+ case '#': {
+ if (i == 0 ) {
+ result.append("\\23");
+ } else {
+ result.append(c);
+ }
+ break;
+ }
+ case '\"': {
+ result.append("\\22");
+ break;
+ }
+ case '+': {
+ result.append("\\2B");
+ break;
+ }
+ case ',': {
+ result.append("\\2C");
+ break;
+ }
+ case ';': {
+ result.append("\\3B");
+ break;
+ }
+ case '<': {
+ result.append("\\3C");
+ break;
+ }
+ case '>': {
+ result.append("\\3E");
+ break;
+ }
+ case '\\': {
+ result.append("\\5C");
+ break;
+ }
+ case '\u0000': {
+ result.append("\\00");
+ break;
+ }
+ default:
+ result.append(c);
+ }
+
+ }
+
+ return result.toString();
+ }
+
+
protected static String convertToHexEscape(String input) {
if (input.indexOf('\\') == -1) {
// No escaping present. Return original.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 54255ef..b5fa4ef 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -122,6 +122,10 @@
<subsection name="Catalina">
<changelog>
<fix>
+ <bug>65224</bug>: Ensure the correct escaping of attribute values and
+ search filters in the JNDIRealm. (markt)
+ </fix>
+ <fix>
<bug>65226</bug>: Fix extraction of JAR name in some cases in
StandardJarScanner. Submitted by Lynx. (remm)
</fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[tomcat] 01/02: Code alignment with 8.5.x - no functional change
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 0f544f1b9a8f686346135a3cc8765c3179a6af2b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Apr 13 16:01:13 2021 +0100
Code alignment with 8.5.x - no functional change
---
java/org/apache/catalina/realm/JNDIRealm.java | 718 +++++++++++---------------
1 file changed, 307 insertions(+), 411 deletions(-)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index aef4053..a9032cf 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -183,7 +183,6 @@ import org.ietf.jgss.GSSName;
*/
public class JNDIRealm extends RealmBase {
-
// ----------------------------------------------------- Instance Variables
/**
@@ -196,13 +195,11 @@ public class JNDIRealm extends RealmBase {
*/
protected String connectionName = null;
-
/**
* The connection password for the server we will contact.
*/
protected String connectionPassword = null;
-
/**
* The connection URL for the server we will contact.
*/
@@ -222,7 +219,6 @@ public class JNDIRealm extends RealmBase {
*/
protected String contextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
-
/**
* How aliases should be dereferenced during search operations.
*/
@@ -237,13 +233,13 @@ public class JNDIRealm extends RealmBase {
/**
* Descriptive information about this Realm implementation.
*/
- protected static final String info =
- "org.apache.catalina.realm.JNDIRealm/1.0";
-
+ protected static final String info = "org.apache.catalina.realm.JNDIRealm/1.0";
/**
* Descriptive information about this Realm implementation.
+ * @deprecated This will be removed in Tomcat 9 onwards.
*/
+ @Deprecated
protected static final String name = "JNDIRealm";
@@ -253,7 +249,6 @@ public class JNDIRealm extends RealmBase {
*/
protected String protocol = null;
-
/**
* Should we ignore PartialResultExceptions when iterating over NamingEnumerations?
* Microsoft Active Directory often returns referrals, which lead
@@ -263,7 +258,6 @@ public class JNDIRealm extends RealmBase {
*/
protected boolean adCompat = false;
-
/**
* How should we handle referrals? Microsoft Active Directory often returns
* referrals. If you need to follow them set referrals to "follow".
@@ -272,20 +266,17 @@ public class JNDIRealm extends RealmBase {
*/
protected String referrals = null;
-
/**
* The base element for user searches.
*/
protected String userBase = "";
-
/**
* The message format used to search for a user, with "{0}" marking
* the spot where the username goes.
*/
protected String userSearch = null;
-
/**
* When searching for users, should the search be performed as the user
* currently being authenticated? If false, {@link #connectionName} and
@@ -294,7 +285,6 @@ public class JNDIRealm extends RealmBase {
*/
private boolean userSearchAsUser = false;
-
/**
* The MessageFormat object associated with the current
* <code>userSearch</code>.
@@ -307,7 +297,6 @@ public class JNDIRealm extends RealmBase {
*/
protected boolean userSubtree = false;
-
/**
* The attribute name used to retrieve the user password.
*/
@@ -321,7 +310,6 @@ public class JNDIRealm extends RealmBase {
*/
protected String userRoleAttribute = null;
-
/**
* A string of LDAP user patterns or paths, ":"-separated
* These will be used to form the distinguished name of a
@@ -332,7 +320,6 @@ public class JNDIRealm extends RealmBase {
*/
protected String[] userPatternArray = null;
-
/**
* The message format used to form the distinguished name of a
* user, with "{0}" marking the spot where the specified username
@@ -340,7 +327,6 @@ public class JNDIRealm extends RealmBase {
*/
protected String userPattern = null;
-
/**
* An array of MessageFormat objects associated with the current
* <code>userPatternArray</code>.
@@ -352,34 +338,29 @@ public class JNDIRealm extends RealmBase {
*/
protected String roleBase = "";
-
/**
* The MessageFormat object associated with the current
* <code>roleBase</code>.
*/
protected MessageFormat roleBaseFormat = null;
-
/**
* The MessageFormat object associated with the current
* <code>roleSearch</code>.
*/
protected MessageFormat roleFormat = null;
-
/**
* The name of an attribute in the user's entry containing
* roles for that user
*/
protected String userRoleName = null;
-
/**
* The name of the attribute containing roles held elsewhere
*/
protected String roleName = null;
-
/**
* The message format used to select roles for a user, with "{0}" marking
* the spot where the distinguished name of the user goes. The "{1}"
@@ -387,7 +368,6 @@ public class JNDIRealm extends RealmBase {
*/
protected String roleSearch = null;
-
/**
* Should we search the entire subtree for matching memberships?
*/
@@ -422,7 +402,6 @@ public class JNDIRealm extends RealmBase {
*/
protected String commonRole = null;
-
/**
* The timeout, in milliseconds, to use when trying to create a connection
* to the directory. The default is 5000 (5 seconds).
@@ -447,14 +426,12 @@ public class JNDIRealm extends RealmBase {
*/
protected int timeLimit = 0;
-
/**
* Should delegated credentials from the SPNEGO authenticator be used if
* available
*/
protected boolean useDelegatedCredential = true;
-
/**
* The QOP that should be used for the connection to the LDAP server after
* authentication. This value is used to set the
@@ -519,37 +496,35 @@ public class JNDIRealm extends RealmBase {
return forceDnHexEscape;
}
+
public void setForceDnHexEscape(boolean forceDnHexEscape) {
this.forceDnHexEscape = forceDnHexEscape;
}
+
/**
* @return the type of authentication to use.
*/
public String getAuthentication() {
-
return authentication;
-
}
+
/**
* Set the type of authentication to use.
*
* @param authentication The authentication
*/
public void setAuthentication(String authentication) {
-
this.authentication = authentication;
-
}
+
/**
* @return the connection username for this Realm.
*/
public String getConnectionName() {
-
return this.connectionName;
-
}
@@ -559,9 +534,7 @@ public class JNDIRealm extends RealmBase {
* @param connectionName The new connection username
*/
public void setConnectionName(String connectionName) {
-
this.connectionName = connectionName;
-
}
@@ -569,9 +542,7 @@ public class JNDIRealm extends RealmBase {
* @return the connection password for this Realm.
