Posted to commits@directory.apache.org by el...@apache.org on 2007/04/24 21:55:50 UTC
svn commit: r532059 -
/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
Author: elecharny
Date: Tue Apr 24 12:55:49 2007
New Revision: 532059
URL: http://svn.apache.org/viewvc?view=rev&rev=532059
Log:
Removed useless declaration
Used AttributeUtils.getAttribute() everywhere
Added some logs
Used some more constants
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java?view=diff&rev=532059&r1=532058&r2=532059
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java Tue Apr 24 12:55:49 2007
@@ -48,9 +48,15 @@
import org.apache.directory.server.core.invocation.InvocationStack;
import org.apache.directory.server.core.jndi.ServerContext;
import org.apache.directory.server.core.partition.PartitionNexus;
+import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
+import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.name.LdapDN;
+import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.OidNormalizer;
+import org.apache.directory.shared.ldap.util.AttributeUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
@@ -64,6 +70,9 @@
*/
public class DefaultAuthorizationService extends BaseInterceptor
{
+ /** the logger for this class */
+ private static final Logger log = LoggerFactory.getLogger( DefaultAuthorizationService.class );
+
/** The service name */
public static final String NAME = "defaultAuthorizationService";
@@ -71,19 +80,16 @@
* the base distinguished {@link Name} for all users
*/
private static LdapDN USER_BASE_DN;
- private static LdapDN USER_BASE_DN_NORMALIZED;
/**
* the base distinguished {@link Name} for all groups
*/
private static LdapDN GROUP_BASE_DN;
- private static LdapDN GROUP_BASE_DN_NORMALIZED;
/**
* the distinguished {@link Name} for the administrator group
*/
private static LdapDN ADMIN_GROUP_DN;
- private static LdapDN ADMIN_GROUP_DN_NORMALIZED;
/**
* the name parser used by this service
@@ -96,6 +102,13 @@
private Map<String, OidNormalizer> normalizerMapping;
private PartitionNexus nexus;
+
+ /** attribute type registry */
+ private AttributeTypeRegistry attrRegistry;
+
+ /** A starage for the uniqueMember attributeType */
+ private AttributeType uniqueMemberAT;
+
/**
* Creates a new instance.
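Review bot: The Javadoc on `uniqueMemberAT` has a typo ("starage") and does not say when the field is populated; suggest `/** Cached AttributeType for uniqueMember, resolved from attrRegistry at initialization */`. In the visible code `attrRegistry` is only used to resolve this one type, so it could be a local variable unless other methods outside this diff need it.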
@@ -114,14 +127,18 @@
enabled = !factoryCfg.getStartupConfiguration().isAccessControlEnabled();
USER_BASE_DN = PartitionNexus.getUsersBaseName();
- USER_BASE_DN_NORMALIZED = LdapDN.normalize( USER_BASE_DN, normalizerMapping );
+ USER_BASE_DN.normalize( normalizerMapping );
GROUP_BASE_DN = PartitionNexus.getGroupsBaseName();
- GROUP_BASE_DN_NORMALIZED = LdapDN.normalize( GROUP_BASE_DN, normalizerMapping );
+ GROUP_BASE_DN.normalize( normalizerMapping );
ADMIN_GROUP_DN = new LdapDN( "cn=Administrators,ou=groups,ou=system" );
- ADMIN_GROUP_DN_NORMALIZED = ( LdapDN ) ADMIN_GROUP_DN.clone();
- ADMIN_GROUP_DN_NORMALIZED.normalize( normalizerMapping );
+ ADMIN_GROUP_DN.normalize( normalizerMapping );
+
+ attrRegistry = factoryCfg.getRegistries().getAttributeTypeRegistry();
+
+ uniqueMemberAT = attrRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
+
loadAdministrators();
}
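Review bot: `USER_BASE_DN.normalize( normalizerMapping )` and `GROUP_BASE_DN.normalize( normalizerMapping )` now normalize in place the objects returned by `PartitionNexus.getUsersBaseName()` and `getGroupsBaseName()`, where the removed code kept the normalized form in separate fields and cloned `ADMIN_GROUP_DN` before normalizing it. If those getters hand out a shared instance rather than a fresh copy (not visible here), every other holder of that DN is changed as a side effect. Since these DNs anchor the authorization checks further down, I would normalize a copy, e.g. `USER_BASE_DN = ( LdapDN ) PartitionNexus.getUsersBaseName().clone();` before the `normalize` call. The enclosing method starts outside the hunk.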
@@ -130,20 +147,22 @@
{
// read in the administrators and cache their normalized names
Set<String> newAdministrators = new HashSet<String>( 2 );
- Attributes adminGroup = nexus.lookup( new LookupOperationContext( ADMIN_GROUP_DN_NORMALIZED ) );
+ Attributes adminGroup = nexus.lookup( new LookupOperationContext( ADMIN_GROUP_DN ) );
if ( adminGroup == null )
{
return;
}
- Attribute uniqueMember = adminGroup.get( "uniqueMember" );
+ Attribute uniqueMember = AttributeUtils.getAttribute( adminGroup, uniqueMemberAT );
+
for ( int ii = 0; ii < uniqueMember.size(); ii++ )
{
LdapDN memberDn = new LdapDN( ( String ) uniqueMember.get( ii ) );
memberDn.normalize( normalizerMapping );
- newAdministrators.add( memberDn.toNormName() );
+ newAdministrators.add( memberDn.getNormName() );
}
+
administrators = newAdministrators;
}
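Review bot: `uniqueMember` is dereferenced in the `for` loop without a null check, so an Administrators entry with no uniqueMember values would throw a NullPointerException, assuming `AttributeUtils.getAttribute` returns null for a missing attribute as `Attributes.get` does. Because this method is also called after a modify of the admin group, that failure would leave the previously cached `administrators` set in place. Guard the loop with `if ( uniqueMember != null )` so an empty group yields an empty set. The early `return` on `adminGroup == null` has the same stale-cache effect and deserves a comment saying whether that is intended. The method signature is outside the hunk.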
@@ -164,40 +183,51 @@
LdapDN principalDn = getPrincipal().getJndiName();
- if ( name.toString().equals( "" ) )
+ if ( name.isEmpty() )
{
String msg = "The rootDSE cannot be deleted!";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
- if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+ if ( name.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
{
String msg = "The Administrators group cannot be deleted!";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
if ( isTheAdministrator( name ) )
{
- String msg = "User " + principalDn;
+ String msg = "User " + principalDn.getUpName();
msg += " does not have permission to delete the admin account.";
msg += " No one not even the admin can delete this account!";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
- if ( name.size() > 2 && name.startsWith( USER_BASE_DN ) && !isAnAdministrator( principalDn ) )
+ if ( name.size() > 2 )
{
- String msg = "User " + principalDn;
- msg += " does not have permission to delete the user account: ";
- msg += name + ". Only the admin can delete user accounts.";
- throw new LdapNoPermissionException( msg );
- }
-
- if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN ) && !isAnAdministrator( principalDn ) )
- {
- String msg = "User " + principalDn;
- msg += " does not have permission to delete the group entry: ";
- msg += name + ". Only the admin can delete groups.";
- throw new LdapNoPermissionException( msg );
+ if ( !isAnAdministrator( principalDn ) )
+ {
+ if ( name.startsWith( USER_BASE_DN ) )
+ {
+ String msg = "User " + principalDn.getUpName();
+ msg += " does not have permission to delete the user account: ";
+ msg += name.getUpName() + ". Only the admin can delete user accounts.";
+ log.error( msg );
+ throw new LdapNoPermissionException( msg );
+ }
+
+ if ( name.startsWith( GROUP_BASE_DN ) )
+ {
+ String msg = "User " + principalDn.getUpName();
+ msg += " does not have permission to delete the group entry: ";
+ msg += name.getUpName() + ". Only the admin can delete groups.";
+ log.error( msg );
+ throw new LdapNoPermissionException( msg );
+ }
+ }
}
nextInterceptor.delete( opContext );
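Review bot: The new `log.error( msg )` calls write a message built from `principalDn.getUpName()` and `name.getUpName()`, which look like the caller-supplied forms of the DNs, straight into the log. A DN value containing line breaks could then split or forge log records, and any client able to trigger a denial can produce error-level entries at will. I would log denials at `warn` (or to a dedicated audit logger) with parameterized arguments and CR/LF stripped from the DN text, e.g. `log.warn( "Delete denied for {} on {}", principal, target );`. The same applies to the `log.error( msg )` lines added in the modify, move/rename and lookup hunks below. The method starts outside this hunk.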
@@ -206,19 +236,18 @@
private final boolean isTheAdministrator( LdapDN normalizedDn )
{
- return normalizedDn.toNormName() == PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ||
- normalizedDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
+ return normalizedDn.getNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
}
- private final boolean isAnAdministrator( LdapDN normalizedDn ) throws NamingException
+ private final boolean isAnAdministrator( LdapDN normalizedDn )
{
if ( isTheAdministrator( normalizedDn ) )
{
return true;
}
- return administrators.contains( normalizedDn.toNormName() );
+ return administrators.contains( normalizedDn.getNormName() );
}
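Review bot: Both helpers now compare `normalizedDn.getNormName()`, and nothing documents that the argument must already be normalized. Callers in this file pass `getPrincipal().getJndiName()`; if `getNormName()` returns a stored value rather than computing one (not visible in this diff), an un-normalized DN would silently fail the admin match and the decision would rest on stale or empty text. Add Javadoc to both methods stating the precondition, e.g. `@param normalizedDn a DN on which normalize() has already been called`. Writing the comparison as `PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED.equals( normalizedDn.getNormName() )` would also make it null-safe.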
@@ -237,19 +266,21 @@
{
if ( enabled )
{
- protectModifyAlterations( opContext.getDn() );
+ LdapDN dn = opContext.getDn();
+
+ protectModifyAlterations( dn );
nextInterceptor.modify( opContext );
// update administrators if we change administrators group
- if ( opContext.getDn().getNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+ if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
{
loadAdministrators();
}
-
- return;
}
-
- nextInterceptor.modify( opContext );
+ else
+ {
+ nextInterceptor.modify( opContext );
+ }
}
@@ -257,44 +288,51 @@
{
LdapDN principalDn = getPrincipal().getJndiName();
- if ( dn.size() == 0 )
+ if ( dn.isEmpty() )
{
String msg = "The rootDSE cannot be modified!";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
if ( ! isAnAdministrator( principalDn ) )
{
// allow self modifications
- if ( dn.toNormName().equals( getPrincipal().getJndiName().toNormName() ) )
+ if ( dn.getNormName().equals( getPrincipal().getJndiName().getNormName() ) )
{
return;
}
- if ( dn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+ if ( dn.getNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
{
- String msg = "User " + principalDn;
+ String msg = "User " + principalDn.getUpName();
msg += " does not have permission to modify the account of the";
msg += " admin user.";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
- if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) )
- {
- String msg = "User " + principalDn;
- msg += " does not have permission to modify the account of the";
- msg += " user " + dn + ".\nEven the owner of an account cannot";
- msg += " modify it.\nUser accounts can only be modified by the";
- msg += " administrator.";
- throw new LdapNoPermissionException( msg );
- }
-
- if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
- {
- String msg = "User " + principalDn;
- msg += " does not have permission to modify the group entry ";
- msg += dn.getUpName() + ".\nGroups can only be modified by the admin.";
- throw new LdapNoPermissionException( msg );
+ if ( dn.size() > 2 )
+ {
+ if ( dn.startsWith( USER_BASE_DN ) )
+ {
+ String msg = "User " + principalDn.getUpName();
+ msg += " does not have permission to modify the account of the";
+ msg += " user " + dn.getUpName() + ".\nEven the owner of an account cannot";
+ msg += " modify it.\nUser accounts can only be modified by the";
+ msg += " administrator.";
+ log.error( msg );
+ throw new LdapNoPermissionException( msg );
+ }
+
+ if ( dn.startsWith( GROUP_BASE_DN ) )
+ {
+ String msg = "User " + principalDn.getUpName();
+ msg += " does not have permission to modify the group entry ";
+ msg += dn.getUpName() + ".\nGroups can only be modified by the admin.";
+ log.error( msg );
+ throw new LdapNoPermissionException( msg );
+ }
}
}
}
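Review bot: The self-modification check calls `getPrincipal().getJndiName()` a second time although `principalDn` already holds that value at the top of the method. Using `dn.getNormName().equals( principalDn.getNormName() )` keeps the comparison tied to the same principal object that the `isAnAdministrator` test used. The user-account message also still says "Even the owner of an account cannot modify it", which contradicts the early return for self modifications just above; reword it or drop that sentence. The method signature is outside the hunk.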
@@ -347,15 +385,18 @@
{
LdapDN principalDn = getPrincipal().getJndiName();
- if ( dn.toString().equals( "" ) )
+ if ( dn.isEmpty() )
{
String msg = "The rootDSE cannot be moved or renamed!";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
- if ( dn.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+ if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
{
- throw new LdapNoPermissionException( "The Administrators group cannot be moved or renamed!" );
+ String msg = "The Administrators group cannot be moved or renamed!";
+ log.error( msg );
+ throw new LdapNoPermissionException( msg );
}
if ( isTheAdministrator( dn ) )
@@ -363,24 +404,26 @@
String msg = "User '" + principalDn.getUpName();
msg += "' does not have permission to move or rename the admin";
msg += " account. No one not even the admin can move or";
- msg += " rename " + dn + "!";
+ msg += " rename " + dn.getUpName() + "!";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
- if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
+ if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && !isAnAdministrator( principalDn ) )
{
- String msg = "User '" + principalDn;
+ String msg = "User '" + principalDn.getUpName();
msg += "' does not have permission to move or rename the user";
- msg += " account: " + dn + ". Only the admin can move or";
+ msg += " account: " + dn.getUpName() + ". Only the admin can move or";
msg += " rename user accounts.";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
- if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
+ if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) && !isAnAdministrator( principalDn ) )
{
- String msg = "User " + principalDn;
+ String msg = "User " + principalDn.getUpName();
msg += " does not have permission to move or rename the group entry ";
- msg += dn + ".\nGroups can only be moved or renamed by the admin.";
+ msg += dn.getUpName() + ".\nGroups can only be moved or renamed by the admin.";
throw new LdapNoPermissionException( msg );
}
}
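Review bot: The group branch at the end is the only denial path in this method that did not receive `log.error( msg )`, so move or rename attempts on group entries go unrecorded while attempts on user accounts are logged. Add the call before the `throw` so the audit trail is consistent across branches. The quoting is also inconsistent: this branch builds `"User " + principalDn.getUpName()` while the two branches above it use `"User '"`.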
@@ -390,7 +433,7 @@
{
Attributes attributes = nextInterceptor.lookup( opContext );
- if ( !enabled || attributes == null )
+ if ( !enabled || ( attributes == null ) )
{
return attributes;
}
@@ -404,34 +447,40 @@
{
LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
LdapDN principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
+
if ( !isAnAdministrator( principalDn ) )
{
- if ( normalizedDn.size() > 2 && normalizedDn.startsWith( USER_BASE_DN_NORMALIZED ) )
+ if ( normalizedDn.size() > 2 )
{
- // allow for self reads
- if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+ if( normalizedDn.startsWith( USER_BASE_DN ) )
{
- return;
+ // allow for self reads
+ if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+ {
+ return;
+ }
+
+ String msg = "Access to user account '" + normalizedDn.getUpName() + "' not permitted";
+ msg += " for user '" + principalDn.getUpName() + "'. Only the admin can";
+ msg += " access user account information";
+ log.error( msg );
+ throw new LdapNoPermissionException( msg );
}
- String msg = "Access to user account '" + normalizedDn + "' not permitted";
- msg += " for user '" + principalDn + "'. Only the admin can";
- msg += " access user account information";
- throw new LdapNoPermissionException( msg );
- }
-
- if ( normalizedDn.size() > 2 && normalizedDn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
- {
- // allow for self reads
- if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+ if ( normalizedDn.startsWith( GROUP_BASE_DN ) )
{
- return;
+ // allow for self reads
+ if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+ {
+ return;
+ }
+
+ String msg = "Access to group '" + normalizedDn.getUpName() + "' not permitted";
+ msg += " for user '" + principalDn.getUpName() + "'. Only the admin can";
+ msg += " access group information";
+ log.error( msg );
+ throw new LdapNoPermissionException( msg );
}
-
- String msg = "Access to group '" + normalizedDn + "' not permitted";
- msg += " for user '" + principalDn + "'. Only the admin can";
- msg += " access group information";
- throw new LdapNoPermissionException( msg );
}
if ( isTheAdministrator( normalizedDn ) )
@@ -443,8 +492,9 @@
}
String msg = "Access to admin account not permitted for user '";
- msg += principalDn + "'. Only the admin can";
+ msg += principalDn.getUpName() + "'. Only the admin can";
msg += " access admin account information";
+ log.error( msg );
throw new LdapNoPermissionException( msg );
}
}
@@ -509,7 +559,8 @@
}
// Users reading their own entries should be allowed to see all
- boolean isSelfRead = dn.toNormName().equals( principalDn.toNormName() );
+ boolean isSelfRead = dn.getNormName().equals( principalDn.getNormName() );
+
if ( isSelfRead )
{
return true;
@@ -521,8 +572,8 @@
// stuff this if in here instead of up in outer if to prevent
// constant needless reexecution for all entries in other depths
- if ( dn.toNormName().endsWith( USER_BASE_DN_NORMALIZED.toNormName() )
- || dn.toNormName().endsWith( GROUP_BASE_DN_NORMALIZED.toNormName() ) )
+ if ( dn.getNormName().endsWith( USER_BASE_DN.getNormName() )
+ || dn.getNormName().endsWith( GROUP_BASE_DN.getNormName() ) )
{
return false;
}
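Review bot: `dn.getNormName().endsWith( USER_BASE_DN.getNormName() )` decides membership by string suffix, while the other checks in this file use `dn.size() > 2 && dn.startsWith( USER_BASE_DN )`. A suffix match also covers the base entries themselves and any DN whose normalized text merely ends with the same characters; it errs toward hiding entries, but the two styles can disagree about the same DN. I would use the structural test here as well, `dn.startsWith( USER_BASE_DN ) || dn.startsWith( GROUP_BASE_DN )`, unless the base entries are meant to be filtered too, in which case a comment should say so. The enclosing method starts outside the hunk.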