You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by el...@apache.org on 2010/05/29 19:36:49 UTC
svn commit: r949425 - in
/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core:
authz/DefaultAuthorizationInterceptor.java
exception/ExceptionInterceptor.java
Author: elecharny
Date: Sat May 29 17:36:49 2010
New Revision: 949425
URL: http://svn.apache.org/viewvc?rev=949425&view=rev
Log:
Some more cleanup for the modify operation : mainly cleaning DN operations.
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java?rev=949425&r1=949424&r2=949425&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java Sat May 29 17:36:49 2010
@@ -51,8 +51,8 @@ import org.apache.directory.server.core.
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
-import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.name.DN;
@@ -87,8 +87,8 @@ public class DefaultAuthorizationInterce
/** the distinguished {@link Name} for the administrator group */
private static DN ADMIN_GROUP_DN;
- private Set<String> administrators = new HashSet<String>(2);
-
+ private Set<String> administrators = new HashSet<String>( 2 );
+
private PartitionNexus nexus;
/** A starage for the uniqueMember attributeType */
@@ -111,48 +111,48 @@ public class DefaultAuthorizationInterce
ADMIN_SYSTEM_DN = new DN( ServerDNConstants.ADMIN_SYSTEM_DN );
ADMIN_SYSTEM_DN.normalize( schemaManager.getNormalizerMapping() );
-
+
GROUP_BASE_DN = new DN( ServerDNConstants.GROUPS_SYSTEM_DN );
GROUP_BASE_DN.normalize( schemaManager.getNormalizerMapping() );
-
+
ADMIN_GROUP_DN = new DN( ServerDNConstants.ADMINISTRATORS_GROUP_DN );
ADMIN_GROUP_DN.normalize( schemaManager.getNormalizerMapping() );
uniqueMemberAT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.UNIQUE_MEMBER_AT_OID );
-
+
loadAdministrators( directoryService );
}
-
-
+
+
private void loadAdministrators( DirectoryService directoryService ) throws Exception
{
// read in the administrators and cache their normalized names
Set<String> newAdministrators = new HashSet<String>( 2 );
DN adminDn = new DN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() );
- CoreSession adminSession = new DefaultCoreSession(
- new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService );
+ CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ),
+ directoryService );
Entry adminGroup = nexus.lookup( new LookupOperationContext( adminSession, ADMIN_GROUP_DN ) );
-
+
if ( adminGroup == null )
{
return;
}
-
+
EntryAttribute uniqueMember = adminGroup.get( uniqueMemberAT );
-
- for ( Value<?> value:uniqueMember )
+
+ for ( Value<?> value : uniqueMember )
{
DN memberDn = new DN( value.getString() );
memberDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() );
newAdministrators.add( memberDn.getNormName() );
}
-
+
administrators = newAdministrators;
}
-
+
// Note:
// Lookup, search and list operations need to be handled using a filter
// and so we need access to the filter service.
@@ -180,7 +180,7 @@ public class DefaultAuthorizationInterce
LOG.error( msg );
throw new LdapNoPermissionException( msg );
}
-
+
DN principalDN = getPrincipal().getDNRef();
if ( dn.equals( ADMIN_SYSTEM_DN ) )
@@ -198,7 +198,7 @@ public class DefaultAuthorizationInterce
LOG.error( msg );
throw new LdapNoPermissionException( msg );
}
-
+
if ( dn.isChildOf( GROUP_BASE_DN ) )
{
String msg = I18n.err( I18n.ERR_16, principalDN.getName(), dn.getName() );
@@ -210,18 +210,18 @@ public class DefaultAuthorizationInterce
nextInterceptor.delete( opContext );
}
-
+
private boolean isTheAdministrator( DN normalizedDn )
{
return normalizedDn.equals( ADMIN_SYSTEM_DN );
}
-
-
+
+
private boolean isAnAdministrator( DN dn )
{
return isTheAdministrator( dn ) || administrators.contains( dn.getNormName() );
}
-
+
// ------------------------------------------------------------------------
// Entry Modification Operations
@@ -233,18 +233,17 @@ public class DefaultAuthorizationInterce
* users to self access these resources. As far as we're concerned no one but
* the admin needs access.
