Posted to commits@directory.apache.org by ak...@apache.org on 2008/08/08 05:31:52 UTC
svn commit: r683825 - in
/directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap:
LdapServer.java handlers/LdapRequestHandler.java
handlers/ssl/LdapsInitializer.java
Author: akarasulu
Date: Thu Aug 7 20:31:51 2008
New Revision: 683825
URL: http://svn.apache.org/viewvc?rev=683825&view=rev
Log:
DIRSERVER-1194: added confidentiality requirement flag and made sure LDAPS works like StartTLS
Modified:
directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java
directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java
directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java
Modified: directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java?rev=683825&r1=683824&r2=683825&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java (original)
+++ directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java Thu Aug 7 20:31:51 2008
@@ -197,6 +197,12 @@
/** tracks start state of the server */
private boolean started;
+ /**
+ * Whether or not confidentiality (TLS secured connection) is required:
+ * disabled by default.
+ */
+ private boolean confidentialityRequired;
+
/**
* Creates an LDAP protocol provider.
@@ -529,6 +535,31 @@
/**
+ * Sets the mode for this LdapServer to accept requests with or without a
+ * TLS secured connection via either StartTLS extended operations or using
+ * LDAPS.
+ *
+ * @param confidentialityRequired true to require confidentiality
+ */
+ public void setConfidentialityRequired( boolean confidentialityRequired )
+ {
+ this.confidentialityRequired = confidentialityRequired;
+ }
+
+
+ /**
+ * Gets whether or not TLS secured connections are required to perform
+ * operations on this LdapServer.
+ *
+ * @return true if TLS secured connections are required, false otherwise
+ */
+ public boolean isConfidentialityRequired()
+ {
+ return confidentialityRequired;
+ }
+
+
+ /**
* Returns <tt>true</tt> if LDAPS is enabled.
*
* @return True if LDAPS is enabled.
Modified: directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java?rev=683825&r1=683824&r2=683825&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java (original)
+++ directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java Thu Aug 7 20:31:51 2008
@@ -23,9 +23,16 @@
import org.apache.directory.server.core.CoreSession;
import org.apache.directory.server.newldap.LdapServer;
import org.apache.directory.server.newldap.LdapSession;
+import org.apache.directory.server.newldap.handlers.extended.StartTlsHandler;
import org.apache.directory.shared.ldap.message.AbandonRequest;
import org.apache.directory.shared.ldap.message.BindRequest;
+import org.apache.directory.shared.ldap.message.ExtendedRequest;
+import org.apache.directory.shared.ldap.message.LdapResult;
import org.apache.directory.shared.ldap.message.Request;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.directory.shared.ldap.message.ResultResponse;
+import org.apache.directory.shared.ldap.message.ResultResponseRequest;
+import org.apache.mina.common.IoFilterChain;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.demux.MessageHandler;
@@ -59,6 +66,43 @@
{
this.ldapServer = ldapServer;
}
+
+
+ /**
+ * Checks to see if confidentiality requirements are met. If the
+ * LdapServer requires confidentiality and the SSLFilter is engaged
+ * this will return true. If confidentiality is not required this
+ * will return true. If confidentially is required and the SSLFilter
+ * is not engaged in the IoFilterChain this will return false.
+ *
+ * This method is used by handlers to determine whether to send back
+ * {@link ResultCodeEnum#CONFIDENTIALITY_REQUIRED} error responses back
+ * to clients.
+ *
+ * @param session the MINA IoSession to check for TLS security
+ * @return true if confidentiality requirement is met, false otherwise
+ */
+ public final boolean isConfidentialityRequirementSatisfied( IoSession session )
+ {
+
+ if ( ! ldapServer.isConfidentialityRequired() )
+ {
+ return true;
+ }
+
+ IoFilterChain chain = session.getFilterChain();
+ return chain.contains( "sslFilter" );
+ }
+
+
+ public void rejectWithoutConfidentiality( IoSession session, ResultResponse resp )
+ {
+ LdapResult result = resp.getLdapResult();
+ result.setResultCode( ResultCodeEnum.CONFIDENTIALITY_REQUIRED );
+ result.setErrorMessage( "Confidentiality (TLS secured connection) is required." );
+ session.write( resp );
+ return;
+ }
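Review bot: `isConfidentialityRequirementSatisfied` treats the connection as secured when `chain.contains( "sslFilter" )` is true, which only proves that a filter with that name is installed, not that the TLS handshake has completed, and it couples this handler to the literal used in LdapsInitializer (and presumably to whatever name the StartTLS handler registers under, which is not in this diff). Hoist the name into one shared constant, e.g. `public static final String SSL_FILTER_NAME = "sslFilter";` on LdapServer, and reference it from both the check and the chain builders; if the MINA version in use exposes `SSLFilter.isSSLStarted( session )`, prefer that over a name lookup. `rejectWithoutConfidentiality` has no Javadoc and its trailing `return;` is redundant in a void method; a one-line `/** Writes {@code resp} back with CONFIDENTIALITY_REQUIRED set; used when {@link #isConfidentialityRequirementSatisfied} is false. */` would cover it.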
/**
@@ -74,6 +118,33 @@
{
LdapSession ldapSession = ldapServer.getLdapSession( session );
ldapSession.setLdapServer( ldapServer );
+
+ // protect against insecure conns when confidentiality is required
+ if ( ! isConfidentialityRequirementSatisfied( session ) )
+ {
+ if ( message instanceof ExtendedRequest )
+ {
+ // Reject all extended operations except StartTls
+ ExtendedRequest req = ( ExtendedRequest ) message;
+ if ( ! req.getID().equals( StartTlsHandler.EXTENSION_OID ) )
+ {
+ rejectWithoutConfidentiality( session, req.getResultResponse() );
+ return;
+ }
+
+ // Allow StartTls extended operations to go through
+ }
+ else if ( message instanceof ResultResponseRequest )
+ {
+ // Reject all other operations that have a result response
+ rejectWithoutConfidentiality( session, ( ( ResultResponseRequest ) message ).getResultResponse() );
+ return;
+ }
+ else // Just return from unbind, and abandon immediately
+ {
+ return;
+ }
+ }
// We should check that the server allows anonymous requests
// only if it's not a BindRequest
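Review bot: The final `else` branch returns silently for everything that is neither an ExtendedRequest nor a ResultResponseRequest, which per its comment includes UnbindRequest; an unbind sent over a plain connection therefore never reaches its handler and the session presumably stays open on the server, whereas only Abandon is safe to drop without a trace. Let UnbindRequest fall through to normal handling (or close the session explicitly in that branch) instead of returning. The StartTLS exemption `req.getID().equals( StartTlsHandler.EXTENSION_OID )` also throws NullPointerException when the request carries no OID; `StartTlsHandler.EXTENSION_OID.equals( req.getID() )` is null-safe. The enclosing method starts before this hunk and continues after it.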
Modified: directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java?rev=683825&r1=683824&r2=683825&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java (original)
+++ directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java Thu Aug 7 20:31:51 2008
@@ -69,7 +69,7 @@
}
DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
- chain.addLast( "SSL", new SSLFilter( sslCtx ) );
+ chain.addLast( "sslFilter", new SSLFilter( sslCtx ) );
return chain;
}
}