directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r375368 - in /directory/sandbox/akarasulu/rc1refactor/apacheds: core-unit/src/test/java/org/apache/ldap/server/authz/ core/src/main/java/org/apache/ldap/server/authz/ core/src/main/java/org/apache/ldap/server/authz/support/
Date Mon, 06 Feb 2006 20:52:35 GMT
Author: akarasulu
Date: Mon Feb  6 12:52:33 2006
New Revision: 375368

URL: http://svn.apache.org/viewcvs?rev=375368&view=rev
Log:
fix for DIREVE-328

Modified:
    directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java
    directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
    directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java

Modified: directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java?rev=375368&r1=375367&r2=375368&view=diff
==============================================================================
--- directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java
(original)
+++ directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java
Mon Feb  6 12:52:33 2006
@@ -384,6 +384,36 @@
 
 
     /**
+     * Checks to make sure name based userClass works for search operations
+     * when we vary the case of the DN.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantSearchByNameUserDnCase() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanSearchAs( "BillyD", "billyd" ) );
+
+        // now add a subentry that enables user billyd to add an entry below ou=system
+        createAccessControlSubentry( "billydSearch", "{ " +
+                "identificationTag \"searchAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanSearchAs( "BillyD", "billyd" ) );
+    }
+
+
+    /**
      * Checks to make sure subtree based userClass works for search operations.
      *
      * @throws javax.naming.NamingException if the test encounters an error

Modified: directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=375368&r1=375367&r2=375368&view=diff
==============================================================================
--- directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
(original)
+++ directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
Mon Feb  6 12:52:33 2006
@@ -330,7 +330,8 @@
     {
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( ! enabled )
@@ -340,7 +341,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) )
         {
             next.add( upName, normName, entry );
             tupleCache.subentryAdded( upName, normName, entry );
@@ -358,7 +359,7 @@
         }
 
         // Assemble all the information required to make an access control decision
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
 
         // Build the total collection of tuples to be considered for add rights
@@ -368,7 +369,7 @@
 
         // check if entry scope permission is granted
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
                 normName, null, null, ADD_PERMS, tuples, subentryAttrs );
 
         // now we must check if attribute type and value scope permission is granted
@@ -378,8 +379,8 @@
             Attribute attr = ( Attribute ) attributeList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( proxy, userGroups, user.getJndiName(),
-                        user.getAuthenticationLevel(), normName, attr.getID(),
+                engine.checkPermission( proxy, userGroups, userName,
+                        principal.getAuthenticationLevel(), normName, attr.getID(),
                         attr.get( ii ), ADD_PERMS, tuples, entry );
             }
         }
@@ -400,7 +401,8 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( ! enabled )
@@ -410,7 +412,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) )
         {
             next.delete( name );
             tupleCache.subentryDeleted( name, entry );
@@ -418,13 +420,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
name, null,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, null,
                 null, REMOVE_PERMS, tuples, entry );
 
         next.delete( name );
@@ -439,7 +441,8 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( ! enabled )
@@ -449,7 +452,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) )
         {
             next.modify( name, modOp, mods );
             tupleCache.subentryModified( name, modOp, mods, entry );
@@ -457,13 +460,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
name, null,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, null,
                 null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
 
         NamingEnumeration attrList = mods.getAll();
@@ -486,7 +489,7 @@
             Attribute attr = ( Attribute ) attrList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+                engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
                         name, attr.getID(), attr.get( ii ), perms, tuples, entry );
             }
         }
@@ -503,7 +506,8 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( ! enabled )
@@ -513,7 +517,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) )
         {
             next.modify( name, mods );
             tupleCache.subentryModified( name, mods, entry );
@@ -521,13 +525,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
name, null,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, null,
                 null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
 
         Collection perms = null;
@@ -549,7 +553,7 @@
             Attribute attr = mods[ii].getAttribute();
             for ( int jj = 0; jj < attr.size(); jj++ )
             {
-                engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+                engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
                         name, attr.getID(), attr.get( jj ), perms, tuples, entry );
             }
         }
@@ -565,22 +569,23 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
 
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) || ! enabled
                 || name.toString().trim().equals( "" ) ) // no checks on the rootdse
         {
             return next.hasEntry( name );
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
         // check that we have browse access to the entry
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
name, null,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, null,
                 null, BROWSE_PERMS, tuples, entry );
 
         return next.hasEntry( name );
@@ -602,7 +607,7 @@
      * @param entry the raw entry pulled from the nexus
      * @throws NamingException
      */
-    private void checkLookupAccess( LdapPrincipal user, Name dn, Attributes entry )
+    private void checkLookupAccess( LdapPrincipal principal, Name dn, Attributes entry )
             throws NamingException
     {
         // no permissions checks on the RootDSE
@@ -612,14 +617,15 @@
         }
 
         DirectoryPartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Name userName = dnParser.parse( principal.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, dn, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, dn, entry );
 
         // check that we have read access to the entry
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
dn, null,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
dn, null,
                 null, LOOKUP_PERMS, tuples, entry );
 