*/
public String getConnectionPassword() {
-
return this.connectionPassword;
-
}
@@ -581,9 +552,7 @@ public class JNDIRealm extends RealmBase {
* @param connectionPassword The new connection password
*/
public void setConnectionPassword(String connectionPassword) {
-
this.connectionPassword = connectionPassword;
-
}
@@ -591,9 +560,7 @@ public class JNDIRealm extends RealmBase {
* @return the connection URL for this Realm.
*/
public String getConnectionURL() {
-
return this.connectionURL;
-
}
@@ -603,9 +570,7 @@ public class JNDIRealm extends RealmBase {
* @param connectionURL The new connection URL
*/
public void setConnectionURL(String connectionURL) {
-
this.connectionURL = connectionURL;
-
}
@@ -613,9 +578,7 @@ public class JNDIRealm extends RealmBase {
* @return the JNDI context factory for this Realm.
*/
public String getContextFactory() {
-
return this.contextFactory;
-
}
@@ -625,11 +588,10 @@ public class JNDIRealm extends RealmBase {
* @param contextFactory The new context factory
*/
public void setContextFactory(String contextFactory) {
-
this.contextFactory = contextFactory;
-
}
+
/**
* @return the derefAliases setting to be used.
*/
@@ -637,33 +599,32 @@ public class JNDIRealm extends RealmBase {
return derefAliases;
}
+
/**
* Set the value for derefAliases to be used when searching the directory.
*
* @param derefAliases New value of property derefAliases.
*/
public void setDerefAliases(java.lang.String derefAliases) {
- this.derefAliases = derefAliases;
+ this.derefAliases = derefAliases;
}
+
/**
* @return the protocol to be used.
*/
public String getProtocol() {
-
return protocol;
-
}
+
/**
* Set the protocol for this Realm.
*
* @param protocol The new protocol.
*/
public void setProtocol(String protocol) {
-
this.protocol = protocol;
-
}
@@ -707,9 +668,7 @@ public class JNDIRealm extends RealmBase {
* @return the base element for user searches.
*/
public String getUserBase() {
-
return this.userBase;
-
}
@@ -719,9 +678,7 @@ public class JNDIRealm extends RealmBase {
* @param userBase The new base element
*/
public void setUserBase(String userBase) {
-
this.userBase = userBase;
-
}
@@ -729,9 +686,7 @@ public class JNDIRealm extends RealmBase {
* @return the message format pattern for selecting users in this Realm.
*/
public String getUserSearch() {
-
return this.userSearch;
-
}
@@ -741,13 +696,12 @@ public class JNDIRealm extends RealmBase {
* @param userSearch The new user search pattern
*/
public void setUserSearch(String userSearch) {
-
this.userSearch = userSearch;
- if (userSearch == null)
+ if (userSearch == null) {
userSearchFormat = null;
- else
+ } else {
userSearchFormat = new MessageFormat(userSearch);
-
+ }
}
@@ -765,9 +719,7 @@ public class JNDIRealm extends RealmBase {
* @return the "search subtree for users" flag.
*/
public boolean getUserSubtree() {
-
return this.userSubtree;
-
}
@@ -777,9 +729,7 @@ public class JNDIRealm extends RealmBase {
* @param userSubtree The new search flag
*/
public void setUserSubtree(boolean userSubtree) {
-
this.userSubtree = userSubtree;
-
}
@@ -787,7 +737,6 @@ public class JNDIRealm extends RealmBase {
* @return the user role name attribute name for this Realm.
*/
public String getUserRoleName() {
-
return userRoleName;
}
@@ -798,9 +747,7 @@ public class JNDIRealm extends RealmBase {
* @param userRoleName The new userRole name attribute name
*/
public void setUserRoleName(String userRoleName) {
-
this.userRoleName = userRoleName;
-
}
@@ -808,9 +755,7 @@ public class JNDIRealm extends RealmBase {
* @return the base element for role searches.
*/
public String getRoleBase() {
-
return this.roleBase;
-
}
@@ -820,13 +765,12 @@ public class JNDIRealm extends RealmBase {
* @param roleBase The new base element
*/
public void setRoleBase(String roleBase) {
-
this.roleBase = roleBase;
- if (roleBase == null)
+ if (roleBase == null) {
roleBaseFormat = null;
- else
+ } else {
roleBaseFormat = new MessageFormat(roleBase);
-
+ }
}
@@ -834,9 +778,7 @@ public class JNDIRealm extends RealmBase {
* @return the role name attribute name for this Realm.
*/
public String getRoleName() {
-
return this.roleName;
-
}
@@ -846,9 +788,7 @@ public class JNDIRealm extends RealmBase {
* @param roleName The new role name attribute name
*/
public void setRoleName(String roleName) {
-
this.roleName = roleName;
-
}
@@ -856,9 +796,7 @@ public class JNDIRealm extends RealmBase {
* @return the message format pattern for selecting roles in this Realm.
*/
public String getRoleSearch() {
-
return this.roleSearch;
-
}
@@ -868,13 +806,12 @@ public class JNDIRealm extends RealmBase {
* @param roleSearch The new role search pattern
*/
public void setRoleSearch(String roleSearch) {
-
this.roleSearch = roleSearch;
- if (roleSearch == null)
+ if (roleSearch == null) {
roleFormat = null;
- else
+ } else {
roleFormat = new MessageFormat(roleSearch);
-
+ }
}
@@ -892,9 +829,7 @@ public class JNDIRealm extends RealmBase {
* @return the "search subtree for roles" flag.
*/
public boolean getRoleSubtree() {
-
return this.roleSubtree;
-
}
@@ -904,18 +839,15 @@ public class JNDIRealm extends RealmBase {
* @param roleSubtree The new search flag
*/
public void setRoleSubtree(boolean roleSubtree) {
-
this.roleSubtree = roleSubtree;
-
}
+
/**
* @return the "The nested group search flag" flag.
*/
public boolean getRoleNested() {
-
return this.roleNested;
-
}
@@ -925,9 +857,7 @@ public class JNDIRealm extends RealmBase {
* @param roleNested The nested group search flag
*/
public void setRoleNested(boolean roleNested) {
-
this.roleNested = roleNested;
-
}
@@ -935,9 +865,7 @@ public class JNDIRealm extends RealmBase {
* @return the password attribute used to retrieve the user password.
*/
public String getUserPassword() {
-
return this.userPassword;
-
}
@@ -947,9 +875,7 @@ public class JNDIRealm extends RealmBase {
* @param userPassword The new password attribute
*/
public void setUserPassword(String userPassword) {
-
this.userPassword = userPassword;
-
}
@@ -957,6 +883,7 @@ public class JNDIRealm extends RealmBase {
return userRoleAttribute;
}
+
public void setUserRoleAttribute(String userRoleAttribute) {
this.userRoleAttribute = userRoleAttribute;
}
@@ -965,14 +892,10 @@ public class JNDIRealm extends RealmBase {
* @return the message format pattern for selecting users in this Realm.
*/
public String getUserPattern() {
-
return this.userPattern;
-
}
-
-
/**
* Set the message format pattern for selecting users in this Realm.
* This may be one simple pattern, or multiple patterns to be tried,
@@ -984,11 +907,10 @@ public class JNDIRealm extends RealmBase {
* @param userPattern The new user pattern
*/
public void setUserPattern(String userPattern) {
-
this.userPattern = userPattern;
- if (userPattern == null)
+ if (userPattern == null) {
userPatternArray = null;
- else {
+ } else {
userPatternArray = parseUserPatternString(userPattern);
int len = this.userPatternArray.length;
userPatternFormatArray = new MessageFormat[len];
@@ -1006,9 +928,7 @@ public class JNDIRealm extends RealmBase {
* @return Value of property alternateURL.
