Posted to commits@directory.apache.org by el...@apache.org on 2011/01/17 16:54:20 UTC
svn commit: r1059961 -
/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
Author: elecharny
Date: Mon Jan 17 15:54:20 2011
New Revision: 1059961
URL: http://svn.apache.org/viewvc?rev=1059961&view=rev
Log:
Fix for https://issues.apache.org/jira/browse/DIRSERVER-1524 : the tuple and group caches are now reloaded at startup.
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=1059961&r1=1059960&r2=1059961&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Mon Jan 17 15:54:20 2011
@@ -37,7 +37,6 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.LdapPrincipal;
import org.apache.directory.server.core.authz.support.ACDFEngine;
import org.apache.directory.server.core.authz.support.AciContext;
-import org.apache.directory.server.core.authz.GroupCache;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.entry.ServerEntryUtils;
import org.apache.directory.server.core.filtering.EntryFilter;
@@ -59,6 +58,7 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
import org.apache.directory.server.core.partition.ByPassConstants;
+import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.server.core.subtree.SubentryInterceptor;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.aci.ACIItem;
@@ -71,10 +71,16 @@ import org.apache.directory.shared.ldap.
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Modification;
+import org.apache.directory.shared.ldap.entry.StringValue;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.exception.LdapOperationErrorException;
+import org.apache.directory.shared.ldap.exception.LdapOperationException;
+import org.apache.directory.shared.ldap.filter.EqualityNode;
+import org.apache.directory.shared.ldap.filter.ExprNode;
+import org.apache.directory.shared.ldap.filter.OrNode;
+import org.apache.directory.shared.ldap.message.AliasDerefMode;
import org.apache.directory.shared.ldap.name.DN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.SchemaManager;
@@ -167,8 +173,8 @@ public class AciAuthorizationInterceptor
/** The ObjectClass AttributeType */
private static AttributeType OBJECT_CLASS_AT;
- /** The AccessControlSubentry AttributeType */
- private static AttributeType ACCESS_CONTROL_SUBENTRY_AT;
+ /** The AccessControlSubentries AttributeType */
+ private static AttributeType ACCESS_CONTROL_SUBENTRIES_AT;
/** A storage for the entryACI attributeType */
private static AttributeType ENTRY_ACI_AT;
@@ -176,10 +182,106 @@ public class AciAuthorizationInterceptor
/** the subentry ACI attribute type */
private static AttributeType SUBENTRY_ACI_AT;
+ /** A reference to the nexus for direct backend operations */
+ private PartitionNexus nexus;
+
+ /** A reference to the DirectoryService instance */
+ private DirectoryService directoryService;
+
public static final SearchControls DEFAULT_SEARCH_CONTROLS = new SearchControls();
/**
+ * Load the Tuples into the cache
+ */
+ private void initTupleCache() throws LdapException
+ {
+ // Load all the prescriptiveACI : they are stored in AccessControlSubentry entries
+ DN adminDn = new DN( ServerDNConstants.ADMIN_SYSTEM_DN, schemaManager );
+
+ SearchControls controls = new SearchControls();
+ controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+ controls.setReturningAttributes( new String[]
+ { SchemaConstants.PRESCRIPTIVE_ACI_AT } );
+
+ ExprNode filter =
+ new EqualityNode<String>( OBJECT_CLASS_AT, new StringValue( SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC ) );
+
+ CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ),
+ directoryService );
+
+ SearchOperationContext searchOperationContext = new SearchOperationContext( adminSession, DN.EMPTY_DN, filter,
+ controls );
+
+ searchOperationContext.setAliasDerefMode( AliasDerefMode.NEVER_DEREF_ALIASES );
+
+ EntryFilteringCursor results = nexus.search( searchOperationContext );
+
+ try
+ {
+ while ( results.next() )
+ {
+ Entry entry = results.get();
+
+ tupleCache.subentryAdded( entry.getDn(), entry );
+ }
+
+ results.close();
+ }
+ catch ( Exception e )
+ {
+ throw new LdapOperationException( e.getMessage() );
+ }
+ }
+
+
+ /**
+ * Load the Groups into the cache
+ */
+ private void initGroupCache() throws LdapException
+ {
+ // Load all the member/uniqueMember : they are stored in groupOfNames/groupOfUniqueName
+ DN adminDn = new DN( ServerDNConstants.ADMIN_SYSTEM_DN, schemaManager );
+
+ SearchControls controls = new SearchControls();
+ controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+ controls.setReturningAttributes( new String[]
+ { SchemaConstants.MEMBER_AT, SchemaConstants.UNIQUE_MEMBER_AT } );
+
+ ExprNode filter =
+ new OrNode(
+ new EqualityNode<String>( OBJECT_CLASS_AT, new StringValue( SchemaConstants.GROUP_OF_NAMES_OC ) ),
+ new EqualityNode<String>( OBJECT_CLASS_AT, new StringValue( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) ) );
+
+ CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ),
+ directoryService );
+
+ SearchOperationContext searchOperationContext = new SearchOperationContext( adminSession, DN.EMPTY_DN, filter,
+ controls );
+
+ searchOperationContext.setAliasDerefMode( AliasDerefMode.NEVER_DEREF_ALIASES );
+
+ EntryFilteringCursor results = nexus.search( searchOperationContext );
+
+ try
+ {
+ while ( results.next() )
+ {
+ Entry entry = results.get();
+
+ groupCache.groupAdded( entry.getDn(), entry );
+ }
+
+ results.close();
+ }
+ catch ( Exception e )
+ {
+ throw new LdapOperationException( e.getMessage() );
+ }
+ }
+
+
+ /**
* Initializes this interceptor based service by getting a handle on the nexus, setting up
* the tuple and group membership caches, the ACIItem parser and the ACDF engine.
*
@@ -188,7 +290,10 @@ public class AciAuthorizationInterceptor
*/
public void init( DirectoryService directoryService ) throws LdapException
{
- super.init( directoryService );
+ LOG.debug( "Initializing the AciAuthorizationInterceptor" );
+
+ this.directoryService = directoryService;
+ nexus = directoryService.getPartitionNexus();
DN adminDn = directoryService.getDNFactory().create( ServerDNConstants.ADMIN_SYSTEM_DN );
CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ),
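Review bot: The `super.init( directoryService )` call is removed at L168 and nothing in this hunk replaces it; if `BaseInterceptor.init` sets up state this method relies on (for instance the `schemaManager` field used a few lines further down), that initialization is now skipped. If the removal is deliberate — because the base implementation does nothing this class needs, or the field is assigned elsewhere in the method — a one-line comment such as `// BaseInterceptor.init() is intentionally not called; the nexus and service are wired directly here` would keep the next reader from restoring it. The `init` method starts in this hunk but continues past it.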
@@ -202,7 +307,7 @@ public class AciAuthorizationInterceptor
// look up some constant information
OBJECT_CLASS_AT = schemaManager.getAttributeType( SchemaConstants.OBJECT_CLASS_AT );
- ACCESS_CONTROL_SUBENTRY_AT = schemaManager.getAttributeType( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT );
+ ACCESS_CONTROL_SUBENTRIES_AT = schemaManager.getAttributeType( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT );
ENTRY_ACI_AT = schemaManager.getAttributeType( SchemaConstants.ENTRY_ACI_AT_OID );
SUBENTRY_ACI_AT = schemaManager.getAttributeType( SchemaConstants.SUBENTRY_ACI_AT_OID );
@@ -215,6 +320,10 @@ public class AciAuthorizationInterceptor
SchemaConstants.SUBSCHEMA_SUBENTRY_AT ).get();
DN subschemaSubentryDnName = directoryService.getDNFactory().create( subschemaSubentry.getString() );
subschemaSubentryDn = subschemaSubentryDnName.getNormName();
+
+ // Init the caches now
+ initTupleCache();
+ initGroupCache();
}
@@ -284,7 +393,7 @@ public class AciAuthorizationInterceptor
originalEntry = opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS );
}
- EntryAttribute subentries = originalEntry.get( ACCESS_CONTROL_SUBENTRY_AT );
+ EntryAttribute subentries = originalEntry.get( ACCESS_CONTROL_SUBENTRIES_AT );
if ( subentries == null )
{