Posted to commits@directory.apache.org by ak...@apache.org on 2005/03/24 22:08:58 UTC

svn commit: r158946 - in directory: apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java

Author: akarasulu
Date: Thu Mar 24 13:08:56 2005
New Revision: 158946

URL: http://svn.apache.org/viewcvs?view=rev&rev=158946
Log:
While fixing the problem with the broken server.disable.anonymous property I 
noticed that anonymous binds are still possible with the bind operation.  Here's
why ...

In LDAP an anonymous bind is when an operation is requested without having had
a successful bind take place first.  For example a search can be attempted 
before bothering with performing a bind op.  This feature was in place for all requests
except the bind request.  So you could bind first anonymously to establish a 
logical session then execute a command like search as the user "" with no 
credentials.  This was a security hole. 

I fixed this by preventing a bind as well as other operations when certain 
conditions indicative of an anonymous bind are in effect.  

Modified:
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java
    directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java?view=diff&r1=158945&r2=158946
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java (original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java Thu Mar 24 13:08:56 2005
@@ -20,10 +20,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.util.Hashtable;
-import javax.naming.ConfigurationException;
-import javax.naming.Context;
-import javax.naming.InitialContext;
-import javax.naming.NamingException;
+import javax.naming.*;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.DirContext;
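Review bot: The four explicit `javax.naming` imports on the removed lines are collapsed into `import javax.naming.*;`, while the `javax.naming.directory` imports right below stay explicit, so the import block is now inconsistent with itself. The only new name the test needs is `NoPermissionException`; keeping the original four lines and adding `import javax.naming.NoPermissionException;` matches the file's style and avoids a wildcard that can silently shadow later additions.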
@@ -337,12 +334,27 @@
     {
         // Use the SUN JNDI provider to hit server port and bind as anonymous
 
-        Hashtable env = new Hashtable();
+        final Hashtable env = new Hashtable();
+
         env.put( Context.PROVIDER_URL, "ldap://localhost:" + port + "/ou=system" );
-        env.put( Context.SECURITY_PRINCIPAL, "none" );
 
-        InitialContext ctx = new InitialContext( env );
-        
-        assertNotNull( ctx );
+        env.put( Context.SECURITY_AUTHENTICATION, "none" );
+
+        env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
+
+        InitialContext ctx = null;
+
+        try
+        {
+            ctx = new InitialContext( env );
+
+            fail( "If anonymous binds are disabled we should never get here!" );
+        }
+        catch ( NoPermissionException e )
+        {
+            assertNull( ctx );
+
+            assertNotNull( e );
+        }
     }
 }
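Review bot: The two assertions inside `catch ( NoPermissionException e )` are vacuous: `ctx` can only be non-null if the constructor returned, in which case `fail( ... )` has already thrown, and `e` is never null inside a catch clause. What the test should pin is the failure reason, since any permission error would satisfy the catch; assuming the Sun provider surfaces the server's diagnostic text, `assertTrue( e.getMessage() != null && e.getMessage().indexOf( "Anonymous binds have been disabled" ) != -1 );` ties the test to the handler's rejection path. The test also only passes when `server.disable.anonymous` is present in the server environment, which is configured outside this hunk, and there is no sibling case showing that an anonymous bind still succeeds when the property is absent. The enclosing test method begins before this hunk.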

Modified: directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java?view=diff&r1=158945&r2=158946
==============================================================================
--- directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java (original)
+++ directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java Thu Mar 24 13:08:56 2005
@@ -32,6 +32,7 @@
 import org.apache.ldap.common.message.LdapResultImpl;
 import org.apache.ldap.common.message.ResultCodeEnum;
 import org.apache.ldap.common.util.ExceptionUtils;
+
 import org.apache.mina.protocol.ProtocolSession;
 import org.apache.mina.protocol.DemuxingProtocolHandler.MessageHandler;
 
@@ -50,31 +51,69 @@
     public void messageReceived( ProtocolSession session, Object request )
     {
         InitialLdapContext ictx;
+
         BindRequest req = ( BindRequest ) request;
+
         BindResponse resp = new BindResponseImpl( req.getMessageId() );
+
         LdapResult result = new LdapResultImpl( resp );
+
         resp.setLdapResult( result );
+
         Hashtable env = SessionRegistry.getSingleton().getEnvironment();
 
         // if the bind request is not simple then we freak: no strong auth yet
         if ( ! req.isSimple() )
         {
             result.setResultCode( ResultCodeEnum.AUTHMETHODNOTSUPPORTED );
+
             result.setErrorMessage( "Only simple binds currently supported" );
+
+            session.write( resp );
+
+            return;
+        }
+
+        boolean allowAnonymousBinds = true;
+
+        if ( env.containsKey( "server.disable.anonymous" ) )
+        {
+            allowAnonymousBinds = false;
+        }
+
+        boolean emptyCredentials = req.getCredentials() == null || req.getCredentials().length == 0;
+
+        boolean emptyDn = req.getName() == null || req.getName().length() == 0;
+
+        if ( emptyCredentials && emptyDn && ! allowAnonymousBinds )
+        {
+            result.setResultCode( ResultCodeEnum.INSUFFICIENTACCESSRIGHTS );
+
+            String msg = "Bind failure: Anonymous binds have been disabled!";
+
+            result.setErrorMessage( msg );
+
             session.write( resp );
+
             return;
         }
 
         // clone the environment first then add the required security settings
+
         String dn = req.getName();
+
         byte[] creds = req.getCredentials();
 
         env = ( Hashtable ) env.clone();
+
         env.put( Context.SECURITY_PRINCIPAL, dn );
+
         env.put( Context.SECURITY_CREDENTIALS, creds );
+
         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
 
         Control[] connCtls = ( Control[] ) req.getControls().toArray( EMPTY );
+
         try
         {
             ictx = new InitialLdapContext( env, connCtls );
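Review bot: The new guard at `if ( emptyCredentials && emptyDn && ! allowAnonymousBinds )` only rejects a bind that is empty on both sides; a request carrying a name but zero-length credentials (an "unauthenticated" bind in LDAP terms) still reaches `new InitialLdapContext( env, connCtls )` with `SECURITY_AUTHENTICATION` set to `simple` and empty credentials, so whether it is refused depends entirely on the core authenticator, which is not visible here. If the intent of the property is that no unauthenticated session is ever established, the condition should be `if ( emptyCredentials && ! allowAnonymousBinds )`, with the empty-name case still reported by the existing message. `env.containsKey( "server.disable.anonymous" )` disables anonymous binds on mere presence of the key, so a value of `false` still disables them; if that is deliberate it deserves `// presence of the key disables anonymous binds regardless of its value`, otherwise the value should be parsed. Further down, outside this hunk and unchanged by the commit, the catch path returns `ExceptionUtils.getStackTrace( e )` and `req.toString()` to the client in the result's error message; if `BindRequest.toString()` renders the credentials, that echoes the password back to the peer, so the detail belongs in the server log and the client should get a terse message. messageReceived continues past the end of this hunk.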
@@ -92,15 +131,22 @@
             }
 
             String msg = "Bind failure:\n" + ExceptionUtils.getStackTrace( e );
+
             msg += "\n\nBindRequest = \n" + req.toString();
+
             result.setErrorMessage( msg );
+
             session.write( resp );
+
             return;
         }
 
         SessionRegistry.getSingleton().setInitialLdapContext( session, ictx );
+
         result.setResultCode( ResultCodeEnum.SUCCESS );
+
         result.setMatchedDn( req.getName() );
+
         session.write( resp );
     }
 }