*/
public String getAlternateURL() {
-
return this.alternateURL;
-
}
@@ -1018,9 +938,7 @@ public class JNDIRealm extends RealmBase {
* @param alternateURL New value of property alternateURL.
*/
public void setAlternateURL(String alternateURL) {
-
this.alternateURL = alternateURL;
-
}
@@ -1028,9 +946,7 @@ public class JNDIRealm extends RealmBase {
* @return the common role
*/
public String getCommonRole() {
-
return commonRole;
-
}
@@ -1040,9 +956,7 @@ public class JNDIRealm extends RealmBase {
* @param commonRole The common role
*/
public void setCommonRole(String commonRole) {
-
this.commonRole = commonRole;
-
}
@@ -1050,9 +964,7 @@ public class JNDIRealm extends RealmBase {
* @return the connection timeout.
*/
public String getConnectionTimeout() {
-
return connectionTimeout;
-
}
@@ -1062,18 +974,15 @@ public class JNDIRealm extends RealmBase {
* @param timeout The new connection timeout
*/
public void setConnectionTimeout(String timeout) {
-
this.connectionTimeout = timeout;
-
}
+
/**
* @return the read timeout.
*/
public String getReadTimeout() {
-
return readTimeout;
-
}
@@ -1083,9 +992,7 @@ public class JNDIRealm extends RealmBase {
* @param timeout The new read timeout
*/
public void setReadTimeout(String timeout) {
-
this.readTimeout = timeout;
-
}
@@ -1113,6 +1020,7 @@ public class JNDIRealm extends RealmBase {
return useDelegatedCredential;
}
+
public void setUseDelegatedCredential(boolean useDelegatedCredential) {
this.useDelegatedCredential = useDelegatedCredential;
}
@@ -1122,6 +1030,7 @@ public class JNDIRealm extends RealmBase {
return spnegoDelegationQop;
}
+
public void setSpnegoDelegationQop(String spnegoDelegationQop) {
this.spnegoDelegationQop = spnegoDelegationQop;
}
@@ -1145,6 +1054,7 @@ public class JNDIRealm extends RealmBase {
return useStartTls;
}
+
/**
* Flag whether StartTLS should be used when connecting to the ldap server
*
@@ -1156,6 +1066,7 @@ public class JNDIRealm extends RealmBase {
this.useStartTls = useStartTls;
}
+
/**
* @return list of the allowed cipher suites when connections are made using
* StartTLS
@@ -1175,6 +1086,7 @@ public class JNDIRealm extends RealmBase {
return this.cipherSuitesArray;
}
+
/**
* Set the allowed cipher suites when opening a connection using StartTLS.
* The cipher suites are expected as a comma separated list.
@@ -1198,6 +1110,7 @@ public class JNDIRealm extends RealmBase {
return this.hostnameVerifier.getClass().getCanonicalName();
}
+
/**
* Set the {@link HostnameVerifier} to be used when opening connections
* using StartTLS. An instance of the given class name will be constructed
@@ -1214,6 +1127,7 @@ public class JNDIRealm extends RealmBase {
}
}
+
/**
* @return the {@link HostnameVerifier} to use for peer certificate
* verification when opening connections using StartTLS.
@@ -1222,8 +1136,7 @@ public class JNDIRealm extends RealmBase {
if (this.hostnameVerifier != null) {
return this.hostnameVerifier;
}
- if (this.hostNameVerifierClassName == null
- || hostNameVerifierClassName.equals("")) {
+ if (this.hostNameVerifierClassName == null || hostNameVerifierClassName.equals("")) {
return null;
}
try {
@@ -1267,6 +1180,7 @@ public class JNDIRealm extends RealmBase {
}
}
+
/**
* Set the {@link SSLSocketFactory} to be used when opening connections
* using StartTLS. An instance of the factory with the given name will be
@@ -1280,6 +1194,7 @@ public class JNDIRealm extends RealmBase {
this.sslSocketFactoryClassName = factoryClassName;
}
+
/**
* Set the ssl protocol to be used for connections using StartTLS.
*
@@ -1290,6 +1205,7 @@ public class JNDIRealm extends RealmBase {
this.sslProtocol = protocol;
}
+
/**
* @return the list of supported ssl protocols by the default
* {@link SSLContext}
@@ -1303,6 +1219,7 @@ public class JNDIRealm extends RealmBase {
}
}
+
private Object constructInstance(String className)
throws ClassNotFoundException, InstantiationException,
IllegalAccessException, IllegalArgumentException, SecurityException, InvocationTargetException, NoSuchMethodException {
@@ -1310,6 +1227,7 @@ public class JNDIRealm extends RealmBase {
return clazz.getConstructor().newInstance();
}
+
// ---------------------------------------------------------- Realm Methods
/**
@@ -1337,10 +1255,11 @@ public class JNDIRealm extends RealmBase {
// Ensure that we have a directory context available
context = open();
- // Occasionally the directory context will timeout. Try one more
- // time before giving up.
try {
+ // Occasionally the directory context will timeout. Try one more
+ // time before giving up.
+
// Authenticate the specified username if possible
principal = authenticate(context, username, credentials);
@@ -1378,8 +1297,9 @@ public class JNDIRealm extends RealmBase {
containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
// close the connection so we know it will be reopened.
- if (context != null)
+ if (context != null) {
close(context);
+ }
// open a new directory context.
context = open();
@@ -1400,26 +1320,20 @@ public class JNDIRealm extends RealmBase {
// Log the problem for posterity
containerLog.error(sm.getString("jndiRealm.exception"), e);
- // Close the connection so that it gets reopened next time
- if (context != null)
+ // close the connection so we know it will be reopened.
+ if (context != null) {
close(context);
+ }
// Return "not authenticated" for this request
- if (containerLog.isDebugEnabled())
+ if (containerLog.isDebugEnabled()) {
containerLog.debug("Returning null principal.");
+ }
return null;
-
}
-
}
- // -------------------------------------------------------- Package Methods
-
-
- // ------------------------------------------------------ Protected Methods
-
-
/**
* Return the Principal associated with the specified username and
* credentials, if there is one; otherwise return <code>null</code>.
