Posted to dev@directory.apache.org by "Alex Karasulu (JIRA)" <ji...@apache.org> on 2007/04/19 21:01:15 UTC

[jira] Commented: (DIRSERVER-884) Authorization, Prescriptive ACI Bug - Server start fails on bad ACI Entry

    [ https://issues.apache.org/jira/browse/DIRSERVER-884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12490142 ] 

Alex Karasulu commented on DIRSERVER-884:
-----------------------------------------

This problem will be solved once we start using all those nice syntaxCheckers that Emmanuel built.  This way the syntaxChecker will prevent the modification of the ACIEntry attribute with the incorrect syntax for the ACI.  I guess I need to start looking into doing this.  However this might not be possible in the 1.0.x branch since these syntaxCheckers are not available.  In this case I might need to add protective code in the authorizationService to prevent the server from bombing on an invalid ACI entry.

BTW this was a nice thorough JIRA report Quinn.  Thanks for it.

> Authorization, Prescriptive ACI Bug - Server start fails on bad ACI Entry
> -------------------------------------------------------------------------
>
>                 Key: DIRSERVER-884
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-884
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.0.1, 1.5.0
>         Environment: Confirmed on Windows XP and Mac OSX 10.4.8
>            Reporter: Timothy Quinn
>         Assigned To: Alex Karasulu
>            Priority: Critical
>             Fix For: 1.5.1, 1.0.2
>
>
> :: Summary ::
> ApacheDS server fails to start when an Access Control Subentry exists that contains a malformed prescriptiveACI. Just by simply removing a single brace from the ACI, the server startup fails on validation of the entry.
> :: Steps To Reproduce ::
> 1) Installed fresh version of ApacheDS (ok)
> 2) Started Server (ok)
> 3) Connected to server using LDAP Studio (ok)
> 4) Added administrativeRole attribute to entry (ok)
> 5) Added a good ACI Entry (copied from working server - ok)
> 6) Removed a curly brace from the prescriptiveaci attribute (ok)
> 7) Stopped and restarted server (barf)
> ... Server barfed out the error and server fails to start!:
> ~err_snip~
> TupleCache.subentryAdded - ACIItem parser failure on 'null'. Cannnot add ACITuples to TupleCache.
> java.text.ParseException: Parser failure on ACIItem:
>         {
>     identificationTag "enableSearchForAllUsers",
>     precedence 14,
>     .... ~skipping aci details for lack of relevance to issue~ ...
> }
> Antlr exception trace:
> unexpected token: name
>         at org.apache.directory.shared.ldap.aci.ACIItemParser.parse(ACIItemParser.java:128)
>         at org.apache.directory.server.core.authz.TupleCache.subentryAdded(TupleCache.java:186)
>         at org.apache.directory.server.core.authz.TupleCache.initialize (TupleCache.java:139)
>         at org.apache.directory.server.core.authz.TupleCache.<init>(TupleCache.java:101)
> ~/err_snip~
> 8) Try turning off accessControlEnabled flag in config.xml (ok)
> 9) Try Starting the server (barf)
> ... This is the most intuitive step to fix it but did not help.
> ... Server will still not start up!
> :: Workaround Steps ::
> 1) Comment out Authorization bean entry in server.xml (ok)
> 2) Restarted server (ok (whew!))
> 3) Connect to and fix bad ACI Entry using LDAP Studio (ok)
> 4) Stop the server (ok)
> 5) Remove Comment of Authorization bean entry in server.xml (ok)
> 6) Restarted server (ok)
> ... YeeeHaaa - Server started without any problems =)
> Notes:
> - See ApacheDS March 2007 Users mailing list thread titled "[ApacheDS Authorization] HELP - Server will no longer start"

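
The two defenses discussed in the comment above (rejecting a malformed ACI at modification time, and protective code so that startup survives one that is already stored), sketched as an added example that is not ApacheDS code. The class, its method names and the brace-balance check standing in for a real ACIItem parser are all hypothetical, and the sample entries are constructed.

```java
import java.text.ParseException;
import java.util.*;

/** Added illustration; class and method names are hypothetical, not ApacheDS code. */
public class TolerantAciLoader {

    /** Stand-in for a real ACIItem parser: only checks that braces balance outside quoted strings. */
    static void checkSyntax(String aci) throws ParseException {
        int depth = 0;
        boolean inQuotes = false;
        for (int i = 0; i < aci.length(); i++) {
            char c = aci.charAt(i);
            if (c == '"') inQuotes = !inQuotes;
            else if (!inQuotes && c == '{') depth++;
            else if (!inQuotes && c == '}' && --depth < 0)
                throw new ParseException("unmatched '}'", i);
        }
        if (inQuotes || depth != 0)
            throw new ParseException("unbalanced braces or quotes", aci.length());
    }

    /** Write path: reject a malformed value before it is ever stored. */
    static boolean acceptModification(String newAci) {
        try { checkSyntax(newAci); return true; }
        catch (ParseException e) { return false; }
    }

    /** Startup path: cache valid subentries, collect invalid ones instead of aborting. */
    static List<String> initialize(Map<String, String> subentries, Map<String, String> cache) {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : subentries.entrySet()) {
            try {
                checkSyntax(e.getValue());
                cache.put(e.getKey(), e.getValue());
            } catch (ParseException ex) {
                rejected.add(e.getKey());
                System.err.println("Skipping malformed prescriptiveACI in " + e.getKey() + ": " + ex.getMessage());
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        Map<String, String> stored = new LinkedHashMap<>(); // constructed sample data
        stored.put("cn=good,ou=system", "{ identificationTag \"a\", precedence 14 }");
        stored.put("cn=bad,ou=system", "{ identificationTag \"b\", precedence 14 ");
        Map<String, String> cache = new HashMap<>();
        System.out.println("rejected at startup: " + initialize(stored, cache));
        System.out.println("write accepted: " + acceptModification(stored.get("cn=bad,ou=system")));
    }
}
```

A skipped item contributes neither its grants nor its denials to access decisions, so the rejected list should be surfaced to the administrator rather than only logged.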