directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r158946 - in directory: apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java
Date Thu, 24 Mar 2005 21:08:58 GMT
Author: akarasulu
Date: Thu Mar 24 13:08:56 2005
New Revision: 158946

URL: http://svn.apache.org/viewcvs?view=rev&rev=158946
Log:
While fixing the problem with the broken server.disable.anonymous property I 
noticed that anonymous binds are still possible with the bind operation.  Here's
why ...

In LDAP an anonymous bind is when an operation is requested without having had
a successful bind take place first.  For example a search can be attempted 
before bothering with performing a bind op.  This feature was there for all reqs
minus the bind request.  So you could bind first anonymously to establish a 
logical session then execute a command like search as the user "" with no 
credentials.  This was a security hole. 

I fixed this by preventing a bind as well as other operations when certain 
conditions indicative of an anonymous bind are in effect.  

Modified:
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java
    directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java?view=diff&r1=158945&r2=158946
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/jndi/SimpleAuthenticationTest.java
Thu Mar 24 13:08:56 2005
@@ -20,10 +20,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.util.Hashtable;
-import javax.naming.ConfigurationException;
-import javax.naming.Context;
-import javax.naming.InitialContext;
-import javax.naming.NamingException;
+import javax.naming.*;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.DirContext;
@@ -337,12 +334,27 @@
     {
         // Use the SUN JNDI provider to hit server port and bind as anonymous
 
-        Hashtable env = new Hashtable();
+        final Hashtable env = new Hashtable();
+
         env.put( Context.PROVIDER_URL, "ldap://localhost:" + port + "/ou=system" );
-        env.put( Context.SECURITY_PRINCIPAL, "none" );
 
-        InitialContext ctx = new InitialContext( env );
-        
-        assertNotNull( ctx );
+        env.put( Context.SECURITY_AUTHENTICATION, "none" );
+
+        env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
+
+        InitialContext ctx = null;
+
+        try
+        {
+            ctx = new InitialContext( env );
+
+            fail( "If anonymous binds are disabled we should never get here!" );
+        }
+        catch ( NoPermissionException e )
+        {
+            assertNull( ctx );
+
+            assertNotNull( e );
+        }
     }
 }

Modified: directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java?view=diff&r1=158945&r2=158946
==============================================================================
--- directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java
(original)
+++ directory/protocol-providers/ldap/trunk/src/main/java/org/apache/ldap/server/protocol/BindHandler.java
Thu Mar 24 13:08:56 2005
@@ -32,6 +32,7 @@
 import org.apache.ldap.common.message.LdapResultImpl;
 import org.apache.ldap.common.message.ResultCodeEnum;
 import org.apache.ldap.common.util.ExceptionUtils;
+
 import org.apache.mina.protocol.ProtocolSession;
 import org.apache.mina.protocol.DemuxingProtocolHandler.MessageHandler;
 
@@ -50,31 +51,69 @@
     public void messageReceived( ProtocolSession session, Object request )
     {
         InitialLdapContext ictx;
+
         BindRequest req = ( BindRequest ) request;
+
         BindResponse resp = new BindResponseImpl( req.getMessageId() );
+
         LdapResult result = new LdapResultImpl( resp );
+
         resp.setLdapResult( result );
+
         Hashtable env = SessionRegistry.getSingleton().getEnvironment();
 
         // if the bind request is not simple then we freak: no strong auth yet
         if ( ! req.isSimple() )
         {
             result.setResultCode( ResultCodeEnum.AUTHMETHODNOTSUPPORTED );
+
             result.setErrorMessage( "Only simple binds currently supported" );
+
+            session.write( resp );
+
+            return;
+        }
+
+        boolean allowAnonymousBinds = true;
+
+        if ( env.containsKey( "server.disable.anonymous" ) )
+        {
+            allowAnonymousBinds = false;
+        }
+
+        boolean emptyCredentials = req.getCredentials() == null || req.getCredentials().length
== 0;
+
+        boolean emptyDn = req.getName() == null || req.getName().length() == 0;
+
+        if ( emptyCredentials && emptyDn && ! allowAnonymousBinds )
+        {
+            result.setResultCode( ResultCodeEnum.INSUFFICIENTACCESSRIGHTS );
+
+            String msg = "Bind failure: Anonymous binds have been disabled!";
+
+            result.setErrorMessage( msg );
+
             session.write( resp );
+
             return;
         }
 
         // clone the environment first then add the required security settings
+
         String dn = req.getName();
+
         byte[] creds = req.getCredentials();
 
         env = ( Hashtable ) env.clone();
+
         env.put( Context.SECURITY_PRINCIPAL, dn );
+
         env.put( Context.SECURITY_CREDENTIALS, creds );
+
         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
 
         Control[] connCtls = ( Control[] ) req.getControls().toArray( EMPTY );
+
         try
         {
             ictx = new InitialLdapContext( env, connCtls );
@@ -92,15 +131,22 @@
             }
 
             String msg = "Bind failure:\n" + ExceptionUtils.getStackTrace( e );
+
             msg += "\n\nBindRequest = \n" + req.toString();
+
             result.setErrorMessage( msg );
+
             session.write( resp );
+
             return;
         }
 
         SessionRegistry.getSingleton().setInitialLdapContext( session, ictx );
+
         result.setResultCode( ResultCodeEnum.SUCCESS );
+
         result.setMatchedDn( req.getName() );
+
         session.write( resp );
     }
 }



Mime
View raw message