You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by ak...@apache.org on 2008/06/02 16:00:26 UTC
svn commit: r662440 [2/8] - in /directory:
apacheds/branches/bigbang/core-integ/src/main/java/org/apache/directory/server/core/integ/
apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authn/
apacheds/branches/bigbang/c...
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java Mon Jun 2 07:00:23 2008
@@ -34,9 +34,6 @@
import org.apache.directory.shared.ldap.ldif.LdifEntry;
import org.apache.directory.shared.ldap.name.LdapDN;
-import javax.naming.Context;
-import javax.naming.directory.Attributes;
-import javax.naming.ldap.LdapContext;
import java.io.File;
import java.util.List;
import java.util.Set;
@@ -140,68 +137,38 @@
*/
boolean isStarted();
-
- /**
- * Gets a JNDI {@link Context} to the RootDSE as an anonymous user.
- * This bypasses authentication within the server.
- *
- * @return a JNDI context to the RootDSE
- * @throws Exception if failed to create a context
- */
- LdapContext getJndiContext() throws Exception;
-
-
+
/**
- * Gets a JNDI {@link Context} to a specific entry as an anonymous user.
- * This bypasses authentication within the server.
+ * Gets a logical session to perform operations on this DirectoryService
+ * as the anonymous user. This bypasses authentication without
+ * propagating a bind operation into the core.
*
- * @param dn the distinguished name of the entry
- * @return a JNDI context to the entry at the specified DN
- * @throws Exception if failed to create a context
+ * @return a logical session as the anonymous user
*/
- LdapContext getJndiContext( String dn ) throws Exception;
-
+ CoreSession getSession() throws Exception;
+
/**
- * Gets a JNDI {@link Context} to the RootDSE as a specific LDAP user principal.
- * This bypasses authentication within the server.
+ * Gets a logical session to perform operations on this DirectoryService
+ * as a specific user. This bypasses authentication without propagating
+ * a bind operation into the core.
*
- * @param principal the user to associate with the context
- * @return a JNDI context to the RootDSE as a specific user
- * @throws Exception if failed to create a context
+ * @return a logical session as a specific user
*/
- LdapContext getJndiContext( LdapPrincipal principal ) throws Exception;
-
+ CoreSession getSession( LdapPrincipal principal ) throws Exception;
+
/**
- * Gets a JNDI {@link Context} to a specific entry as a specific LDAP user principal.
- * This bypasses authentication within the server.
+ * Gets a logical session to perform operations on this DirectoryService
+ * as a specific user with a separate authorization principal. This
+ * bypasses authentication without propagating a bind operation into the
+ * core.
*
- * @param principal the user to associate with the context
- * @param dn the distinguished name of the entry
- * @return a JNDI context to the specified entry as a specific user
- * @throws Exception if failed to create a context
+ * @return a logical session as a specific user
*/
- LdapContext getJndiContext( LdapPrincipal principal, String dn ) throws Exception;
-
-
- /**
- * Returns a JNDI {@link Context} with the specified authentication information
- * (<tt>principal</tt>, <tt>credential</tt>, and <tt>authentication</tt>) and
- * <tt>baseName</tt>.
- *
- * @param principalDn the distinguished name of the bind principal
- * @param principal {@link Context#SECURITY_PRINCIPAL} value
- * @param credential {@link Context#SECURITY_CREDENTIALS} value
- * @param authentication {@link Context#SECURITY_AUTHENTICATION} value
- * @param dn the distinguished name of the entry
- * @return a JNDI context to the specified entry as a specific user
- * @throws Exception if failed to create a context
- */
- LdapContext getJndiContext( LdapDN principalDn, String principal, byte[] credential,
- String authentication, String dn ) throws Exception;
-
+ CoreSession getSession( LdapDN principalDn, byte[] credentials, String authentication ) throws Exception;
+
void setInstanceId( String instanceId );
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java Mon Jun 2 07:00:23 2008
@@ -20,7 +20,6 @@
package org.apache.directory.server.core;
-import java.util.Collection;
import java.util.Iterator;
import org.apache.directory.server.core.entry.ClonedServerEntry;
@@ -154,106 +153,4 @@
* TODO document after determining if this method should be here.
*/
void unbind( UnbindOperationContext opContext ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- ClonedServerEntry getRootDSE( GetRootDSEOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- LdapDN getMatchedName( GetMatchedNameOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- LdapDN getSuffix ( GetSuffixOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- Iterator<String> listSuffixes( ListSuffixOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- boolean compare( CompareOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void delete( DeleteOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void add( AddOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void modify( ModifyOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- EntryFilteringCursor list( ListOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- EntryFilteringCursor search( SearchOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- ClonedServerEntry lookup( LookupOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- boolean hasEntry( EntryOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void rename( RenameOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void move( MoveOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void moveAndRename( MoveAndRenameOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void bind( BindOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
- /**
- * TODO document after determining if this method should be here.
- */
- void unbind( UnbindOperationContext opContext, Collection<String> bypass ) throws Exception;
}
Added: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java?rev=662440&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java (added)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java Mon Jun 2 07:00:23 2008
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.core;
+
+
+/**
+ * Enumeration for referral handling modes.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public enum ReferralHandlingMode
+{
+ THROW( "throw" ), FOLLOW( "follow" ), IGNORE( "ignore" ), THROW_FINDING_BASE( "throw-finding-base" );
+
+
+ private final String jndiValue;
+
+
+ private ReferralHandlingMode( String jndiValue )
+ {
+ this.jndiValue = jndiValue;
+ }
+
+
+ public String getJndiValue()
+ {
+ return jndiValue;
+ }
+}
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java Mon Jun 2 07:00:23 2008
@@ -21,11 +21,8 @@
import org.apache.directory.server.core.DirectoryService;
-import org.apache.directory.server.core.jndi.ServerContext;
import org.apache.directory.shared.ldap.name.LdapDN;
-import javax.naming.NamingException;
-
/**
* Base class for all Authenticators.
@@ -74,7 +71,7 @@
* @param directoryService the directory core for this authenticator
* @throws NamingException if there is a problem starting up the authenticator
*/
- public final void init( DirectoryService directoryService ) throws NamingException
+ public final void init( DirectoryService directoryService ) throws Exception
{
this.directoryService = directoryService;
doInit();
@@ -115,14 +112,10 @@
}
- public abstract LdapPrincipal authenticate( LdapDN bindDn, ServerContext ctx ) throws NamingException;
-
-
/**
* Does nothing leaving it so subclasses can override.
