Posted to commits@directory.apache.org by el...@apache.org on 2009/07/22 00:04:02 UTC
svn commit: r796556 - in /directory/apacheds/trunk:
core/src/main/java/org/apache/directory/server/core/authn/
server-integ/src/test/java/org/apache/directory/server/operations/bind/
Author: elecharny
Date: Tue Jul 21 22:04:02 2009
New Revision: 796556
URL: http://svn.apache.org/viewvc?rev=796556&view=rev
Log:
Fix for DIRSERVER-1383 : A user can still read the rootDSE even if not bound (i.e. doing a simple search), but anonymous access is forbidden if allowAnonymousAccess is set to false.
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java
directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java
directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java Tue Jul 21 22:04:02 2009
@@ -50,12 +50,8 @@
*/
public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
{
- // We only allow Anonymous binds if the service allows them _or_
- // if the user wants to bind on the rootDSE
- // TODO : Fix this ASAP !!! This is a backdoor, we should not allow
- // a user to get in as anonymous simply because the bind request DN
- // is empty !
- if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty() )
+ // We only allow Anonymous binds if the service allows them
+ if ( getDirectoryService().isAllowAnonymousAccess() )
{
return LdapPrincipal.ANONYMOUS;
}
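Review bot: The contract of authenticate changed — an empty bind DN no longer yields LdapPrincipal.ANONYMOUS — but only the inline comment was updated; the method Javadoc, whose closing `*/` is the hunk's first context line and whose body is outside the hunk, should state the new rule so nobody reintroduces the removed shortcut. Something like `@return {@link LdapPrincipal#ANONYMOUS} only when the directory service allows anonymous access; an empty bind DN is no longer sufficient (DIRSERVER-1383)` would do. Since the log says unbound rootDSE reads must still work and this authenticator now rejects an anonymous bind whenever allowAnonymousAccess is false, a pointer in that Javadoc to where unbound rootDSE reads are handled would help the next reader; I cannot see that code here. The rejection path of authenticate continues past the end of the hunk.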
Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java (original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java Tue Jul 21 22:04:02 2009
@@ -39,6 +39,13 @@
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPUrl;
+
import org.apache.directory.server.core.DefaultDirectoryService;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.integ.IntegrationUtils;
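Review bot: `netscape.ldap.LDAPAttribute` and `netscape.ldap.LDAPEntry` are added here but nothing in this file's other hunk uses them — only LDAPUrl, LDAPConnection, LDAPSearchResults and LDAPException appear — so they look like unused imports unless the rest of the file, which I cannot see, references them. The SimpleBindIT import hunks have the same issue: `netscape.ldap.LDAPSearchResult` (singular) is imported but only `LDAPSearchResults` is used in the visible hunks, and `ServerIntegrationUtils.getWiredConnection` is statically imported twice, once in the first import hunk and again in the second alongside `getWiredContextThrowOnRefferal`; one of the two duplicate lines should go, and any import not referenced in the file removed.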
@@ -190,44 +197,28 @@
env.put( Context.SECURITY_AUTHENTICATION, "none" );
env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
- boolean connected = false;
- while ( !connected )
- {
- try
- {
- ic = new InitialDirContext( env );
- connected = true;
- }
- catch ( Exception e )
- {
- // We should not get here
- fail();
- }
- }
-
- ldapServer.getDirectoryService().setAllowAnonymousAccess( false );
-
try
{
- ic.search( "", "(objectClass=*)", new SearchControls() );
- fail( "If anonymous binds are disabled we should never get here!" );
+ ic = new InitialDirContext( env );
+ fail();
}
- catch ( NoPermissionException e )
+ catch ( Exception e )
{
+ // We should get here
}
- Attributes attrs = new BasicAttributes( true );
- Attribute oc = new BasicAttribute( "objectClass" );
- attrs.put( oc );
- oc.add( "top" );
- oc.add( "organizationalUnit" );
-
try
{
- ic.createSubcontext( "ou=blah", attrs );
+ // Use the netscape API as JNDI cannot be used to do a search without
+ // first binding.
+ LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(), "ou=system", new String[]{"vendorName"}, 0, "(ObjectClass=*)" );
+ LDAPSearchResults results = LDAPConnection.search( url );
+
+ fail();
}
- catch ( NoPermissionException e )
+ catch ( LDAPException e )
{
+ // Expected result
}
}
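Review bot: The negative case in the second `try` accepts any `LDAPException`, so a refused connection or a malformed URL passes the test just as an access-denied response does; the catch should pin the result code, e.g. `assertEquals( 50, e.getLDAPResultCode() ); // insufficientAccessRights`, using whichever code the server actually returns (the SaslBindIT test this commit removes asserted "error code 50" for the same situation). The same catch-anything pattern, ending in a no-op `assertTrue( true);`, is in the SimpleBindIT hunk for the `uid=admin,ou=system` search. The `catch ( Exception e )` around `new InitialDirContext( env )` is equally broad and should at least be `NamingException`, and the `results` local from `LDAPConnection.search( url )` is never read. The removed `setAllowAnonymousAccess( false )` call is not visible elsewhere in this hunk; if it was not moved earlier in the method, whose start is outside the hunk, the test no longer establishes the precondition it depends on.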
Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java (original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java Tue Jul 21 22:04:02 2009
@@ -30,7 +30,6 @@
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
-import javax.naming.NoPermissionException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
@@ -299,40 +298,6 @@
/**
- * Tests to make sure binds below the RootDSE require authentication.
- */
- @Test
- public void testAnonymousBelowRootDSE()
- {
- ldapServer.getDirectoryService().setAllowAnonymousAccess( false );
-
- try
- {
- Hashtable<String, String> env = new Hashtable<String, String>();
- env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
- env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapServer.getPort() );
-
- DirContext context = new InitialDirContext( env );
-
- String[] attrIDs =
- { "vendorName" };
-
- context.getAttributes( "dc=example,dc=com", attrIDs );
-
- fail( "Should not have gotten here." );
- }
- catch ( NoPermissionException npe )
- {
- assertTrue( npe.getMessage().contains( "error code 50" ) );
- }
- catch ( NamingException ne )
- {
- fail( "Should not have gotten here" );
- }
- }
-
-
- /**
* Tests to make sure CRAM-MD5 binds below the RootDSE work.
*/
@Test
Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java (original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java Tue Jul 21 22:04:02 2009
@@ -34,12 +34,21 @@
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSearchResult;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPUrl;
+
import org.apache.directory.server.core.integ.Level;
import org.apache.directory.server.core.integ.annotations.ApplyLdifs;
import org.apache.directory.server.core.integ.annotations.CleanupLevel;
import org.apache.directory.server.integ.SiRunner;
import org.apache.directory.server.ldap.LdapServer;
+import static org.apache.directory.server.integ.ServerIntegrationUtils.getWiredConnection;
import static org.junit.Assert.fail;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertEquals;
@@ -47,6 +56,9 @@
import org.junit.Test;
import org.junit.runner.RunWith;
+import static org.apache.directory.server.integ.ServerIntegrationUtils.getWiredConnection;
+import static org.apache.directory.server.integ.ServerIntegrationUtils.getWiredContextThrowOnRefferal;
+
/**
* An {@link AbstractServerTest} testing SIMPLE authentication.
@@ -262,37 +274,62 @@
try
{
ctx = new InitialDirContext(env);
+ fail();
}
catch ( NamingException ne )
{
- fail();
+ // Expected, as the server forbid anonymous access
}
- // We should be anonymous here.
// Check that we can read the rootDSE
try
{
- Attributes attrs = ctx.getAttributes( "", attrIDs );
-
- assertNotNull( attrs );
- assertEquals( "Apache Software Foundation", attrs.get( "vendorName" ).get() );
+ // Use the netscape API as JNDI cannot be used to do a search without
+ // first binding.
+ LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(), "", new String[]{"vendorName"}, 0, "(ObjectClass=*)" );
+ LDAPSearchResults results = LDAPConnection.search( url );
+
+ if ( results.hasMoreElements() )
+ {
+ LDAPEntry entry = results.next();
+
+ LDAPAttribute vendorName = entry.getAttribute( "vendorName" );
+
+ if ( vendorName != null )
+ {
+ assertEquals( "Apache Software Foundation", vendorName.getStringValueArray()[0] );
+ }
+ else
+ {
+ fail();
+ }
+ }
+ else
+ {
+ fail();
+ }
}
- catch ( NamingException ne )
+ catch ( LDAPException e )
{
- fail();
+ e.printStackTrace();
+ fail( "Should not have caught exception." );
}
// Check that we cannot read another entry being anonymous
try
{
- Attributes attrs = ctx.getAttributes( "uid=admin,ou=system", attrIDs );
-
- assertNotNull( attrs );
- assertEquals( 0, attrs.size() );
- fail( "Should not be able to read the root DSE" );
+ // Use the netscape API as JNDI cannot be used to do a search without
+ // first binding.
+ LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(),
+ "uid=admin,ou=system", attrIDs, 0, "(ObjectClass=*)" );
+ LDAPSearchResults results = LDAPConnection.search( url );
+
+ fail();
}
- catch ( NamingException ne )
+ catch ( LDAPException e )
{
+ // Expected
+ assertTrue( true);
}
ldapServer.getDirectoryService().setAllowAnonymousAccess( oldValue );
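Review bot: In the rootDSE `catch ( LDAPException e )` block, `e.printStackTrace()` followed by a fixed `fail( ... )` message puts the cause on stderr rather than in the test result; `fail( "Should not have caught exception: " + e )` (or rethrowing) keeps the diagnostic with the failure. `vendorName.getStringValueArray()[0]` will raise an ArrayIndexOutOfBoundsException, reported as an error rather than an assertion failure, if the attribute is present with no values; guarding the array length before indexing, or asserting on the whole array, makes the intent explicit. The `ctx` assigned in the first `try` is now expected never to be set, and nothing in this hunk reads it afterwards, so the variable may be dead in the new code; the enclosing method begins outside the hunk so I cannot confirm.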
@@ -364,34 +401,40 @@
* The configuration for this test case MUST disable anonymous access.
*/
@Test
- public void testAnonymousRootDSE()
+ public void testAnonymousRootDSESearch()
{
+
boolean oldValue = ldapServer.getDirectoryService().isAllowAnonymousAccess();
ldapServer.getDirectoryService().setAllowAnonymousAccess( false );
try
{
- Hashtable<String, String> env = new Hashtable<String, String>();
- env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
- env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapServer.getPort() );
-
- DirContext context = new InitialDirContext( env );
+ // Use the netscape API as JNDI cannot be used to do a search without
+ // first binding.
+ LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(), "", new String[]{"vendorName"}, 0, "(ObjectClass=*)" );
+ LDAPSearchResults results = LDAPConnection.search( url );
- String[] attrIDs =
- { "vendorName" };
-
- Attributes attrs = context.getAttributes( "", attrIDs );
+ if ( results.hasMoreElements() )
+ {
+ LDAPEntry entry = results.next();
- String vendorName = null;
+ LDAPAttribute vendorName = entry.getAttribute( "vendorName" );
- if ( attrs.get( "vendorName" ) != null )
+ if ( vendorName != null )
+ {
+ assertEquals( "Apache Software Foundation", vendorName.getStringValueArray()[0] );
+ }
+ else
+ {
+ fail();
+ }
+ }
+ else
{
- vendorName = ( String ) attrs.get( "vendorName" ).get();
+ fail();
}
-
- assertEquals( "Apache Software Foundation", vendorName );
}
- catch ( NamingException e )
+ catch ( LDAPException e )
{
e.printStackTrace();
fail( "Should not have caught exception." );