@@ -1432,22 +1346,18 @@ public class JNDIRealm extends RealmBase {
*
* @exception NamingException if a directory server error occurs
*/
- public synchronized Principal authenticate(DirContext context,
- String username,
- String credentials)
+ public synchronized Principal authenticate(DirContext context, String username, String credentials)
throws NamingException {
- if (username == null || username.equals("")
- || credentials == null || credentials.equals("")) {
- if (containerLog.isDebugEnabled())
+ if (username == null || username.equals("") || credentials == null || credentials.equals("")) {
+ if (containerLog.isDebugEnabled()) {
containerLog.debug("username null or empty: returning null principal.");
+ }
return null;
}
if (userPatternArray != null) {
- for (int curUserPattern = 0;
- curUserPattern < userPatternFormatArray.length;
- curUserPattern++) {
+ for (int curUserPattern = 0; curUserPattern < userPatternFormatArray.length; curUserPattern++) {
// Retrieve user information
User user = getUser(context, username, credentials, curUserPattern);
if (user != null) {
@@ -1475,12 +1385,14 @@ public class JNDIRealm extends RealmBase {
} else {
// Retrieve user information
User user = getUser(context, username, credentials);
- if (user == null)
+ if (user == null) {
return null;
+ }
// Check the user's credentials
- if (!checkCredentials(context, user, credentials))
+ if (!checkCredentials(context, user, credentials)) {
return null;
+ }
// Search for additional roles
List<String> roles = getRoles(context, user);
@@ -1494,6 +1406,8 @@ public class JNDIRealm extends RealmBase {
}
+ // ------------------------------------------------------ Protected Methods
+
/**
* Return a User object containing information about the user
* with the specified username, if found in the directory;
@@ -1506,9 +1420,7 @@ public class JNDIRealm extends RealmBase {
*
* @see #getUser(DirContext, String, String, int)
*/
- protected User getUser(DirContext context, String username)
- throws NamingException {
-
+ protected User getUser(DirContext context, String username) throws NamingException {
return getUser(context, username, null, -1);
}
@@ -1526,9 +1438,7 @@ public class JNDIRealm extends RealmBase {
*
* @see #getUser(DirContext, String, String, int)
*/
- protected User getUser(DirContext context, String username, String credentials)
- throws NamingException {
-
+ protected User getUser(DirContext context, String username, String credentials) throws NamingException {
return getUser(context, username, credentials, -1);
}
@@ -1551,18 +1461,19 @@ public class JNDIRealm extends RealmBase {
* @return the User object
* @exception NamingException if a directory server error occurs
*/
- protected User getUser(DirContext context, String username,
- String credentials, int curUserPattern)
- throws NamingException {
+ protected User getUser(DirContext context, String username, String credentials, int curUserPattern)
+ throws NamingException {
User user = null;
// Get attributes to retrieve from user entry
- ArrayList<String> list = new ArrayList<String>();
- if (userPassword != null)
+ List<String> list = new ArrayList<String>();
+ if (userPassword != null) {
list.add(userPassword);
- if (userRoleName != null)
+ }
+ if (userRoleName != null) {
list.add(userRoleName);
+ }
if (userRoleAttribute != null) {
list.add(userRoleAttribute);
}
@@ -1594,8 +1505,7 @@ public class JNDIRealm extends RealmBase {
if (userPassword == null && credentials != null && user != null) {
// The password is available. Insert it since it may be required for
// role searches.
- return new User(user.getUserName(), user.getDN(), credentials,
- user.getRoles(), user.getUserRoleId());
+ return new User(user.getUserName(), user.getDN(), credentials, user.getRoles(), user.getUserRoleId());
}
return user;
@@ -1615,11 +1525,8 @@ public class JNDIRealm extends RealmBase {
* @return the User object
* @exception NamingException if a directory server error occurs
*/
- protected User getUserByPattern(DirContext context,
- String username,
- String[] attrIds,
- String dn)
- throws NamingException {
+ protected User getUserByPattern(DirContext context, String username, String[] attrIds, String dn)
+ throws NamingException {
// If no attributes are requested, no need to look for them
if (attrIds == null || attrIds.length == 0) {
@@ -1633,13 +1540,15 @@ public class JNDIRealm extends RealmBase {
} catch (NameNotFoundException e) {
return null;
}
- if (attrs == null)
+ if (attrs == null) {
return null;
+ }
// Retrieve value of userPassword
String password = null;
- if (userPassword != null)
+ if (userPassword != null) {
password = getAttributeValue(userPassword, attrs);
+ }
String userRoleAttrValue = null;
if (userRoleAttribute != null) {
@@ -1648,8 +1557,9 @@ public class JNDIRealm extends RealmBase {
// Retrieve values of userRoleName attribute
ArrayList<String> roles = null;
- if (userRoleName != null)
+ if (userRoleName != null) {
roles = addAttributeValues(userRoleName, attrs, roles);
+ }
return new User(username, dn, password, roles, userRoleAttrValue);
}
@@ -1670,17 +1580,14 @@ public class JNDIRealm extends RealmBase {
* @exception NamingException if a directory server error occurs
* @see #getUserByPattern(DirContext, String, String[], String)
*/
- protected User getUserByPattern(DirContext context,
- String username,
- String credentials,
- String[] attrIds,
- int curUserPattern)
- throws NamingException {
+ protected User getUserByPattern(DirContext context, String username, String credentials, String[] attrIds,
+ int curUserPattern) throws NamingException {
User user = null;
- if (username == null || userPatternFormatArray[curUserPattern] == null)
+ if (username == null || userPatternFormatArray[curUserPattern] == null) {
return null;
+ }
// Form the dn from the user pattern
String dn = userPatternFormatArray[curUserPattern].format(new String[] { username });
@@ -1715,13 +1622,12 @@ public class JNDIRealm extends RealmBase {
* @return the User object
* @exception NamingException if a directory server error occurs
*/
- protected User getUserBySearch(DirContext context,
- String username,
- String[] attrIds)
- throws NamingException {
+ protected User getUserBySearch(DirContext context, String username, String[] attrIds)
+ throws NamingException {
- if (username == null || userSearchFormat == null)
+ if (username == null || userSearchFormat == null) {
return null;
+ }
// Form the search filter
String filter = userSearchFormat.format(new String[] { username });
@@ -1739,12 +1645,12 @@ public class JNDIRealm extends RealmBase {
constraints.setTimeLimit(timeLimit);
// Specify the attributes to be retrieved
- if (attrIds == null)
+ if (attrIds == null) {
attrIds = new String[0];
+ }
constraints.setReturningAttributes(attrIds);
- NamingEnumeration<SearchResult> results =
- context.search(userBase, filter, constraints);
+ NamingEnumeration<SearchResult> results = context.search(userBase, filter, constraints);
try {
// Fail if no entries found
@@ -1753,10 +1659,11 @@ public class JNDIRealm extends RealmBase {
return null;
}
} catch (PartialResultException ex) {
- if (!adCompat)
+ if (!adCompat) {
throw ex;
- else
+ } else {
return null;
+ }
}
// Get result for the first entry found
@@ -1765,29 +1672,34 @@ public class JNDIRealm extends RealmBase {
// Check no further entries were found
try {
if (results.hasMore()) {
- if(containerLog.isInfoEnabled())
+ if (containerLog.isInfoEnabled()) {
containerLog.info("username " + username + " has multiple entries");
+ }
return null;
}
} catch (PartialResultException ex) {
- if (!adCompat)
+ if (!adCompat) {
throw ex;
+ }
}
String dn = getDistinguishedName(context, userBase, result);
- if (containerLog.isTraceEnabled())
+ if (containerLog.isTraceEnabled()) {
containerLog.trace(" entry found for " + username + " with dn " + dn);
+ }
// Get the entry's attributes
Attributes attrs = result.getAttributes();
- if (attrs == null)
+ if (attrs == null) {
return null;
+ }
// Retrieve value of userPassword
String password = null;
- if (userPassword != null)