*/
public void invalidateCache( LdapDN bindDn )
{
}
-
}
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java Mon Jun 2 07:00:23 2008
@@ -22,10 +22,9 @@
import javax.naming.NamingException;
-import org.apache.directory.server.core.jndi.ServerContext;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
-import org.apache.directory.shared.ldap.name.LdapDN;
/**
@@ -49,7 +48,7 @@
* If the context is not configured to allow anonymous connections,
* this method throws a {@link javax.naming.NoPermissionException}.
*/
- public LdapPrincipal authenticate( LdapDN bindDn, ServerContext ctx ) throws NamingException
+ public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
{
if ( getDirectoryService().isAllowAnonymousAccess() )
{
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java Mon Jun 2 07:00:23 2008
@@ -29,6 +29,8 @@
import java.util.Map;
import java.util.Set;
+import org.apache.directory.server.core.CoreSession;
+import org.apache.directory.server.core.DefaultCoreSession;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.filtering.EntryFilteringCursor;
@@ -51,17 +53,13 @@
import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.LdapJndiProperties;
-import org.apache.directory.server.core.jndi.ServerContext;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.exception.LdapAuthenticationException;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.StringTools;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.naming.Context;
-
/**
* An {@link Interceptor} that authenticates users.
@@ -80,8 +78,12 @@
private static final boolean IS_DEBUG = LOG.isDebugEnabled();
private Set<Authenticator> authenticators;
- private final Map<String, Collection<Authenticator>> authenticatorsMapByType = new HashMap<String, Collection<Authenticator>>();
+ private final Map<String, Collection<Authenticator>> authenticatorsMapByType =
+ new HashMap<String, Collection<Authenticator>>();
+ private DirectoryService directoryService;
+
+
/**
* Creates an authentication service interceptor.
*/
@@ -89,12 +91,14 @@
{
}
+
/**
* Registers and initializes all {@link Authenticator}s to this service.
*/
public void init( DirectoryService directoryService ) throws Exception
{
-
+ this.directoryService = directoryService;
+
if ( authenticators == null )
{
setDefaultAuthenticators();
@@ -106,6 +110,7 @@
}
}
+
private void setDefaultAuthenticators()
{
Set<Authenticator> set = new HashSet<Authenticator>();
@@ -122,6 +127,7 @@
return authenticators;
}
+
/**
* @param authenticators authenticators to be used by this AuthenticationInterceptor
* @org.apache.xbean.Property nestedType="org.apache.directory.server.core.authn.Authenticator"
@@ -131,6 +137,7 @@
this.authenticators = authenticators;
}
+
/**
* Deinitializes and deregisters all {@link Authenticator}s from this service.
*/
@@ -145,6 +152,7 @@
}
}
+
/**
* Initializes the specified {@link Authenticator} and registers it to
* this service.
@@ -308,6 +316,7 @@
return next.lookup( opContext );
}
+
private void invalidateAuthenticatorCaches( LdapDN principalDn )
{
for ( String authMech : authenticatorsMapByType.keySet() )
@@ -403,65 +412,27 @@
*/
private void checkAuthenticated( OperationContext operation ) throws Exception
{
- try
- {
- checkAuthenticated();
- }
- catch ( IllegalStateException ise )
+ if ( operation.getSession() == null || operation.getSession().getEffectivePrincipal() == null )
{
LOG.error( "Attempted operation {} by unauthenticated caller.", operation.getName() );
-
throw new IllegalStateException( "Attempted operation by unauthenticated caller." );
}
}
- private void checkAuthenticated() throws Exception
- {
- ServerContext ctx = ( ServerContext ) InvocationStack.getInstance().peek().getCaller();
-
- if ( ctx.getPrincipal() != null )
- {
- if ( ctx.getEnvironment().containsKey( Context.SECURITY_CREDENTIALS ) )
- {
- ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
- }
-
- return;
- }
-
- throw new IllegalStateException( "Attempted operation by unauthenticated caller." );
- }
public void bind( NextInterceptor next, BindOperationContext opContext ) throws Exception
{
- // The DN is always normalized here
- LdapDN normBindDn = opContext.getDn();
- String bindUpDn = normBindDn.getUpName();
-
if ( IS_DEBUG )
{
- LOG.debug( "Bind operation. bindDn: " + bindUpDn );
+ LOG.debug( "bind: principal: " + opContext.getPrincipalDn() );
}
- // check if we are already authenticated and if so we return making
- // sure first that the credentials are not exposed within context
- ServerContext ctx = ( ServerContext ) InvocationStack.getInstance().peek().getCaller();
-
- if ( IS_DEBUG )
+ if ( opContext.getSession() != null && opContext.getSession().getEffectivePrincipal() != null )
{
- LOG.debug( "bind: principal: " + ctx.getPrincipal() );
+ // null out the credentials
+ opContext.setCredentials( null );
}
-
- if ( ctx.getPrincipal() != null )
- {
- if ( ctx.getEnvironment().containsKey( Context.SECURITY_CREDENTIALS ) )
- {
- ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
- }
-
- return;
- }
-
+
// pick the first matching authenticator type
Collection<Authenticator> authenticators = null;
@@ -484,12 +455,14 @@
LOG.debug( "Nexus succeeded on bind operation." );
- // bind succeeded if we got this far
- ctx.setPrincipal( new TrustedPrincipalWrapper( new LdapPrincipal( normBindDn, LdapJndiProperties
- .getAuthenticationLevel( ctx.getEnvironment() ) ) ) );
+ // bind succeeded if we got this far
+ // TODO - authentication level not being set
+ LdapPrincipal principal = new LdapPrincipal( opContext.getPrincipalDn(), AuthenticationLevel.SIMPLE );
+ CoreSession session = new DefaultCoreSession( principal, directoryService );
+ opContext.setSession( session );
// remove creds so there is no security risk
- ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
+ opContext.setCredentials( null );
return;
}
@@ -500,13 +473,14 @@
try
{
// perform the authentication
- LdapPrincipal authorizationId = authenticator.authenticate( normBindDn, ctx );
+ LdapPrincipal principal = authenticator.authenticate( opContext );
// authentication was successful
- ctx.setPrincipal( new TrustedPrincipalWrapper( authorizationId ) );
+ CoreSession session = new DefaultCoreSession( principal, directoryService );
+ opContext.setSession( session );
// remove creds so there is no security risk
- ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
+ opContext.setCredentials( null );
return;
}
@@ -515,7 +489,7 @@
// authentication failed, try the next authenticator
if ( LOG.isInfoEnabled() )
{
- LOG.info( "Authenticator " + authenticator.getClass() + " failed to authenticate " + bindUpDn );
+ LOG.info( "Authenticator {} failed to authenticate: {}", authenticator, opContext );
}
}
catch ( Exception e )
@@ -523,7 +497,7 @@
// Log other exceptions than LdapAuthenticationException
if ( LOG.isWarnEnabled() )
{
- LOG.warn( "Unexpected exception from " + authenticator.getClass() + " for principal " + bindUpDn, e );
+ LOG.info( "Unexpected failure for Authenticator {} : {}", authenticator, opContext );
}
}
}
@@ -535,47 +509,4 @@
throw new LdapAuthenticationException();
}
-
- /**
- * FIXME This doesn't secure anything actually.