         // check that we have read access to every attribute type and value
@@ -629,7 +635,7 @@
             Attribute attr = ( Attribute ) attributeList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
dn,
+                engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
dn,
                         attr.getID(), attr.get( ii ), READ_PERMS, tuples, entry );
             }
         }
@@ -641,15 +647,14 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( dn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
 
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
+        if ( principal.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) || ! enabled )
         {
             return next.lookup( dn, attrIds );
         }
 
-        checkLookupAccess( user, dn, entry );
-
+        checkLookupAccess( principal, dn, entry );
         return next.lookup( dn, attrIds );
     }
 
@@ -667,7 +672,6 @@
         }
 
         checkLookupAccess( user, name, entry );
-
         return next.lookup( name );
     }
 
@@ -678,7 +682,8 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
         Name newName = ( Name ) name.clone();
         newName.remove( name.size() - 1 );
         newName.add( dnParser.parse( newRn ).get( 0 ) );
@@ -692,7 +697,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) )
         {
             next.modifyRn( name, newRn, deleteOldRn );
             tupleCache.subentryRenamed( name, newName );
@@ -702,13 +707,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
name, null,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, null,
                 null, RENAME_PERMS, tuples, entry );
 
 //        if ( deleteOldRn )
@@ -751,7 +756,8 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
         Name newName = ( Name ) newParentName.clone();
         newName.add( newRn );
 
@@ -763,7 +769,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) )
         {
             next.move( oriChildName, newParentName, newRn, deleteOldRn );
             tupleCache.subentryRenamed( oriChildName, newName );
@@ -771,20 +777,20 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, oriChildName, entry );
 
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
                 oriChildName, null, null, MOVERENAME_PERMS, tuples, entry );
 
         Collection destTuples = new HashSet();
         addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
         addEntryAciTuples( destTuples, entry );
         addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
                 oriChildName, null, null, IMPORT_PERMS, tuples, entry );
 
 //        if ( deleteOldRn )
@@ -828,7 +834,8 @@
         Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         Name newName = ( Name ) newParentName.clone();
         newName.add( oriChildName.get( oriChildName.size() - 1 ) );
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( ! enabled )
@@ -838,7 +845,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) )
         {
             next.move( oriChildName, newParentName );
             tupleCache.subentryRenamed( oriChildName, newName );
@@ -846,20 +853,20 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, oriChildName, entry );
 
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
                 oriChildName, null, null, EXPORT_PERMS, tuples, entry );
 
         Collection destTuples = new HashSet();
         addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
         addEntryAciTuples( destTuples, entry );
         addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
                 oriChildName, null, null, IMPORT_PERMS, tuples, entry );
 
         next.move( oriChildName, newParentName );
@@ -911,21 +918,23 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
+
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) || ! enabled )
         {
             return next.compare( name, oid, value );
         }
 
-        Set userGroups = groupCache.getGroups( user.getName() );
+        Set userGroups = groupCache.getGroups( userName.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
name, null,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, null,
                 null, READ_PERMS, tuples, entry );
-        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
name, oid,
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, oid,
                 value, COMPARE_PERMS, tuples, entry );
 
         return next.compare( name, oid, value );
@@ -937,8 +946,9 @@
         // Access the principal requesting the operation, and bypass checks if it is the
admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
-        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) ||
! enabled )
+        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        Name userName = dnParser.parse( principal.getName() );
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL
) || ! enabled )
         {
             return next.getMatchedName( dn, normalized );
         }
@@ -961,14 +971,14 @@
                 entry = proxy.lookup( matched, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
             }
 
-            Set userGroups = groupCache.getGroups( user.getName() );
+            Set userGroups = groupCache.getGroups( userName.toString() );
             Collection tuples = new HashSet();
             addPerscriptiveAciTuples( proxy, tuples, matched, entry );
             addEntryAciTuples( tuples, entry );
             addSubentryAciTuples( proxy, tuples, matched, entry );
 
-            if ( engine.hasPermission( proxy, userGroups, user.getJndiName(),
-                    user.getAuthenticationLevel(), matched, null, null,
+            if ( engine.hasPermission( proxy, userGroups, userName,
+                    principal.getAuthenticationLevel(), matched, null, null,
                     MATCHEDNAME_PERMS, tuples, entry ) )
             {
                 return matched;
@@ -996,7 +1006,7 @@
         */
         Attributes entry = invocation.getProxy().lookup( normName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
         ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
-        Name userDn = ctx.getPrincipal().getJndiName();
+        Name userDn = dnParser.parse( ctx.getPrincipal().getName() );
         Set userGroups = groupCache.getGroups( userDn.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, entry );

Modified: directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewcvs/directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java?rev=375368&r1=375367&r2=375368&view=diff
==============================================================================
--- directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
(original)
+++ directory/sandbox/akarasulu/rc1refactor/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
Mon Feb  6 12:52:33 2006
@@ -43,7 +43,7 @@
  */
 public class RelatedUserClassFilter implements ACITupleFilter
 {
-    private static final LdapName ROOTDSE_NAME = new LdapName();
+    private static final LdapName ROOTDSE_NAME = LdapName.EMPTY_LDAP_NAME;
 
     private final SubtreeEvaluator subtreeEvaluator;
 



Mime
View raw message