+ if (userPassword != null) {
password = getAttributeValue(userPassword, attrs);
+ }
String userRoleAttrValue = null;
if (userRoleAttribute != null) {
@@ -1796,8 +1708,9 @@ public class JNDIRealm extends RealmBase {
// Retrieve values of userRoleName attribute
ArrayList<String> roles = null;
- if (userRoleName != null)
+ if (userRoleName != null) {
roles = addAttributeValues(userRoleName, attrs, roles);
+ }
return new User(username, dn, password, roles, userRoleAttrValue);
} finally {
@@ -1823,30 +1736,25 @@ public class JNDIRealm extends RealmBase {
* @return <code>true</code> if the credentials are validated
* @exception NamingException if a directory server error occurs
*/
- protected boolean checkCredentials(DirContext context,
- User user,
- String credentials)
- throws NamingException {
+ protected boolean checkCredentials(DirContext context, User user, String credentials) throws NamingException {
- boolean validated = false;
+ boolean validated = false;
- if (userPassword == null) {
- validated = bindAsUser(context, user, credentials);
- } else {
- validated = compareCredentials(context, user, credentials);
- }
+ if (userPassword == null) {
+ validated = bindAsUser(context, user, credentials);
+ } else {
+ validated = compareCredentials(context, user, credentials);
+ }
- if (containerLog.isTraceEnabled()) {
- if (validated) {
- containerLog.trace(sm.getString("jndiRealm.authenticateSuccess",
- user.getUserName()));
- } else {
- containerLog.trace(sm.getString("jndiRealm.authenticateFailure",
- user.getUserName()));
- }
- }
- return validated;
- }
+ if (containerLog.isTraceEnabled()) {
+ if (validated) {
+ containerLog.trace(sm.getString("jndiRealm.authenticateSuccess", user.getUserName()));
+ } else {
+ containerLog.trace(sm.getString("jndiRealm.authenticateFailure", user.getUserName()));
+ }
+ }
+ return validated;
+ }
/**
@@ -1859,17 +1767,15 @@ public class JNDIRealm extends RealmBase {
* @return <code>true</code> if the credentials are validated
* @exception NamingException if a directory server error occurs
*/
- protected boolean compareCredentials(DirContext context,
- User info,
- String credentials)
- throws NamingException {
-
+ protected boolean compareCredentials(DirContext context, User info, String credentials) throws NamingException {
// Validate the credentials specified by the user
- if (containerLog.isTraceEnabled())
+ if (containerLog.isTraceEnabled()) {
containerLog.trace(" validating credentials");
+ }
- if (info == null || credentials == null)
+ if (info == null || credentials == null) {
return false;
+ }
String password = info.getPassword();
@@ -1886,21 +1792,20 @@ public class JNDIRealm extends RealmBase {
* @return <code>true</code> if the credentials are validated
* @exception NamingException if a directory server error occurs
*/
- protected boolean bindAsUser(DirContext context,
- User user,
- String credentials)
- throws NamingException {
+ protected boolean bindAsUser(DirContext context, User user, String credentials) throws NamingException {
- if (credentials == null || user == null)
- return false;
+ if (credentials == null || user == null) {
+ return false;
+ }
- String dn = user.getDN();
- if (dn == null)
- return false;
+ String dn = user.getDN();
+ if (dn == null) {
+ return false;
+ }
- // Validate the credentials specified by the user
- if (containerLog.isTraceEnabled()) {
- containerLog.trace(" validating credentials by binding as the user");
+ // Validate the credentials specified by the user
+ if (containerLog.isTraceEnabled()) {
+ containerLog.trace(" validating credentials by binding as the user");
}
userCredentialsAdd(context, dn, credentials);
@@ -1925,48 +1830,47 @@ public class JNDIRealm extends RealmBase {
return validated;
}
- /**
- * Configure the context to use the provided credentials for
- * authentication.
- *
- * @param context DirContext to configure
- * @param dn Distinguished name of user
- * @param credentials Credentials of user
- * @exception NamingException if a directory server error occurs
- */
- private void userCredentialsAdd(DirContext context, String dn,
- String credentials) throws NamingException {
+
+ /**
+ * Configure the context to use the provided credentials for
+ * authentication.
+ *
+ * @param context DirContext to configure
+ * @param dn Distinguished name of user
+ * @param credentials Credentials of user
+ * @exception NamingException if a directory server error occurs
+ */
+ private void userCredentialsAdd(DirContext context, String dn, String credentials) throws NamingException {
// Set up security environment to bind as the user
context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
context.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
}
+
/**
* Configure the context to use {@link #connectionName} and
* {@link #connectionPassword} if specified or an anonymous connection if
* those attributes are not specified.
*
- * @param context DirContext to configure
- * @exception NamingException if a directory server error occurs
+ * @param context DirContext to configure
+ * @exception NamingException if a directory server error occurs
*/
- private void userCredentialsRemove(DirContext context)
- throws NamingException {
+ private void userCredentialsRemove(DirContext context) throws NamingException {
// Restore the original security environment
if (connectionName != null) {
- context.addToEnvironment(Context.SECURITY_PRINCIPAL,
- connectionName);
+ context.addToEnvironment(Context.SECURITY_PRINCIPAL, connectionName);
} else {
context.removeFromEnvironment(Context.SECURITY_PRINCIPAL);
}
if (connectionPassword != null) {
- context.addToEnvironment(Context.SECURITY_CREDENTIALS,
- connectionPassword);
+ context.addToEnvironment(Context.SECURITY_CREDENTIALS, connectionPassword);
} else {
context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
}
}
+
/**
* Return a List of roles associated with the given User. Any
* roles present in the user's directory entry are supplemented by
@@ -1978,21 +1882,23 @@ public class JNDIRealm extends RealmBase {
* @return the list of role names
* @exception NamingException if a directory server error occurs
*/
- protected List<String> getRoles(DirContext context, User user)
- throws NamingException {
+ protected List<String> getRoles(DirContext context, User user) throws NamingException {
- if (user == null)
+ if (user == null) {
return null;
+ }
String dn = user.getDN();
String username = user.getUserName();
String userRoleId = user.getUserRoleId();
- if (dn == null || username == null)
+ if (dn == null || username == null) {
return null;
+ }
- if (containerLog.isTraceEnabled())
+ if (containerLog.isTraceEnabled()) {
containerLog.trace(" getRoles(" + dn + ")");
+ }
// Start with roles retrieved from the user entry
List<String> list = new ArrayList<String>();
@@ -2000,8 +1906,9 @@ public class JNDIRealm extends RealmBase {
if (userRoles != null) {
list.addAll(userRoles);
}
- if (commonRole != null)
+ if (commonRole != null) {
list.add(commonRole);
+ }
if (containerLog.isTraceEnabled()) {
containerLog.trace(" Found " + list.size() + " user internal roles");
@@ -2009,16 +1916,18 @@ public class JNDIRealm extends RealmBase {
}
// Are we configured to do role searches?
- if ((roleFormat == null) || (roleName == null))
+ if ((roleFormat == null) || (roleName == null)) {
return list;
+ }
// Set up parameters for an appropriate search
String filter = roleFormat.format(new String[] { doRFC2254Encoding(dn), username, userRoleId });
SearchControls controls = new SearchControls();
- if (roleSubtree)
+ if (roleSubtree) {
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
- else
+ } else {
controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
+ }
controls.setReturningAttributes(new String[] {roleName});
String base = null;
@@ -2038,16 +1947,18 @@ public class JNDIRealm extends RealmBase {
NamingEnumeration<SearchResult> results = searchAsUser(context, user, base, filter, controls,
isRoleSearchAsUser());
- if (results == null)
+ if (results == null) {
return list; // Should never happen, but just in case ...