- * <p/>
- * Created this wrapper to pass to ctx.setPrincipal() which is public for added
- * security. This adds more security because an instance of this class is not
- * easily accessible whereas LdapPrincipals can be accessed easily from a context
- * althought they cannot be instantiated outside of the authn package. Malicious
- * code may not be able to set the principal to what they would like but they
- * could switch existing principals using the now public ServerContext.setPrincipal()
- * method. To avoid this we make sure that this metho takes a TrustedPrincipalWrapper
- * as opposed to the LdapPrincipal. Only this service can create and call setPrincipal
- * with a TrustedPrincipalWrapper.
- */
- public final class TrustedPrincipalWrapper
- {
- /**
- * the wrapped ldap principal
- */
- private final LdapPrincipal principal;
-
-
- /**
- * Creates a TrustedPrincipalWrapper around an LdapPrincipal.
- *
- * @param principal the LdapPrincipal to wrap
- */
- private TrustedPrincipalWrapper( LdapPrincipal principal )
- {
- this.principal = principal;
- }
-
-
- /**
- * Gets the LdapPrincipal this TrustedPrincipalWrapper wraps.
- *
- * @return the wrapped LdapPrincipal
- */
- public LdapPrincipal getPrincipal()
- {
- return principal;
- }
- }
}
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java Mon Jun 2 07:00:23 2008
@@ -21,13 +21,11 @@
import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.jndi.ServerContext;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.shared.ldap.name.LdapDN;
-import javax.naming.Context;
-import javax.naming.NamingException;
-
/**
* Authenticates users who access {@link PartitionNexus}.
@@ -58,7 +56,7 @@
* Called by {@link AuthenticationInterceptor} to indicate that this
* authenticator is being placed into service.
*/
- public void init( DirectoryService directoryService ) throws NamingException;
+ public void init( DirectoryService directoryService ) throws Exception;
/**
@@ -67,6 +65,7 @@
*/
public void destroy();
+
/**
* Callback used to respond to password changes by invalidating a password
* cache if implemented. This is an additional feature of an authenticator
@@ -77,8 +76,9 @@
*/
public void invalidateCache( LdapDN bindDn );
+
/**
* Performs authentication and returns the principal if succeeded.
*/
- public LdapPrincipal authenticate( LdapDN bindDn, ServerContext ctx ) throws NamingException;
+ public LdapPrincipal authenticate( BindOperationContext opContext ) throws Exception;
}
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java Mon Jun 2 07:00:23 2008
@@ -34,11 +34,7 @@
import javax.naming.NamingException;
import org.apache.commons.collections.map.LRUMap;
-import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
-import org.apache.directory.server.core.invocation.Invocation;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.ServerContext;
-import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.normalization.NormalizationInterceptor;
import org.apache.directory.server.core.referral.ReferralInterceptor;
import org.apache.directory.server.core.authz.AciAuthorizationInterceptor;
@@ -52,7 +48,6 @@
import org.apache.directory.server.core.entry.ServerStringValue;
import org.apache.directory.server.core.event.EventInterceptor;
import org.apache.directory.server.core.trigger.TriggerInterceptor;
-import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.LdapSecurityConstants;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
@@ -188,14 +183,13 @@
* @return A byte array which can be empty if the password was not found
* @throws NamingException If we have a problem during the lookup operation
*/
- private LdapPrincipal getStoredPassword( Registries registries, LdapDN principalDN ) throws NamingException
+ private LdapPrincipal getStoredPassword( BindOperationContext opContext ) throws Exception
{
- LdapPrincipal principal;
- String principalNorm = principalDN.getNormName();
+ LdapPrincipal principal = null;
synchronized( credentialCache )
{
- principal = (LdapPrincipal)credentialCache.get( principalNorm );
+ principal = ( LdapPrincipal ) credentialCache.get( opContext.getPrincipalDn().getNormName() );
}
byte[] storedPassword;
@@ -204,7 +198,7 @@
{
// Not found in the cache
// Get the user password from the backend
- storedPassword = lookupUserPassword( registries, principalDN );
+ storedPassword = lookupUserPassword( opContext );
// Deal with the special case where the user didn't enter a password
@@ -217,55 +211,18 @@
}
// Create the new principal before storing it in the cache
- principal = new LdapPrincipal( principalDN, AuthenticationLevel.SIMPLE, storedPassword );
+ principal = new LdapPrincipal( opContext.getPrincipalDn(), AuthenticationLevel.SIMPLE, storedPassword );
// Now, update the local cache.
synchronized( credentialCache )
{
- credentialCache.put( principalDN.getNormName(), principal );
+ credentialCache.put( opContext.getPrincipalDn().getNormName(), principal );
}
}
return principal;
}
- /**
- * Get the user credentials from the environment. It is stored into the
- * ServcerContext.
- *
- * @param ctx the naming context to get the credentials from
- * @return the credentials
- * @throws LdapAuthenticationException if the there are probelms with security
- * credentials provided
- */
- private byte[] getCredentials( ServerContext ctx ) throws LdapAuthenticationException
- {
- Object creds = ctx.getEnvironment().get( Context.SECURITY_CREDENTIALS );
- byte[] credentials;
-
- if ( creds == null )
- {
- credentials = ArrayUtils.EMPTY_BYTE_ARRAY;
- }
- else if ( creds instanceof String )
- {
- credentials = StringTools.getBytesUtf8( ( String ) creds );
- }
- else if ( creds instanceof byte[] )
- {
- // This is the general case. When dealing with a BindRequest operation,
- // received by the server, the credentials are always stored into a byte array
- credentials = (byte[])creds;
- }
- else
- {
- LOG.info( "Incorrect credentials stored in {}", Context.SECURITY_CREDENTIALS );
- throw new LdapAuthenticationException();
- }
-
- return credentials;
- }
-
/**
* Looks up <tt>userPassword</tt> attribute of the entry whose name is the
@@ -297,17 +254,17 @@
*
* The stored password is always using the unsalted form, and is stored as a bytes array.
