Posted to dev@directory.apache.org by Steven Brendtro <st...@gmail.com> on 2007/12/14 15:59:44 UTC

Custom Authenticator and Attributes

I am coding a custom Authenticator Interface for doing some extra checking
before authenticating the DN.  Basically before I authenticate, I want to
check that the user (not sure what else to call it) has certain attributes
set to specific values.  I've been looking through the API for the past few
days and don't understand how to accomplish this.  If possible, I want to
get a set of Attributes back to iterate through.

Any suggestions would be most helpful.

Thanks in advance.

Re: Custom Authenticator and Attributes

Posted by Steven Brendtro <st...@gmail.com>.
Since ServerContext.getNexusProxy() is protected, I assume I need to create
a PartitionNexusProxy from scratch, correct?  Something like this?

       PartitionNexusProxy nexusProxy = new PartitionNexusProxy( serverContext, serverContext.getService() );
       String[] attrIds = new String[4];
       attrIds[0] = "myAttribute1";
       attrIds[1] = "myAttribute2";
       attrIds[2] = "org.apache.directory.server.core.interceptor.???";
       attrIds[3] = "org.apache.directory.server.core.interceptor.???";
       Attributes myAttributes = nexusProxy.lookup( bindDn, attrIds );

How do I know what interceptors will need to be listed?  Sorry, I'm new to
the concept of interceptors, and only 1 week into the ApacheDS code.

Thanks again for your help.

Steve


On Dec 14, 2007 5:40 PM, Alex Karasulu <ak...@apache.org> wrote:

> Wrong class; try on NexusProxy.
>
> Alex

Re: Custom Authenticator and Attributes

Posted by Alex Karasulu <ak...@apache.org>.
Wrong class; try on NexusProxy.

Alex

On Dec 14, 2007 6:22 PM, Steven Brendtro <st...@gmail.com> wrote:

> I just checked svn, and all versions (1.0.1, 1.0.2, 1.5.0, and 1.5.1)
> of ServerContext.java have only two overloads:
>
> public Object lookup( String name )
> public Object lookup( Name name )
>
> The first version just converts the name to an LdapDN and calls the
> second.
>
> Any other way around this?
>
> Steve

Re: Custom Authenticator and Attributes

Posted by Steven Brendtro <st...@gmail.com>.
I just checked svn, and all versions (1.0.1, 1.0.2, 1.5.0, and 1.5.1) of
ServerContext.java have only two overloads:

public Object lookup( String name )
public Object lookup( Name name )

The first version just converts the name to an LdapDN and calls the second.


Any other way around this?

Steve

On Dec 14, 2007 4:56 PM, Alex Karasulu <ak...@apache.org> wrote:

> Basically the nexus proxy makes calls to the nexus after these calls are
> intercepted by each interceptor in the InterceptorChain.  Hence why we call
> it the NexusProxy.  You stumbled on a particular problem: you're not
> authenticated yet obviously, but you're trying to go through the chain again
> and are encountering the authentication interceptor.  You're lucky you got
> this exception, otherwise you would have infinite recursion followed by a
> nasty OoME.
>
> I don't remember clearly but this version of the server might have bypass
> instructions for the proxy.  See if there is a method overload for lookup
> that takes a String[] in addition to the bindDn.  If you put the FQCN of an
> interceptor into this String array (the second argument) you will bypass
> that interceptor.  So you probably want to bypass a few of them.
>
> Alex

Re: Custom Authenticator and Attributes

Posted by Alex Karasulu <ak...@apache.org>.
Basically the nexus proxy makes calls to the nexus after these calls are
intercepted by each interceptor in the InterceptorChain.  Hence why we call
it the NexusProxy.  You stumbled on a particular problem: you're not
authenticated yet obviously, but you're trying to go through the chain again
and are encountering the authentication interceptor.  You're lucky you got
this exception, otherwise you would have infinite recursion followed by a
nasty OoME.

I don't remember clearly but this version of the server might have bypass
instructions for the proxy.  See if there is a method overload for lookup
that takes a String[] in addition to the bindDn.  If you put the FQCN of an
interceptor into this String array (the second argument) you will bypass
that interceptor.  So you probably want to bypass a few of them.

Alex

On Dec 14, 2007 5:21 PM, Steven Brendtro <st...@gmail.com> wrote:

> Thanks for the suggestion.  It got me a bit farther, but I hit another
> wall.
>
> In my authenticator's implementation of authenticate(), I can't call
> ServerContext.getNexusProxy() as it is protected.  I did try:
>
>                 PartitionNexus nexusProxy = (PartitionNexus) serverContext.lookup( bindDn );
>                 Attributes attributeList = nexusProxy.lookup( bindDn );
>
> But got a nasty exception:
> org.apache.directory.server.core.interceptor.InterceptorException:
> Unexpected exception. [Root exception is java.lang.IllegalStateException:
> Attempted operation by unauthenticated caller.]
>
> In the middle of the stack trace was an error pointing at the first
> line of these two.  I assume it has something to do with how I am casting
> the Object returned from the ServerContext.lookup call.  Any ideas on the
> right way to do this?
>
> Thanks,
> Steve
>
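A toy model of the bypass mechanism described in the message above, as an added example that is not part of the thread and is not ApacheDS code: every class and method name is hypothetical and the directory entries are constructed; only the attribute name and the exception text come from the thread. It shows the pre-bind lookup being rejected without a bypass, then succeeding when only the authentication interceptor is bypassed, with the attribute check failing closed.

```java
import java.util.*;
/** Toy interceptor chain with per-call bypass. Not ApacheDS code; all names are hypothetical. */
public class BypassDemo {
    interface Interceptor { void before(String dn, boolean authenticated); }

    /** Rejects any operation from a caller that has not finished binding. */
    static class AuthnInterceptor implements Interceptor {
        public void before(String dn, boolean authenticated) {
            if (!authenticated)
                throw new IllegalStateException("Attempted operation by unauthenticated caller.");
        }
    }

    /** Stand-in for any other interceptor that must keep running during the pre-bind lookup. */
    static class AuditInterceptor implements Interceptor {
        final List<String> log = new ArrayList<>();
        public void before(String dn, boolean authenticated) { log.add("lookup " + dn); }
    }

    /** Proxy: runs every interceptor not named in bypass, then reads the backing store (the "nexus"). */
    static class Proxy {
        final List<Interceptor> chain;
        final Map<String, Map<String, String>> nexus;
        Proxy(List<Interceptor> chain, Map<String, Map<String, String>> nexus) { this.chain = chain; this.nexus = nexus; }
        Map<String, String> lookup(String dn, boolean authenticated, Set<String> bypass) {
            for (Interceptor i : chain)
                if (!bypass.contains(i.getClass().getName())) i.before(dn, authenticated);
            return nexus.get(dn);
        }
    }

    /** Pre-bind check: fail closed unless the entry exists and every required attribute matches. */
    static boolean attributesAllowBind(Proxy proxy, String bindDn, Map<String, String> required) {
        // Bypass only the authentication interceptor, named by its fully qualified class name.
        Set<String> bypass = Collections.singleton(AuthnInterceptor.class.getName());
        Map<String, String> entry = proxy.lookup(bindDn, false, bypass);
        if (entry == null) return false;
        for (Map.Entry<String, String> r : required.entrySet())
            if (!r.getValue().equals(entry.get(r.getKey()))) return false;
        return true;
    }

    public static void main(String[] args) {
        Map<String, Map<String, String>> nexus = new HashMap<>();   // constructed sample entries
        nexus.put("uid=alice,ou=users", Collections.singletonMap("myAttribute1", "enabled"));
        nexus.put("uid=bob,ou=users", Collections.singletonMap("myAttribute1", "disabled"));
        AuditInterceptor audit = new AuditInterceptor();
        Proxy proxy = new Proxy(Arrays.<Interceptor>asList(new AuthnInterceptor(), audit), nexus);
        Map<String, String> required = Collections.singletonMap("myAttribute1", "enabled");
        try {   // No bypass: the pre-bind lookup is stopped by the authentication interceptor.
            proxy.lookup("uid=alice,ou=users", false, Collections.<String>emptySet());
        } catch (IllegalStateException e) { System.out.println("no bypass: " + e.getMessage()); }
        System.out.println("alice: " + attributesAllowBind(proxy, "uid=alice,ou=users", required));
        System.out.println("bob:   " + attributesAllowBind(proxy, "uid=bob,ou=users", required));
        System.out.println("carol: " + attributesAllowBind(proxy, "uid=carol,ou=users", required));
        System.out.println("audit interceptor still ran: " + audit.log);
    }
}
```

Keeping the bypass list to the one interceptor that blocks the lookup leaves the rest of the chain in force for the unauthenticated caller.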

Re: Custom Authenticator and Attributes

Posted by Steven Brendtro <st...@gmail.com>.
Thanks for the suggestion.  It got me a bit farther, but I hit another wall.

In my authenticator's implementation of authenticate(), I can't call
ServerContext.getNexusProxy() as it is protected.  I did try:

                PartitionNexus nexusProxy = (PartitionNexus) serverContext.lookup( bindDn );
                Attributes attributeList = nexusProxy.lookup( bindDn );

But got a nasty exception:
org.apache.directory.server.core.interceptor.InterceptorException:
Unexpected exception. [Root exception is java.lang.IllegalStateException:
Attempted operation by unauthenticated caller.]

In the middle of the stack trace was an error pointing at the first line
of these two.  I assume it has something to do with how I am casting the
Object returned from the ServerContext.lookup call.  Any ideas on the right
way to do this?

Thanks,
Steve

On Dec 14, 2007 12:10 PM, Alex Karasulu <ak...@apache.org> wrote:

> For 1.0 your best option is to grab a handle to the nexus on
> initialization of your authenticator.  Use the nexus to look up the
> attributes of the user (the entry for the principalDn).  Then you can
> perform what logic you need to interrogate the attributes of the user.
>
> HTH,
> Alex

Re: Custom Authenticator and Attributes

Posted by Alex Karasulu <ak...@apache.org>.
For 1.0 your best option is to grab a handle to the nexus on initialization
of your authenticator.  Use the nexus to look up the attributes of the user
(the entry for the principalDn).  Then you can perform what logic you need
to interrogate the attributes of the user.

HTH,
Alex
On Dec 14, 2007 10:18 AM, Steven Brendtro <st...@gmail.com> wrote:

> Oh, I forgot to mention... this is for 1.0.x (specifically 1.0.1).
>
> Thanks

Re: Custom Authenticator and Attributes

Posted by Steven Brendtro <st...@gmail.com>.
Oh, I forgot to mention... this is for 1.0.x (specifically 1.0.1).

Thanks

On Dec 14, 2007 8:59 AM, Steven Brendtro <st...@gmail.com> wrote:

> I am coding a custom Authenticator Interface for doing some extra checking
> before authenticating the DN.  Basically before I authenticate, I want to
> check that the user (not sure what else to call it) has certain attributes
> set to specific values.  I've been looking through the API for the past few
> days and don't understand how to accomplish this.  If possible, I want to
> get a set of Attributes back to iterate through.
>
> Any suggestions would be most helpful.
>
> Thanks in advance.
>