+ }
- HashMap<String, String> groupMap = new HashMap<String, String>();
+ Map<String, String> groupMap = new HashMap<String, String>();
try {
while (results.hasMore()) {
SearchResult result = results.next();
Attributes attrs = result.getAttributes();
- if (attrs == null)
+ if (attrs == null) {
continue;
+ }
String dname = getDistinguishedName(context, roleBase, result);
String name = getAttributeValue(roleName, attrs);
if (name != null && dname != null) {
@@ -2055,8 +1966,9 @@ public class JNDIRealm extends RealmBase {
}
}
} catch (PartialResultException ex) {
- if (!adCompat)
+ if (!adCompat) {
throw ex;
+ }
} finally {
results.close();
}
@@ -2088,15 +2000,15 @@ public class JNDIRealm extends RealmBase {
containerLog.trace("Perform a nested group search with base "+ roleBase + " and filter " + filter);
}
- results = searchAsUser(context, user, roleBase, filter, controls,
- isRoleSearchAsUser());
+ results = searchAsUser(context, user, roleBase, filter, controls, isRoleSearchAsUser());
try {
while (results.hasMore()) {
SearchResult result = results.next();
Attributes attrs = result.getAttributes();
- if (attrs == null)
+ if (attrs == null) {
continue;
+ }
String dname = getDistinguishedName(context, roleBase, result);
String name = getAttributeValue(roleName, attrs);
if (name != null && dname != null && !groupMap.keySet().contains(dname)) {
@@ -2106,12 +2018,12 @@ public class JNDIRealm extends RealmBase {
if (containerLog.isTraceEnabled()) {
containerLog.trace(" Found nested role " + dname + " -> " + name);
}
-
}
- }
+ }
} catch (PartialResultException ex) {
- if (!adCompat)
+ if (!adCompat) {
throw ex;
+ }
} finally {
results.close();
}
@@ -2125,6 +2037,7 @@ public class JNDIRealm extends RealmBase {
return list;
}
+
/**
* Perform the search on the context as the {@code dn}, when
* {@code searchAsUser} is {@code true}, otherwise search the context with
@@ -2147,8 +2060,7 @@ public class JNDIRealm extends RealmBase {
* @throws NamingException
* if a directory server error occurs
*/
- private NamingEnumeration<SearchResult> searchAsUser(DirContext context,
- User user, String base, String filter,
+ private NamingEnumeration<SearchResult> searchAsUser(DirContext context, User user, String base, String filter,
SearchControls controls, boolean searchAsUser) throws NamingException {
NamingEnumeration<SearchResult> results;
try {
@@ -2173,26 +2085,30 @@ public class JNDIRealm extends RealmBase {
* @return the attribute value
* @exception NamingException if a directory server error occurs
*/
- private String getAttributeValue(String attrId, Attributes attrs)
- throws NamingException {
+ private String getAttributeValue(String attrId, Attributes attrs) throws NamingException {
- if (containerLog.isTraceEnabled())
+ if (containerLog.isTraceEnabled()) {
containerLog.trace(" retrieving attribute " + attrId);
+ }
- if (attrId == null || attrs == null)
+ if (attrId == null || attrs == null) {
return null;
+ }
Attribute attr = attrs.get(attrId);
- if (attr == null)
+ if (attr == null) {
return null;
+ }
Object value = attr.get();
- if (value == null)
+ if (value == null) {
return null;
+ }
String valueString = null;
- if (value instanceof byte[])
+ if (value instanceof byte[]) {
valueString = new String((byte[]) value);
- else
+ } else {
valueString = value.toString();
+ }
return valueString;
}
@@ -2207,20 +2123,22 @@ public class JNDIRealm extends RealmBase {
* @return the list of attribute values
* @exception NamingException if a directory server error occurs
*/
- private ArrayList<String> addAttributeValues(String attrId,
- Attributes attrs,
- ArrayList<String> values)
- throws NamingException{
+ private ArrayList<String> addAttributeValues(String attrId, Attributes attrs, ArrayList<String> values)
+ throws NamingException {
- if (containerLog.isTraceEnabled())
+ if (containerLog.isTraceEnabled()) {
containerLog.trace(" retrieving values for attribute " + attrId);
- if (attrId == null || attrs == null)
+ }
+ if (attrId == null || attrs == null) {
return values;
- if (values == null)
+ }
+ if (values == null) {
values = new ArrayList<String>();
+ }
Attribute attr = attrs.get(attrId);
- if (attr == null)
+ if (attr == null) {
return values;
+ }
NamingEnumeration<?> e = attr.getAll();
try {
while(e.hasMore()) {
@@ -2228,8 +2146,9 @@ public class JNDIRealm extends RealmBase {
values.add(value);
}
} catch (PartialResultException ex) {
- if (!adCompat)
+ if (!adCompat) {
throw ex;
+ }
} finally {
e.close();
}
@@ -2245,8 +2164,9 @@ public class JNDIRealm extends RealmBase {
protected void close(DirContext context) {
// Do nothing if there is no opened connection
- if (context == null)
+ if (context == null) {
return;
+ }
// Close tls startResponse if used
if (tls != null) {
@@ -2258,14 +2178,14 @@ public class JNDIRealm extends RealmBase {
}
// Close our opened connection
try {
- if (containerLog.isDebugEnabled())
+ if (containerLog.isDebugEnabled()) {
containerLog.debug("Closing directory context");
+ }
context.close();
} catch (NamingException e) {
containerLog.error(sm.getString("jndiRealm.close"), e);
}
this.context = null;
-
}
@@ -2299,9 +2219,9 @@ public class JNDIRealm extends RealmBase {
} catch (NamingException e) {
return null;
}
-
}
+
/**
* Get the principal associated with the specified certificate.
* @param username The user name
@@ -2312,9 +2232,9 @@ public class JNDIRealm extends RealmBase {
return getPrincipal(username, null);
}
+
@Override
- protected Principal getPrincipal(GSSName gssName,
- GSSCredential gssCredential) {
+ protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
String name = gssName.toString();
if (isStripRealmForGss()) {
@@ -2328,15 +2248,14 @@ public class JNDIRealm extends RealmBase {
return getPrincipal(name, gssCredential);
}
+
@Override
- protected Principal getPrincipal(String username,
- GSSCredential gssCredential) {
+ protected Principal getPrincipal(String username, GSSCredential gssCredential) {
DirContext context = null;
Principal principal = null;
try {
-
// Ensure that we have a directory context available
context = open();
@@ -2353,8 +2272,9 @@ public class JNDIRealm extends RealmBase {
containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
// close the connection so we know it will be reopened.
- if (context != null)
+ if (context != null) {
close(context);
+ }
// open a new directory context.
context = open();
@@ -2368,8 +2288,9 @@ public class JNDIRealm extends RealmBase {
containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
// close the connection so we know it will be reopened.
- if (context != null)
+ if (context != null) {
close(context);
+ }
// open a new directory context.
context = open();
@@ -2379,7 +2300,6 @@ public class JNDIRealm extends RealmBase {
}
-
// Release this context
release(context);
@@ -2387,7 +2307,6 @@ public class JNDIRealm extends RealmBase {
return principal;
} catch (NamingException e) {
-
// Log the problem for posterity
containerLog.error(sm.getString("jndiRealm.exception"), e);
@@ -2397,10 +2316,7 @@ public class JNDIRealm extends RealmBase {
// Return "not authenticated" for this request
return null;
-
}
-
-
}
@@ -2412,9 +2328,8 @@ public class JNDIRealm extends RealmBase {
* @return the Principal associated with the given certificate.