*/
- public LdapPrincipal authenticate( LdapDN principalDn, ServerContext ctx ) throws NamingException
+ public LdapPrincipal authenticate( BindOperationContext opContext ) throws Exception
{
if ( IS_DEBUG )
{
- LOG.debug( "Authenticating {}", principalDn );
+ LOG.debug( "Authenticating {}", opContext.getPrincipalDn() );
}
// ---- extract password from JNDI environment
- byte[] credentials = getCredentials( ctx );
+ byte[] credentials = opContext.getCredentials();
- LdapPrincipal principal = getStoredPassword( getDirectoryService().getRegistries(), principalDn );
+ LdapPrincipal principal = getStoredPassword( opContext );
// Get the stored password, either from cache or from backend
byte[] storedPassword = principal.getUserPassword();
@@ -318,7 +275,7 @@
{
if ( IS_DEBUG )
{
- LOG.debug( "{} Authenticated", principalDn );
+ LOG.debug( "{} Authenticated", opContext.getPrincipalDn() );
}
return principal;
@@ -347,7 +304,7 @@
{
if ( IS_DEBUG )
{
- LOG.debug( "{} Authenticated", principalDn );
+ LOG.debug( "{} Authenticated", opContext.getPrincipalDn() );
}
return principal;
@@ -355,7 +312,7 @@
else
{
// Bad password ...
- String message = "Password not correct for user '" + principalDn.getUpName() + "'";
+ String message = "Password not correct for user '" + opContext.getPrincipalDn().getUpName() + "'";
LOG.info( message );
throw new LdapAuthenticationException(message);
}
@@ -363,7 +320,7 @@
else
{
// Bad password ...
- String message = "Password not correct for user '" + principalDn.getUpName() + "'";
+ String message = "Password not correct for user '" + opContext.getPrincipalDn().getUpName() + "'";
LOG.info( message );
throw new LdapAuthenticationException(message);
}
@@ -576,23 +533,19 @@
* @return the credentials from the backend
* @throws NamingException if there are problems accessing backend
*/
- private byte[] lookupUserPassword( Registries registries, LdapDN principalDn ) throws NamingException
+ private byte[] lookupUserPassword( BindOperationContext opContext ) throws Exception
{
// ---- lookup the principal entry's userPassword attribute
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
ServerEntry userEntry;
try
{
- LookupOperationContext lookupContex = new LookupOperationContext( registries, new String[] { SchemaConstants.USER_PASSWORD_AT_OID } );
- lookupContex.setDn( principalDn );
-
- userEntry = proxy.lookup( lookupContex, USERLOOKUP_BYPASS );
+ userEntry = opContext.lookup( opContext.getPrincipalDn(), USERLOOKUP_BYPASS );
if ( userEntry == null )
{
- throw new LdapAuthenticationException( "Failed to lookup user for authentication: " + principalDn );
+ throw new LdapAuthenticationException( "Failed to lookup user for authentication: "
+ + opContext.getPrincipalDn() );
}
}
catch ( Exception cause )
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java Mon Jun 2 07:00:23 2008
@@ -22,9 +22,8 @@
import javax.naming.NamingException;
-import org.apache.directory.server.core.jndi.ServerContext;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
-import org.apache.directory.shared.ldap.name.LdapDN;
/**
@@ -51,9 +50,9 @@
* User has already been authenticated during SASL negotiation. Set the authentication level
* to strong and return an {@link LdapPrincipal}.
*/
- public LdapPrincipal authenticate( LdapDN principalDn, ServerContext ctx ) throws NamingException
+ public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
{
// Possibly check if user account is disabled, other account checks.
- return new LdapPrincipal( principalDn, AuthenticationLevel.STRONG );
+ return new LdapPrincipal( opContext.getPrincipalDn(), AuthenticationLevel.STRONG );
}
}
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Mon Jun 2 07:00:23 2008
@@ -21,6 +21,8 @@
import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.directory.server.core.CoreSession;
+import org.apache.directory.server.core.DefaultCoreSession;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.authz.support.ACDFEngine;
@@ -43,14 +45,11 @@
import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
+import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
-import org.apache.directory.server.core.invocation.Invocation;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.ServerContext;
-import org.apache.directory.server.core.jndi.ServerLdapContext;
-import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.core.partition.ByPassConstants;
import org.apache.directory.server.core.subtree.SubentryInterceptor;
import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
@@ -60,6 +59,7 @@
import org.apache.directory.shared.ldap.aci.ACIItemParser;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Modification;
@@ -202,8 +202,13 @@
{
super.init( directoryService );
- tupleCache = new TupleCache( directoryService );
- groupCache = new GroupCache( directoryService );
+ LdapDN adminDn = new LdapDN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
+ adminDn.normalize( directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
+ CoreSession adminSession = new DefaultCoreSession(
+ new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService );
+
+ tupleCache = new TupleCache( adminSession );
+ groupCache = new GroupCache( adminSession );
registries = directoryService.getRegistries();
atRegistry = registries.getAttributeTypeRegistry();
OidRegistry oidRegistry = registries.getOidRegistry();
@@ -269,7 +274,7 @@
* @throws Exception if there are problems accessing attribute values
* @param proxy the partition nexus proxy object
*/
- private void addPerscriptiveAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn,
+ private void addPerscriptiveAciTuples( OperationContext opContext, Collection<ACITuple> tuples, LdapDN dn,
ServerEntry entry ) throws Exception
{
EntryAttribute oc = entry.get( objectClassType );
@@ -287,7 +292,7 @@
{
LdapDN parentDn = ( LdapDN ) dn.clone();
parentDn.remove( dn.size() - 1 );
- entry = proxy.lookup( new LookupOperationContext( registries, parentDn), PartitionNexusProxy.LOOKUP_BYPASS );
+ entry = opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS );
}
EntryAttribute subentries = entry.get( acSubentryType );
@@ -353,7 +358,7 @@
* @throws Exception if there are problems accessing attribute values
* @param proxy the partition nexus proxy object
*/
- private void addSubentryAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn, ServerEntry entry )
+ private void addSubentryAciTuples( OperationContext opContext, Collection<ACITuple> tuples, LdapDN dn, ServerEntry entry )
throws Exception
{
// only perform this for subentries
@@ -366,14 +371,8 @@
// will contain the subentryACI attributes that effect subentries
LdapDN parentDn = ( LdapDN ) dn.clone();
parentDn.remove( dn.size() - 1 );
- ServerEntry administrativeEntry =
- proxy.lookup(
- new LookupOperationContext(
- registries,
- parentDn,
- new String[]
- { SchemaConstants.SUBENTRY_ACI_AT }) ,
- PartitionNexusProxy.LOOKUP_BYPASS ).getOriginalEntry();
+ ServerEntry administrativeEntry = opContext.lookup( parentDn,
+ Collections.singletonList( SchemaConstants.SUBENTRY_ACI_AT ) ).getOriginalEntry();
EntryAttribute subentryAci = administrativeEntry.get( subentryAciType );
@@ -427,8 +426,7 @@
public void add( NextInterceptor next, AddOperationContext addContext ) throws Exception
{
// Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = addContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
ServerEntry serverEntry = addContext.getEntry();
@@ -467,12 +465,11 @@
// Build the total collection of tuples to be considered for add rights
// NOTE: entryACI are NOT considered in adds (it would be a security breech)
- addPerscriptiveAciTuples( invocation.getProxy(), tuples, name, subentryAttrs );
- addSubentryAciTuples( invocation.getProxy(), tuples, name, subentryAttrs );
+ addPerscriptiveAciTuples( addContext, tuples, name, subentryAttrs );
+ addSubentryAciTuples( addContext, tuples, name, subentryAttrs );
// check if entry scope permission is granted
- PartitionNexusProxy proxy = invocation.getProxy();
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, addContext, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
ADD_PERMS, tuples, subentryAttrs, null );
// now we must check if attribute type and value scope permission is granted
@@ -480,8 +477,9 @@
{
for ( Value<?> value:attribute )
{
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attribute
- .getUpId(), value, ADD_PERMS, tuples, serverEntry, null );
+ engine.checkPermission( registries, addContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, attribute.getUpId(), value,
+ ADD_PERMS, tuples, serverEntry, null );
}
}
@@ -505,11 +503,7 @@
{
LdapDN name = deleteContext.getDn();
- // Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
-
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = deleteContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
// bypass authz code if we are disabled
@@ -519,7 +513,7 @@
return;
}
- ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ) , PartitionNexusProxy.LOOKUP_BYPASS );
+ ClonedServerEntry entry = deleteContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
protectCriticalEntries( name );
@@ -534,12 +528,12 @@
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, name, entry );
+ addPerscriptiveAciTuples( deleteContext, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, name, entry );
+ addSubentryAciTuples( deleteContext, tuples, name, entry );
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
- REMOVE_PERMS, tuples, entry, null );
+ engine.checkPermission( registries, deleteContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, null, null, REMOVE_PERMS, tuples, entry, null );
next.delete( deleteContext );
tupleCache.subentryDeleted( name, entry );
@@ -549,15 +543,12 @@
public void modify( NextInterceptor next, ModifyOperationContext opContext ) throws Exception
{
- // Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
LdapDN name = opContext.getDn();
// Access the principal requesting the operation, and bypass checks if it is the admin
- ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ClonedServerEntry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
// bypass authz code if we are disabled
@@ -576,7 +567,7 @@
/**
* @TODO: A virtual entry can be created here for not hitting the backend again.
*/
- ServerEntry modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry modifiedEntry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
tupleCache.subentryModified( name, mods, modifiedEntry );
groupCache.groupModified( name, mods, entry, registries );
return;
@@ -584,11 +575,12 @@
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, name, entry );
+ addPerscriptiveAciTuples( opContext, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, name, entry );
+ addSubentryAciTuples( opContext, tuples, name, entry );
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, opContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, null, null,
Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );
Collection<MicroOperation> perms = null;
@@ -607,7 +599,7 @@
if ( entry.get( attr.getId() ) == null )
{
// ... we also need to check if adding the attribute is permitted
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+ engine.checkPermission( registries, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), name,
attr.getId(), null, perms, tuples, entry, null );
}
@@ -623,8 +615,9 @@
if ( entryAttr.size() == 1 )
{
// ... we also need to check if removing the attribute at all is permitted
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
- attr.getId(), null, perms, tuples, entry, null );
+ engine.checkPermission( registries, opContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, attr.getId(),
+ null, perms, tuples, entry, null );
}
}
@@ -652,8 +645,9 @@
for ( Value<?> value:attr )
{
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
- attr.getId(), value, perms, tuples, entry, entryView );
+ engine.checkPermission( registries, opContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, attr.getId(), value,
+ perms, tuples, entry, entryView );
}
}
@@ -663,21 +657,20 @@
/**
* @TODO: A virtual entry can be created here for not hitting the backend again.
*/
- ServerEntry modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry modifiedEntry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
tupleCache.subentryModified( name, mods, modifiedEntry );
groupCache.groupModified( name, mods, entry, registries );
}
+
public boolean hasEntry( NextInterceptor next, EntryOperationContext entryContext ) throws Exception
{
LdapDN name = entryContext.getDn();
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
- ClonedServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ClonedServerEntry entry = entryContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = entryContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
if ( isPrincipalAnAdministrator( principalDn ) || !enabled || ( name.size() == 0 ) ) // no checks on the rootdse
@@ -688,12 +681,13 @@
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, name, entry.getOriginalEntry() );
+ addPerscriptiveAciTuples( entryContext, tuples, name, entry.getOriginalEntry() );
addEntryAciTuples( tuples, entry.getOriginalEntry() );
- addSubentryAciTuples( proxy, tuples, name, entry.getOriginalEntry() );
+ addSubentryAciTuples( entryContext, tuples, name, entry.getOriginalEntry() );
// check that we have browse access to the entry
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, entryContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, null, null,
BROWSE_PERMS, tuples, entry.getOriginalEntry(), null );
return next.hasEntry( entryContext );
@@ -715,24 +709,25 @@
* @param entry the raw entry pulled from the nexus
* @throws Exception if undlying access to the DIT fails
*/
- private void checkLookupAccess( LdapPrincipal principal, LdapDN dn, ServerEntry entry ) throws Exception
+ private void checkLookupAccess( LookupOperationContext lookupContext, ServerEntry entry ) throws Exception
{
// no permissions checks on the RootDSE
- if ( dn.toString().trim().equals( "" ) )
+ if ( lookupContext.getDn().toString().trim().equals( "" ) )
{
return;
}
- PartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
+ LdapPrincipal principal = lookupContext.getSession().getEffectivePrincipal();
LdapDN userName = principal.getJndiName();
Set<LdapDN> userGroups = groupCache.getGroups( userName.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, dn, entry );
+ addPerscriptiveAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, dn, entry );
+ addSubentryAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
