From kmars...@apache.org
Subject svn commit: r586611 - /db/derby/code/branches/10.3/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
Date Fri, 19 Oct 2007 20:59:38 GMT
Author: kmarsden
Date: Fri Oct 19 13:59:37 2007
New Revision: 586611

URL: http://svn.apache.org/viewvc?rev=586611&view=rev
Log:
DERBY-857  LDAP user authentication fails under a security manager

merge from trunk.


Modified:
    db/derby/code/branches/10.3/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java

Modified: db/derby/code/branches/10.3/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.3/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java?rev=586611&r1=586610&r2=586611&view=diff
==============================================================================
--- db/derby/code/branches/10.3/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
(original)
+++ db/derby/code/branches/10.3/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
Fri Oct 19 13:59:37 2007
@@ -37,6 +37,11 @@
 
 
 import java.util.Properties;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.sql.SQLException;
 
 /**
@@ -170,7 +175,10 @@
 			// Connect & authenticate (bind) to the LDAP server now
 
 			// it is happening right here
-			DirContext ctx = new InitialDirContext(env);
+
+            DirContext ctx =   privInitialDirContext(env);
+          
+            
 
 			// if the above was successfull, then username and
 			// password must be correct
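Review bot: The comment following the new `privInitialDirContext(env)` call concludes that a successful bind proves the user name and password, but with LDAP simple authentication a bind carrying an empty password is an unauthenticated bind (RFC 4513 §5.1.2) that many directory servers accept, so that conclusion only holds if an empty or null password has already been rejected before this point. The enclosing method starts and ends outside this hunk, so I cannot see whether such a guard exists; if it does not, one should be added ahead of the bind, and either way the assumption deserves a comment on the call, `// NOTE: an empty password yields an unauthenticated bind on many servers; callers must reject empty passwords before binding.`. As a point of style, the inserted line uses space indentation and a doubled space around `=` where the surrounding code is tab-indented, and the two whitespace-only lines after it should be dropped.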
@@ -189,7 +197,33 @@
 		throw getLoginSQLException(e);
 	}
 
-	/**
+	
+
+    /**
+     * Call new InitialDirContext in a privilege block
+     * @param env environment used to create the initial DirContext. Null indicates an empty
environment.
+     * @return an initial DirContext using the supplied environment. 
+     */
+    private DirContext privInitialDirContext(final Properties env) throws NamingException
{
+        try {
+            return ((InitialDirContext)AccessController.doPrivileged(
+                    new PrivilegedExceptionAction() {
+                        public Object run() throws SecurityException, NamingException {
+                            return new InitialDirContext(env);
+                    }
+                }));
+    } catch (PrivilegedActionException pae) {
+            Exception e = pae.getException();
+       
+            if (e instanceof NamingException)
+                    throw (NamingException)e;
+            else
+                throw (SecurityException)e;
+        }   
+   
+    }   
+
+    /**
 	 * This method basically tests and sets default/expected JNDI properties
 	 * for the JNDI provider scheme (here it is LDAP).
 	 *
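Review bot: In `privInitialDirContext` the `else throw (SecurityException)e;` branch cannot be reached as written: `PrivilegedActionException` only wraps checked exceptions thrown by `run()`, an unchecked `SecurityException` propagates out of `doPrivileged` on its own, and `NamingException` is the only checked exception `run()` declares — and if the branch were ever taken the blind cast would fail with a `ClassCastException` that discards the original cause. I would replace the two branches with `if (e instanceof NamingException) throw (NamingException) e;` followed by `throw new IllegalStateException("unexpected exception creating InitialDirContext", e);` so the cause is preserved, and add `@throws NamingException if the connect or bind to the LDAP server fails` to the Javadoc. Since the privileged block performs the JNDI connect with the engine's own permissions rather than the caller's, the method should also state that `env` must be built from Derby's configured LDAP properties only and never from connection-supplied values; from the visible call sites it appears to come from `initDirContextEnv`, but that is worth pinning in a comment on the method.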
@@ -353,14 +387,38 @@
 		{
 			if (SanityManager.DEBUG_ON(
 						AuthenticationServiceBase.AuthenticationTrace)) {
-				try {
-					initDirContextEnv.put("com.sun.naming.ldap.trace.ber",
-								new java.io.FileOutputStream("CloudLDAP.out"));
-				} catch (java.io.IOException ie) {}
+                             
+                                // This tracing needs some investigation and cleanup.
+                                // 1) It creates the file in user.dir instead of derby.system.home
+                                // 2) It doesn't seem to work. The file is empty after successful
+                                //    and unsuccessful ldap connects.  Perhaps the fileOutputStream
+                                // is never flushed and closed.
+                                // I (Kathey Marsden) wrapped this in a priv block and kept
the previous
+                                // behaviour that it will not stop processing if file 
+                                // creation fails. Perhaps that should be investigated as
well.
+                                FileOutputStream fos = null;
+                                try {
+                                    fos =  ((FileOutputStream)AccessController.doPrivileged(
+                                                new PrivilegedExceptionAction() {
+                                                    public Object run() throws SecurityException,
java.io.IOException {
+                                                        return new  FileOutputStream("DerbyLDAP.out");
+                                                    }
+                                                }));
+                                } catch (PrivilegedActionException pae) {
+                                    // If trace file creation fails do not stop execution.
                                   
+                                }
+                                if (fos != null)
+                                    initDirContextEnv.put("com.sun.naming.ldap.trace.ber",fos);
+
+				
 			}
 		}
 	}
 
+	
+	
+	
+
 	/**
 	 * Search for the full user's DN in the LDAP server.
 	 * LDAP server bind may or not be anonymous.
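Review bot: The trace property key `com.sun.naming.ldap.trace.ber` is, as far as I can tell, not the one the JDK LDAP provider reads — it looks for `com.sun.jndi.ldap.trace.ber` — which would explain item 2 of the new comment (the file is always empty). Before fixing the key, note what the trace would then contain: the BER trace is the raw protocol exchange, and for a simple bind that includes the bind DN and password in cleartext, so `DerbyLDAP.out`, created in `user.dir` with default permissions and never closed, would become a credential dump; this is gated on `SanityManager.DEBUG_ON`, so it only affects debug builds, but it still deserves a warning such as `// WARNING: the BER trace records the simple-bind DN and password in cleartext; enable only for isolated debugging.`. The empty `catch (PrivilegedActionException pae)` keeps the old best-effort behaviour, which is fine, but a trace-level log of `pae.getException()` would make the silent failure diagnosable.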
@@ -389,7 +447,7 @@
 		else
 			env = initDirContextEnv;
 
-		DirContext ctx = new InitialDirContext(env);
+		DirContext ctx = privInitialDirContext(env);
 
 		// Construct Search Filter
 		SearchControls ctls = new SearchControls();
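Review bot: The `DirContext` returned by the new `privInitialDirContext(env)` call should be closed when the search is finished, e.g. in a `try { … } finally { ctx.close(); }` around the search, so a failed or successful DN lookup does not leave an LDAP connection open; the rest of this method lies outside the hunk, so I cannot see whether that already happens. The search filter is built immediately after this line, also outside the hunk; if the user name is interpolated into it, it must be escaped per RFC 4515 or passed as a `{0}` filter argument to `DirContext.search` so that it cannot alter the filter.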