*/
- public void modify( NextInterceptor nextInterceptor, ModifyOperationContext opContext )
- throws Exception
+ public void modify( NextInterceptor nextInterceptor, ModifyOperationContext opContext ) throws Exception
{
if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
{
DN dn = opContext.getDn();
-
+
protectModifyAlterations( dn );
nextInterceptor.modify( opContext );
// update administrators if we change administrators group
- if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
+ if ( dn.equals( ADMIN_GROUP_DN ) )
{
loadAdministrators( opContext.getSession().getDirectoryService() );
}
@@ -267,30 +266,30 @@ public class DefaultAuthorizationInterce
throw new LdapNoPermissionException( msg );
}
- if ( ! isAnAdministrator( principalDn ) )
+ if ( !isAnAdministrator( principalDn ) )
{
// allow self modifications
- if ( dn.getNormName().equals( getPrincipal().getName() ) )
+ if ( dn.equals( getPrincipal() ) )
{
return;
}
-
- if ( dn.getNormName().equals( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED ) )
+
+ if ( dn.equals( ServerDNConstants.ADMIN_SYSTEM_DN ) )
{
String msg = I18n.err( I18n.ERR_18, principalDn.getName() );
LOG.error( msg );
throw new LdapNoPermissionException( msg );
}
- if ( dn.size() > 2 )
- {
+ if ( dn.size() > 2 )
+ {
if ( dn.isChildOf( ADMIN_SYSTEM_DN ) )
{
- String msg = I18n.err( I18n.ERR_19, principalDn.getName(), dn.getName() );
+ String msg = I18n.err( I18n.ERR_19, principalDn.getName(), dn.getName() );
LOG.error( msg );
throw new LdapNoPermissionException( msg );
}
-
+
if ( dn.isChildOf( GROUP_BASE_DN ) )
{
String msg = I18n.err( I18n.ERR_20, principalDn.getName(), dn.getName() );
@@ -300,8 +299,8 @@ public class DefaultAuthorizationInterce
}
}
}
-
-
+
+
// ------------------------------------------------------------------------
// DN altering operations are a no no for any user entry. Basically here
// are the rules of conduct to follow:
@@ -311,14 +310,13 @@ public class DefaultAuthorizationInterce
// o The administrator entry cannot be moved or renamed by anyone
// ------------------------------------------------------------------------
- public void rename( NextInterceptor nextInterceptor, RenameOperationContext opContext )
- throws Exception
+ public void rename( NextInterceptor nextInterceptor, RenameOperationContext opContext ) throws Exception
{
if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
{
protectDnAlterations( opContext.getDn() );
}
-
+
nextInterceptor.rename( opContext );
}
@@ -329,18 +327,19 @@ public class DefaultAuthorizationInterce
{
protectDnAlterations( opContext.getDn() );
}
-
+
nextInterceptor.move( opContext );
}
- public void moveAndRename( NextInterceptor nextInterceptor, MoveAndRenameOperationContext opContext ) throws Exception
+ public void moveAndRename( NextInterceptor nextInterceptor, MoveAndRenameOperationContext opContext )
+ throws Exception
{
if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
{
protectDnAlterations( opContext.getDn() );
}
-
+
nextInterceptor.moveAndRename( opContext );
}
@@ -362,7 +361,7 @@ public class DefaultAuthorizationInterce
LOG.error( msg );
throw new LdapNoPermissionException( msg );
}
-
+
if ( isTheAdministrator( dn ) )
{
String msg = I18n.err( I18n.ERR_22, principalDn.getName(), dn.getName() );
@@ -390,14 +389,14 @@ public class DefaultAuthorizationInterce
{
CoreSession session = opContext.getSession();
Entry entry = nextInterceptor.lookup( opContext );
-
+
if ( session.getDirectoryService().isAccessControlEnabled() || ( entry == null ) )
{
return entry;
}
protectLookUp( session.getEffectivePrincipal().getDN(), opContext.getDn() );
-
+
return entry;
}
@@ -408,14 +407,14 @@ public class DefaultAuthorizationInterce
{
if ( normalizedDn.size() > 2 )
{
- if( normalizedDn.isChildOf( ADMIN_SYSTEM_DN ) )
+ if ( normalizedDn.isChildOf( ADMIN_SYSTEM_DN ) )
{
// allow for self reads
if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
{
return;
}
-
+
String msg = I18n.err( I18n.ERR_25, normalizedDn.getName(), principalDn.getName() );
LOG.error( msg );
throw new LdapNoPermissionException( msg );