// check that we have read access to the entry
- engine.checkPermission( registries, proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null, null,
+ engine.checkPermission( registries, lookupContext, userGroups, userName, principal.getAuthenticationLevel(),
+ lookupContext.getDn(), null, null,
LOOKUP_PERMS, tuples, entry, null );
// check that we have read access to every attribute type and value
@@ -743,11 +738,11 @@
{
engine.checkPermission(
registries,
- proxy,
+ lookupContext,
userGroups,
userName,
principal.getAuthenticationLevel(),
- dn,
+ lookupContext.getDn(),
attribute.getUpId(),
value,
READ_PERMS,
@@ -761,8 +756,7 @@
public ClonedServerEntry lookup( NextInterceptor next, LookupOperationContext lookupContext ) throws Exception
{
- Invocation invocation = InvocationStack.getInstance().peek();
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = lookupContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
if ( !principalDn.isNormalized() )
@@ -775,24 +769,22 @@
return next.lookup( lookupContext );
}
- PartitionNexusProxy proxy = invocation.getProxy();
- ServerEntry entry = proxy.lookup( lookupContext, PartitionNexusProxy.LOOKUP_BYPASS );
+ lookupContext.setByPassed( ByPassConstants.LOOKUP_BYPASS );
+ ServerEntry entry = lookupContext.getSession().getDirectoryService()
+ .getOperationManager().lookup( lookupContext );
- checkLookupAccess( principal, lookupContext.getDn(), entry );
+ checkLookupAccess( lookupContext, entry );
return next.lookup( lookupContext );
}
+
public void rename( NextInterceptor next, RenameOperationContext renameContext ) throws Exception
{
LdapDN name = renameContext.getDn();
- // Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
+ ServerEntry entry = renameContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
- ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
-
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = renameContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
LdapDN newName = ( LdapDN ) name.clone();
newName.remove( name.size() - 1 );
@@ -822,11 +814,12 @@
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, name, entry );
+ addPerscriptiveAciTuples( renameContext, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, name, entry );
+ addSubentryAciTuples( renameContext, tuples, name, entry );
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, renameContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, null, null,
RENAME_PERMS, tuples, entry, null );
next.rename( renameContext );
@@ -841,13 +834,9 @@
LdapDN oriChildName = moveAndRenameContext.getDn();
LdapDN newParentName = moveAndRenameContext.getParent();
- // Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
+ ServerEntry entry = moveAndRenameContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS );
- ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
-
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = moveAndRenameContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
LdapDN newName = ( LdapDN ) newParentName.clone();
newName.add( moveAndRenameContext.getNewRdn().getUpName() );
@@ -872,11 +861,12 @@
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
+ addPerscriptiveAciTuples( moveAndRenameContext, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, oriChildName, entry );
+ addSubentryAciTuples( moveAndRenameContext, tuples, oriChildName, entry );
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+ engine.checkPermission( registries, moveAndRenameContext, userGroups,
+ principalDn, principal.getAuthenticationLevel(), oriChildName, null,
null, MOVERENAME_PERMS, tuples, entry, null );
// Get the entry again without operational attributes
@@ -884,10 +874,9 @@
// will not be valid at the new location.
// This will certainly be fixed by the SubentryInterceptor,
// but after this service.
- ServerEntry importedEntry = proxy.lookup(
- new LookupOperationContext( registries, oriChildName ),
- PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
-
+
+ ClonedServerEntry importedEntry = moveAndRenameContext.lookup( oriChildName,
+ ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
// As the target entry does not exist yet and so
// its subentry operational attributes are not there,
@@ -904,10 +893,11 @@
Collection<ACITuple> destTuples = new HashSet<ACITuple>();
// Import permission is only valid for prescriptive ACIs
- addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+ addPerscriptiveAciTuples( moveAndRenameContext, destTuples, newName, subentryAttrs );
// Evaluate the target context to see whether it
// allows an entry named newName to be imported as a subordinate.
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+ engine.checkPermission( registries, moveAndRenameContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), newName, null,
null, IMPORT_PERMS, destTuples, subentryAttrs, null );
@@ -923,13 +913,11 @@
LdapDN newParentName = moveContext.getParent();
// Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
- ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry entry = moveContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS );
LdapDN newName = ( LdapDN ) newParentName.clone();
newName.add( oriChildName.get( oriChildName.size() - 1 ) );
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = moveContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
// bypass authz code if we are disabled
@@ -952,11 +940,12 @@
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
+ addPerscriptiveAciTuples( moveContext, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, oriChildName, entry );
+ addSubentryAciTuples( moveContext, tuples, oriChildName, entry );
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+ engine.checkPermission( registries, moveContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), oriChildName, null,
null, EXPORT_PERMS, tuples, entry, null );
// Get the entry again without operational attributes
@@ -964,16 +953,16 @@
// will not be valid at the new location.
// This will certainly be fixed by the SubentryInterceptor,
// but after this service.
- ServerEntry importedEntry = proxy.lookup(
- new LookupOperationContext( registries, oriChildName ),
- PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+ ServerEntry importedEntry = moveContext.lookup( oriChildName,
+ ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
// As the target entry does not exist yet and so
// its subentry operational attributes are not there,
// we need to construct an entry to represent it
// at least with minimal requirements which are object class
// and access control subentry operational attributes.
- SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
+ SubentryInterceptor subentryInterceptor = ( SubentryInterceptor )
+ chain.get( SubentryInterceptor.class.getName() );
ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
for ( EntryAttribute attribute:importedEntry )
@@ -983,10 +972,11 @@
Collection<ACITuple> destTuples = new HashSet<ACITuple>();
// Import permission is only valid for prescriptive ACIs
- addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+ addPerscriptiveAciTuples( moveContext, destTuples, newName, subentryAttrs );
// Evaluate the target context to see whether it
// allows an entry named newName to be imported as a subordinate.