* @exception NamingException if a directory server error occurs
*/
- protected synchronized Principal getPrincipal(DirContext context,
- String username, GSSCredential gssCredential)
- throws NamingException {
+ protected synchronized Principal getPrincipal(DirContext context, String username, GSSCredential gssCredential)
+ throws NamingException {
User user = null;
List<String> roles = null;
@@ -2425,12 +2340,9 @@ public class JNDIRealm extends RealmBase {
// Preserve the current context environment parameters
preservedEnvironment = context.getEnvironment();
// Set up context
- context.addToEnvironment(
- Context.SECURITY_AUTHENTICATION, "GSSAPI");
- context.addToEnvironment(
- "javax.security.sasl.server.authentication", "true");
- context.addToEnvironment(
- "javax.security.sasl.qop", spnegoDelegationQop);
+ context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "GSSAPI");
+ context.addToEnvironment("javax.security.sasl.server.authentication", "true");
+ context.addToEnvironment("javax.security.sasl.qop", spnegoDelegationQop);
// Note: Subject already set in SPNEGO authenticator so no need
// for Subject.doAs() here
}
@@ -2440,23 +2352,20 @@ public class JNDIRealm extends RealmBase {
}
} finally {
if (gssCredential != null && isUseDelegatedCredential()) {
- restoreEnvironmentParameter(context,
- Context.SECURITY_AUTHENTICATION, preservedEnvironment);
- restoreEnvironmentParameter(context,
- "javax.security.sasl.server.authentication", preservedEnvironment);
- restoreEnvironmentParameter(context, "javax.security.sasl.qop",
- preservedEnvironment);
+ restoreEnvironmentParameter(context, Context.SECURITY_AUTHENTICATION, preservedEnvironment);
+ restoreEnvironmentParameter(context, "javax.security.sasl.server.authentication", preservedEnvironment);
+ restoreEnvironmentParameter(context, "javax.security.sasl.qop", preservedEnvironment);
}
}
if (user != null) {
- return new GenericPrincipal(user.getUserName(), user.getPassword(),
- roles, null, null, gssCredential);
+ return new GenericPrincipal(user.getUserName(), user.getPassword(), roles, null, null, gssCredential);
}
return null;
}
+
private void restoreEnvironmentParameter(DirContext context,
String parameterName, Hashtable<?, ?> preservedEnvironment) {
try {
@@ -2470,6 +2379,7 @@ public class JNDIRealm extends RealmBase {
}
}
+
/**
* Open (if necessary) and return a connection to the configured
* directory server for this Realm.
@@ -2479,8 +2389,9 @@ public class JNDIRealm extends RealmBase {
protected DirContext open() throws NamingException {
// Do nothing if there is a directory server connection already open
- if (context != null)
+ if (context != null) {
return context;
+ }
try {
@@ -2498,27 +2409,21 @@ public class JNDIRealm extends RealmBase {
// Not possible to reach this point and not throw an exception.
// Later versions of Java allow us to simply use "throw e" here.
}
-
connectionAttempt = 1;
-
// log the first exception.
containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
-
// Try connecting to the alternate url.
context = createDirContext(getDirectoryContextEnvironment());
-
} finally {
-
// reset it in case the connection times out.
// the primary may come back.
connectionAttempt = 0;
-
}
return context;
-
}
+
private DirContext createDirContext(Hashtable<String, String> env) throws NamingException {
if (useStartTls) {
return createTlsDirContext(env);
@@ -2527,13 +2432,13 @@ public class JNDIRealm extends RealmBase {
}
}
+
private SSLSocketFactory getSSLSocketFactory() {
if (sslSocketFactory != null) {
return sslSocketFactory;
}
final SSLSocketFactory result;
- if (this.sslSocketFactoryClassName != null
- && !sslSocketFactoryClassName.trim().equals("")) {
+ if (this.sslSocketFactoryClassName != null && !sslSocketFactoryClassName.trim().equals("")) {
result = createSSLSocketFactoryFromClassName(this.sslSocketFactoryClassName);
} else {
result = createSSLContextFactoryFromProtocol(sslProtocol);
@@ -2542,6 +2447,7 @@ public class JNDIRealm extends RealmBase {
return result;
}
+
private SSLSocketFactory createSSLSocketFactoryFromClassName(String className) {
try {
Object o = constructInstance(className);
@@ -2583,6 +2489,7 @@ public class JNDIRealm extends RealmBase {
}
}
+
private SSLSocketFactory createSSLContextFactoryFromProtocol(String protocol) {
try {
SSLContext sslContext;
@@ -2600,14 +2507,13 @@ public class JNDIRealm extends RealmBase {
sm.getString("jndiRealm.invalidSslProtocol", protocol,
allowedProtocols), e);
} catch (KeyManagementException e) {
- List<String> allowedProtocols = Arrays
- .asList(getSupportedSslProtocols());
- throw new IllegalArgumentException(
- sm.getString("jndiRealm.invalidSslProtocol", protocol,
- allowedProtocols), e);
+ List<String> allowedProtocols = Arrays.asList(getSupportedSslProtocols());
+ throw new IllegalArgumentException(sm.getString("jndiRealm.invalidSslProtocol",
+ protocol, allowedProtocols), e);
}
}
+
/**
* Create a tls enabled LdapContext and set the StartTlsResponse tls
* instance variable.
@@ -2618,12 +2524,10 @@ public class JNDIRealm extends RealmBase {
* @throws NamingException
* when something goes wrong while negotiating the connection
*/
- private DirContext createTlsDirContext(
- Hashtable<String, String> env) throws NamingException {
+ private DirContext createTlsDirContext(Hashtable<String, String> env) throws NamingException {
Map<String, Object> savedEnv = new HashMap<String, Object>();
- for (String key : Arrays.asList(Context.SECURITY_AUTHENTICATION,
- Context.SECURITY_CREDENTIALS, Context.SECURITY_PRINCIPAL,
- Context.SECURITY_PROTOCOL)) {
+ for (String key : Arrays.asList(Context.SECURITY_AUTHENTICATION, Context.SECURITY_CREDENTIALS,
+ Context.SECURITY_PRINCIPAL, Context.SECURITY_PROTOCOL)) {
Object entry = env.remove(key);
if (entry != null) {
savedEnv.put(key, entry);
@@ -2632,8 +2536,7 @@ public class JNDIRealm extends RealmBase {
LdapContext result = null;
try {
result = new InitialLdapContext(env, null);
- tls = (StartTlsResponse) result
- .extendedOperation(new StartTlsRequest());
+ tls = (StartTlsResponse) result.extendedOperation(new StartTlsRequest());
if (getHostnameVerifier() != null) {
tls.setHostnameVerifier(getHostnameVerifier());
}
@@ -2642,22 +2545,21 @@ public class JNDIRealm extends RealmBase {
}
try {
SSLSession negotiate = tls.negotiate(getSSLSocketFactory());
- containerLog.debug(sm.getString("jndiRealm.negotiatedTls",
- negotiate.getProtocol()));
+ containerLog.debug(sm.getString("jndiRealm.negotiatedTls", negotiate.getProtocol()));
} catch (IOException e) {
throw new NamingException(e.getMessage());
}
} finally {
if (result != null) {
for (Map.Entry<String, Object> savedEntry : savedEnv.entrySet()) {
- result.addToEnvironment(savedEntry.getKey(),
- savedEntry.getValue());
+ result.addToEnvironment(savedEntry.getKey(), savedEntry.getValue());
}
}
}
return result;
}
+
/**
* Create our directory context configuration.
*
@@ -2668,31 +2570,41 @@ public class JNDIRealm extends RealmBase {
Hashtable<String,String> env = new Hashtable<String,String>();
// Configure our directory context environment.