@@ -428,7 +427,7 @@ public class DefaultAuthorizationInterce
{
return;
}
-
+
String msg = I18n.err( I18n.ERR_26, normalizedDn.getName(), principalDn.getName() );
LOG.error( msg );
throw new LdapNoPermissionException( msg );
@@ -443,7 +442,7 @@ public class DefaultAuthorizationInterce
return;
}
- String msg = I18n.err( I18n.ERR_27, principalDn.getName() );
+ String msg = I18n.err( I18n.ERR_27, principalDn.getName() );
LOG.error( msg );
throw new LdapNoPermissionException( msg );
}
@@ -451,7 +450,8 @@ public class DefaultAuthorizationInterce
}
- public EntryFilteringCursor search( NextInterceptor nextInterceptor, SearchOperationContext opContext ) throws Exception
+ public EntryFilteringCursor search( NextInterceptor nextInterceptor, SearchOperationContext opContext )
+ throws Exception
{
EntryFilteringCursor cursor = nextInterceptor.search( opContext );
@@ -460,7 +460,8 @@ public class DefaultAuthorizationInterce
return cursor;
}
- cursor.addEntryFilter( new EntryFilter() {
+ cursor.addEntryFilter( new EntryFilter()
+ {
public boolean accept( SearchingOperationContext operation, ClonedServerEntry result ) throws Exception
{
return DefaultAuthorizationInterceptor.this.isSearchable( operation, result );
@@ -470,10 +471,11 @@ public class DefaultAuthorizationInterce
}
- public EntryFilteringCursor list( NextInterceptor nextInterceptor, ListOperationContext opContext ) throws Exception
+ public EntryFilteringCursor list( NextInterceptor nextInterceptor, ListOperationContext opContext )
+ throws Exception
{
EntryFilteringCursor cursor = nextInterceptor.list( opContext );
-
+
if ( opContext.getSession().getDirectoryService().isAccessControlEnabled() )
{
return cursor;
@@ -496,7 +498,7 @@ public class DefaultAuthorizationInterce
{
DN principalDn = opContext.getSession().getEffectivePrincipal().getDN();
DN dn = result.getDn();
-
+
if ( !dn.isNormalized() )
{
dn.normalize( opContext.getSession().getDirectoryService().getSchemaManager().getNormalizerMapping() );
@@ -507,30 +509,30 @@ public class DefaultAuthorizationInterce
{
return true;
}
-
+
// Users reading their own entries should be allowed to see all
boolean isSelfRead = dn.getNormName().equals( principalDn.getNormName() );
-
+
if ( isSelfRead )
{
return true;
}
-
+
// Block off reads to anything under ou=users and ou=groups if not a self read
if ( dn.size() > 2 )
{
// stuff this if in here instead of up in outer if to prevent
// constant needless reexecution for all entries in other depths
-
- if ( dn.getNormName().endsWith( ADMIN_SYSTEM_DN.getNormName() )
+
+ if ( dn.getNormName().endsWith( ADMIN_SYSTEM_DN.getNormName() )
|| dn.getNormName().endsWith( GROUP_BASE_DN.getNormName() ) )
{
return false;
}
}
-
+
// Non-admin users cannot read the admin entry
- return ! isTheAdministrator( dn );
+ return !isTheAdministrator( dn );
}
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java?rev=949425&r1=949424&r2=949425&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java Sat May 29 17:36:49 2010
@@ -292,18 +292,21 @@ public class ExceptionInterceptor extend
// handle operations against the schema subentry in the schema service
// and never try to look it up in the nexus below
- if ( opContext.getDn().getNormName().equalsIgnoreCase( subschemSubentryDn.getNormName() ) )
+ if ( opContext.getDn().equals( subschemSubentryDn ) )
{
nextInterceptor.modify( opContext );
return;
}
+ // Check that the entry we read at the beginning exists. If
+ // not, we will throw an exception here
assertHasEntry( opContext, msg );
Entry entry = opContext.getEntry();
List<Modification> items = opContext.getModItems();
+ // Check that we aren't adding a value that already exists in the current entry
for ( Modification item : items )
{
if ( item.getOperation() == ModificationOperation.ADD_ATTRIBUTE )
@@ -317,7 +320,8 @@ public class ExceptionInterceptor extend
{
if ( entryAttr.contains( value ) )
{
- throw new LdapAttributeInUseException( I18n.err( I18n.ERR_254, value, modAttr.getId() ) );
+ throw new LdapAttributeInUseException( I18n.err( I18n.ERR_254_ADD_EXISTING_VALUE, value,
+ modAttr.getId() ) );
}
}
}