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+ engine.checkPermission( registries, moveContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), newName, null,
null, IMPORT_PERMS, destTuples, subentryAttrs, null );
next.move( moveContext );
@@ -997,9 +987,7 @@
public EntryFilteringCursor list( NextInterceptor next, ListOperationContext opContext ) throws Exception
{
- Invocation invocation = InvocationStack.getInstance().peek();
- ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
- LdapPrincipal user = ctx.getPrincipal();
+ LdapPrincipal user = opContext.getSession().getEffectivePrincipal();
EntryFilteringCursor cursor = next.list( opContext );
if ( isPrincipalAnAdministrator( user.getJndiName() ) || !enabled )
@@ -1015,9 +1003,7 @@
public EntryFilteringCursor search( NextInterceptor next, SearchOperationContext opContext ) throws Exception
{
- Invocation invocation = InvocationStack.getInstance().peek();
- ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
- LdapPrincipal user = ctx.getPrincipal();
+ LdapPrincipal user = opContext.getSession().getEffectivePrincipal();
LdapDN principalDn = user.getJndiName();
EntryFilteringCursor cursor = next.search( opContext );
@@ -1046,15 +1032,10 @@
LdapDN name = opContext.getDn();
String oid = opContext.getOid();
Value<?> value = (Value<?>)opContext.getValue();
-
- // Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
- ServerEntry entry = proxy.lookup(
- new LookupOperationContext( registries, name ),
- PartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ ClonedServerEntry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
+
+ LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
@@ -1064,13 +1045,15 @@
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, name, entry );
+ addPerscriptiveAciTuples( opContext, tuples, name, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, name, entry );
+ addSubentryAciTuples( opContext, tuples, name, entry );
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, opContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, null, null,
READ_PERMS, tuples, entry, null );
- engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, oid, value,
+ engine.checkPermission( registries, opContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), name, oid, value,
COMPARE_PERMS, tuples, entry, null );
return next.compare( opContext );
@@ -1080,9 +1063,7 @@
public LdapDN getMatchedName ( NextInterceptor next, GetMatchedNameOperationContext opContext ) throws Exception
{
// Access the principal requesting the operation, and bypass checks if it is the admin
- Invocation invocation = InvocationStack.getInstance().peek();
- PartitionNexusProxy proxy = invocation.getProxy();
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
LdapDN principalDn = principal.getJndiName();
if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
@@ -1099,15 +1080,16 @@
// that but if permission is granted then short the process and return the dn
while ( matched.size() > 0 )
{
- entry = proxy.lookup( new LookupOperationContext( registries, matched ), PartitionNexusProxy.GETMATCHEDDN_BYPASS );
+ entry = opContext.lookup( matched, ByPassConstants.GETMATCHEDDN_BYPASS );
Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( proxy, tuples, matched, entry );
+ addPerscriptiveAciTuples( opContext, tuples, matched, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( proxy, tuples, matched, entry );
+ addSubentryAciTuples( opContext, tuples, matched, entry );
- if ( engine.hasPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), matched, null,
+ if ( engine.hasPermission( registries, opContext, userGroups, principalDn,
+ principal.getAuthenticationLevel(), matched, null,
null, MATCHEDNAME_PERMS, tuples, entry, null ) )
{
return matched;
@@ -1126,7 +1108,8 @@
}
- private boolean filter( Invocation invocation, LdapDN normName, ClonedServerEntry clonedEntry ) throws Exception
+ private boolean filter( OperationContext opContext, LdapDN normName, ClonedServerEntry clonedEntry )
+ throws Exception
{
/*
* First call hasPermission() for entry level "Browse" and "ReturnDN" perm
@@ -1134,20 +1117,20 @@
* process and return false.
*/
- ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
- LdapDN userDn = ctx.getPrincipal().getJndiName();
+ LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
+ LdapDN userDn = principal.getJndiName();
Set<LdapDN> userGroups = groupCache.getGroups( userDn.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, clonedEntry.getOriginalEntry() );
+ addPerscriptiveAciTuples( opContext, tuples, normName, clonedEntry.getOriginalEntry() );
addEntryAciTuples( tuples, clonedEntry.getOriginalEntry() );
- addSubentryAciTuples( invocation.getProxy(), tuples, normName, clonedEntry.getOriginalEntry() );
+ addSubentryAciTuples( opContext, tuples, normName, clonedEntry.getOriginalEntry() );
if ( !engine.hasPermission(
registries,
- invocation.getProxy(),
+ opContext,
userGroups,
userDn,
- ctx.getPrincipal().getAuthenticationLevel(),
+ principal.getAuthenticationLevel(),
normName,
null,
null,
@@ -1176,10 +1159,10 @@
if ( !engine.hasPermission(
registries,
- invocation.getProxy(),
+ opContext,
userGroups,
userDn,
- ctx.getPrincipal().getAuthenticationLevel(),
+ principal.getAuthenticationLevel(),
normName,
id,
null,
@@ -1200,10 +1183,10 @@
{
if ( !engine.hasPermission(
registries,
- invocation.getProxy(),
+ opContext,
userGroups,
userDn,
- ctx.getPrincipal().getAuthenticationLevel(),
+ principal.getAuthenticationLevel(),
normName,
attr.getUpId(),
value,
@@ -1245,7 +1228,7 @@
throws Exception
{
LdapDN normName = entry.getDn().normalize( atRegistry.getNormalizerMapping() );
- return filter( operationContext.getInvocation(), normName, entry );
+ return filter( operationContext, normName, entry );
}
}
}
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java Mon Jun 2 07:00:23 2008
@@ -21,7 +21,10 @@
import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.directory.server.core.CoreSession;
+import org.apache.directory.server.core.DefaultCoreSession;
import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.entry.ServerEntry;
import org.apache.directory.server.core.filtering.EntryFilter;
@@ -35,15 +38,13 @@
import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
+import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
-import org.apache.directory.server.core.invocation.Invocation;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.ServerContext;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
-import org.apache.directory.server.schema.registries.Registries;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Value;
@@ -55,7 +56,6 @@
import org.slf4j.LoggerFactory;
import javax.naming.NoPermissionException;
-import javax.naming.ldap.LdapContext;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -137,15 +137,20 @@
uniqueMemberAT = attrRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
- loadAdministrators( directoryService.getRegistries() );
+ loadAdministrators( directoryService );
}
- private void loadAdministrators( Registries registries ) throws Exception
+ private void loadAdministrators( DirectoryService directoryService ) throws Exception
{
// read in the administrators and cache their normalized names
Set<String> newAdministrators = new HashSet<String>( 2 );
- ServerEntry adminGroup = nexus.lookup( new LookupOperationContext( registries, ADMIN_GROUP_DN ) );
+ LdapDN adminDn = new LdapDN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