- if (containerLog.isDebugEnabled() && connectionAttempt == 0)
+ if (containerLog.isDebugEnabled() && connectionAttempt == 0) {
containerLog.debug("Connecting to URL " + connectionURL);
- else if (containerLog.isDebugEnabled() && connectionAttempt > 0)
+ } else if (containerLog.isDebugEnabled() && connectionAttempt > 0) {
containerLog.debug("Connecting to URL " + alternateURL);
+ }
env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
- if (connectionName != null)
+ if (connectionName != null) {
env.put(Context.SECURITY_PRINCIPAL, connectionName);
- if (connectionPassword != null)
+ }
+ if (connectionPassword != null) {
env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
- if (connectionURL != null && connectionAttempt == 0)
+ }
+ if (connectionURL != null && connectionAttempt == 0) {
env.put(Context.PROVIDER_URL, connectionURL);
- else if (alternateURL != null && connectionAttempt > 0)
+ } else if (alternateURL != null && connectionAttempt > 0) {
env.put(Context.PROVIDER_URL, alternateURL);
- if (authentication != null)
+ }
+ if (authentication != null) {
env.put(Context.SECURITY_AUTHENTICATION, authentication);
- if (protocol != null)
+ }
+ if (protocol != null) {
env.put(Context.SECURITY_PROTOCOL, protocol);
- if (referrals != null)
+ }
+ if (referrals != null) {
env.put(Context.REFERRAL, referrals);
- if (derefAliases != null)
+ }
+ if (derefAliases != null) {
env.put(JNDIRealm.DEREF_ALIASES, derefAliases);
- if (connectionTimeout != null)
+ }
+ if (connectionTimeout != null) {
env.put("com.sun.jndi.ldap.connect.timeout", connectionTimeout);
- if (readTimeout != null)
+ }
+ if (readTimeout != null) {
env.put("com.sun.jndi.ldap.read.timeout", readTimeout);
+ }
return env;
@@ -2705,15 +2617,12 @@ public class JNDIRealm extends RealmBase {
* @param context The directory context to release
*/
protected void release(DirContext context) {
-
// NO-OP since we are not pooling anything
-
}
// ------------------------------------------------------ Lifecycle Methods
-
/**
* Prepare for the beginning of active use of the public methods of this
* component and implement the requirements of
@@ -2748,16 +2657,15 @@ public class JNDIRealm extends RealmBase {
* @exception LifecycleException if this component detects a fatal error
* that needs to be reported
*/
- @Override
+ @Override
protected void stopInternal() throws LifecycleException {
-
super.stopInternal();
-
// Close any open directory server connection
close(this.context);
}
+
/**
* Given a string containing LDAP patterns for user locations (separated by
* parentheses in a pseudo-LDAP search string format -
@@ -2771,7 +2679,7 @@ public class JNDIRealm extends RealmBase {
protected String[] parseUserPatternString(String userPatternString) {
if (userPatternString != null) {
- ArrayList<String> pathList = new ArrayList<String>();
+ List<String> pathList = new ArrayList<String>();
int startParenLoc = userPatternString.indexOf('(');
if (startParenLoc == -1) {
// no parens here; return whole thing
@@ -2792,8 +2700,7 @@ public class JNDIRealm extends RealmBase {
while (userPatternString.charAt(endParenLoc - 1) == '\\') {
endParenLoc = userPatternString.indexOf(')', endParenLoc+1);
}
- String nextPathPart = userPatternString.substring
- (startParenLoc+1, endParenLoc);
+ String nextPathPart = userPatternString.substring(startParenLoc+1, endParenLoc);
pathList.add(nextPathPart);
startingPoint = endParenLoc+1;
startParenLoc = userPatternString.indexOf('(', startingPoint);
@@ -2801,7 +2708,6 @@ public class JNDIRealm extends RealmBase {
return pathList.toArray(new String[] {});
}
return null;
-
}
@@ -2857,49 +2763,42 @@ public class JNDIRealm extends RealmBase {
* @return String containing the distinguished name
* @exception NamingException if a directory server error occurs
*/
- protected String getDistinguishedName(DirContext context, String base,
- SearchResult result) throws NamingException {
+ protected String getDistinguishedName(DirContext context, String base, SearchResult result) throws NamingException {
// Get the entry's distinguished name. For relative results, this means
// we need to composite a name with the base name, the context name, and
// the result name. For non-relative names, use the returned name.
+ String resultName = result.getName();
Name name;
if (result.isRelative()) {
- if (containerLog.isTraceEnabled()) {
- containerLog.trace(" search returned relative name: " +
- result.getName());
- }
- NameParser parser = context.getNameParser("");
- Name contextName = parser.parse(context.getNameInNamespace());
- Name baseName = parser.parse(base);
-
- // Bugzilla 32269
- Name entryName =
- parser.parse(new CompositeName(result.getName()).get(0));
-
- name = contextName.addAll(baseName);
- name = name.addAll(entryName);
+ if (containerLog.isTraceEnabled()) {
+ containerLog.trace(" search returned relative name: " + resultName);
+ }
+ NameParser parser = context.getNameParser("");
+ Name contextName = parser.parse(context.getNameInNamespace());
+ Name baseName = parser.parse(base);
+
+ // Bugzilla 32269
+ Name entryName = parser.parse(new CompositeName(resultName).get(0));
+
+ name = contextName.addAll(baseName);
+ name = name.addAll(entryName);
} else {
- String absoluteName = result.getName();
- if (containerLog.isTraceEnabled())
- containerLog.trace(" search returned absolute name: " +
- result.getName());
- try {
- // Normalize the name by running it through the name parser.
- NameParser parser = context.getNameParser("");
- URI userNameUri = new URI(absoluteName);
- String pathComponent = userNameUri.getPath();
- // Should not ever have an empty path component, since that is /{DN}
- if (pathComponent.length() < 1 ) {
- throw new InvalidNameException(
- "Search returned unparseable absolute name: " +
- absoluteName );
- }
- name = parser.parse(pathComponent.substring(1));
- } catch ( URISyntaxException e ) {
- throw new InvalidNameException(
- "Search returned unparseable absolute name: " +
- absoluteName );
- }
+ if (containerLog.isTraceEnabled()) {
+ containerLog.trace(" search returned absolute name: " + resultName);
+ }
+ try {
+ // Normalize the name by running it through the name parser.
+ NameParser parser = context.getNameParser("");
+ URI userNameUri = new URI(resultName);
+ String pathComponent = userNameUri.getPath();
+ // Should not ever have an empty path component, since that is /{DN}
+ if (pathComponent.length() < 1 ) {
+ throw new InvalidNameException("Search returned unparseable absolute name: " + resultName);
+ }
+ name = parser.parse(pathComponent.substring(1));
+ } catch ( URISyntaxException e ) {
+ throw new InvalidNameException("Search returned unparseable absolute name: " + resultName);
+ }
}
if (getForceDnHexEscape()) {
@@ -2987,7 +2886,7 @@ public class JNDIRealm extends RealmBase {
}
- // ------------------------------------------------------ Private Classes
+ // ------------------------------------------------------ Protected Classes
/**
* A protected class representing a User
@@ -3000,9 +2899,7 @@ public class JNDIRealm extends RealmBase {
private final List<String> roles;
private final String userRoleId;
-
- public User(String username, String dn, String password,
- List<String> roles, String userRoleId) {
+ public User(String username, String dn, String password, List<String> roles, String userRoleId) {
this.username = username;
this.dn = dn;
this.password = password;
@@ -3035,4 +2932,3 @@ public class JNDIRealm extends RealmBase {
}
}
}
-
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org