+ adminDn.normalize( directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
+ CoreSession adminSession = new DefaultCoreSession(
+ new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService );
+
+ ServerEntry adminGroup = nexus.lookup( new LookupOperationContext( adminSession, ADMIN_GROUP_DN ) );
if ( adminGroup == null )
{
@@ -268,7 +273,7 @@
// update administrators if we change administrators group
if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
{
- loadAdministrators( opContext.getRegistries() );
+ loadAdministrators( opContext.getSession().getDirectoryService() );
}
}
else
@@ -432,16 +437,13 @@
return serverEntry;
}
- protectLookUp( opContext.getDn() );
+ protectLookUp( opContext.getSession().getEffectivePrincipal().getJndiName(), opContext.getDn() );
return serverEntry;
}
- private void protectLookUp( LdapDN normalizedDn ) throws Exception
+ private void protectLookUp( LdapDN principalDn, LdapDN normalizedDn ) throws Exception
{
- LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
- LdapDN principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
-
if ( !isAnAdministrator( principalDn ) )
{
if ( normalizedDn.size() > 2 )
@@ -507,7 +509,7 @@
cursor.addEntryFilter( new EntryFilter() {
public boolean accept( SearchingOperationContext operation, ClonedServerEntry result ) throws Exception
{
- return DefaultAuthorizationInterceptor.this.isSearchable( operation.getInvocation(), result );
+ return DefaultAuthorizationInterceptor.this.isSearchable( operation, result );
}
} );
return cursor;
@@ -527,16 +529,16 @@
{
public boolean accept( SearchingOperationContext operation, ClonedServerEntry entry ) throws Exception
{
- return DefaultAuthorizationInterceptor.this.isSearchable( operation.getInvocation(), entry );
+ return DefaultAuthorizationInterceptor.this.isSearchable( operation, entry );
}
} );
return cursor;
}
- private boolean isSearchable( Invocation invocation, ClonedServerEntry result ) throws Exception
+ private boolean isSearchable( OperationContext opContext, ClonedServerEntry result ) throws Exception
{
- LdapDN principalDn = ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName();
+ LdapDN principalDn = opContext.getSession().getEffectivePrincipal().getJndiName();
LdapDN dn = result.getDn();
if ( !dn.isNormalized() )
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java Mon Jun 2 07:00:23 2008
@@ -28,7 +28,7 @@
import java.util.Set;
import org.apache.directory.server.constants.ServerDNConstants;
-import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.CoreSession;
import org.apache.directory.server.core.entry.ServerAttribute;
import org.apache.directory.server.core.entry.ServerEntry;
import org.apache.directory.server.core.filtering.EntryFilteringCursor;
@@ -99,11 +99,12 @@
* @param directoryService the directory service core
* @throws NamingException if there are failures on initialization
*/
- public GroupCache( DirectoryService directoryService ) throws Exception
+ public GroupCache( CoreSession session ) throws Exception
{
- normalizerMap = directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping();
- nexus = directoryService.getPartitionNexus();
- AttributeTypeRegistry attributeTypeRegistry = directoryService.getRegistries().getAttributeTypeRegistry();
+ normalizerMap = session.getDirectoryService().getRegistries().getAttributeTypeRegistry().getNormalizerMapping();
+ nexus = session.getDirectoryService().getPartitionNexus();
+ AttributeTypeRegistry attributeTypeRegistry = session.getDirectoryService()
+ .getRegistries().getAttributeTypeRegistry();
memberAT = attributeTypeRegistry.lookup( SchemaConstants.MEMBER_AT_OID );
uniqueMemberAT = attributeTypeRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
@@ -111,7 +112,7 @@
// stuff for dealing with the admin group
administratorsGroupDn = parseNormalized( ServerDNConstants.ADMINISTRATORS_GROUP_DN );
- initialize( directoryService.getRegistries() );
+ initialize( session );
}
@@ -123,7 +124,7 @@
}
- private void initialize( Registries registries ) throws Exception
+ private void initialize( CoreSession session ) throws Exception
{
// search all naming contexts for static groups and generate
// normalized sets of members to cache within the map
@@ -142,7 +143,9 @@
LdapDN baseDn = new LdapDN( suffix );
SearchControls ctls = new SearchControls();
ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
- EntryFilteringCursor results = nexus.search( new SearchOperationContext( registries,
+
+
+ EntryFilteringCursor results = nexus.search( new SearchOperationContext( session,
baseDn, AliasDerefMode.DEREF_ALWAYS, filter, ctls ) );
while ( results.next() )
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java Mon Jun 2 07:00:23 2008
@@ -20,7 +20,7 @@
package org.apache.directory.server.core.authz;
-import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.CoreSession;
import org.apache.directory.server.core.entry.ServerAttribute;
import org.apache.directory.server.core.entry.ServerEntry;
import org.apache.directory.server.core.filtering.EntryFilteringCursor;
@@ -29,7 +29,6 @@
import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
import org.apache.directory.server.schema.registries.OidRegistry;
-import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.aci.ACIItem;
import org.apache.directory.shared.ldap.aci.ACIItemParser;
import org.apache.directory.shared.ldap.aci.ACITuple;
@@ -98,16 +97,18 @@
* @param directoryService the context factory configuration for the server
* @throws NamingException if initialization fails
*/
- public TupleCache( DirectoryService directoryService ) throws Exception
+ public TupleCache( CoreSession session ) throws Exception
{
- normalizerMap = directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping();
- this.nexus = directoryService.getPartitionNexus();
- AttributeTypeRegistry attributeTypeRegistry = directoryService.getRegistries().getAttributeTypeRegistry();
- OidRegistry oidRegistry = directoryService.getRegistries().getOidRegistry();
+ normalizerMap = session.getDirectoryService().getRegistries()
+ .getAttributeTypeRegistry().getNormalizerMapping();
+ this.nexus = session.getDirectoryService().getPartitionNexus();
+ AttributeTypeRegistry attributeTypeRegistry = session.getDirectoryService()
+ .getRegistries().getAttributeTypeRegistry();
+ OidRegistry oidRegistry = session.getDirectoryService().getRegistries().getOidRegistry();
NameComponentNormalizer ncn = new ConcreteNameComponentNormalizer( attributeTypeRegistry, oidRegistry );
aciParser = new ACIItemParser( ncn, normalizerMap );
prescriptiveAciAT = attributeTypeRegistry.lookup( SchemaConstants.PRESCRIPTIVE_ACI_AT );
- initialize( directoryService.getRegistries() );
+ initialize( session );
}
@@ -119,7 +120,7 @@
}
- private void initialize( Registries registries ) throws Exception
+ private void initialize( CoreSession session ) throws Exception
{
// search all naming contexts for access control subentenries
// generate ACITuple Arrays for each subentry
@@ -134,7 +135,7 @@
new ClientStringValue( SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC ) );
SearchControls ctls = new SearchControls();
ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
- EntryFilteringCursor results = nexus.search( new SearchOperationContext( registries,
+ EntryFilteringCursor results = nexus.search( new SearchOperationContext( session,
baseDn, AliasDerefMode.NEVER_DEREF_ALIASES, filter, ctls ) );
while ( results.next() )