From akaras...@apache.org
Subject svn commit: r414035 [2/8] - in /directory/trunks/apacheds: ./ core-plugin/ core-shared/ core-unit/ core-unit/src/main/java/org/apache/directory/server/core/unit/ core-unit/src/test/java/org/apache/directory/server/core/ core-unit/src/test/java/org/apac...
Date Wed, 14 Jun 2006 03:22:12 GMT
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java Tue Jun 13 20:22:05 2006
@@ -18,6 +18,7 @@
 
 
 import org.apache.directory.server.core.DirectoryServiceConfiguration;
+import org.apache.directory.server.core.ServerUtils;
 import org.apache.directory.server.core.authn.LdapPrincipal;
 import org.apache.directory.server.core.authz.support.ACDFEngine;
 import org.apache.directory.server.core.configuration.InterceptorConfiguration;
@@ -34,6 +35,7 @@
 import org.apache.directory.server.core.partition.DirectoryPartitionNexusProxy;
 import org.apache.directory.server.core.schema.AttributeTypeRegistry;
 import org.apache.directory.server.core.schema.ConcreteNameComponentNormalizer;
+import org.apache.directory.server.core.schema.OidRegistry;
 import org.apache.directory.server.core.subtree.SubentryService;
 import org.apache.directory.shared.ldap.aci.ACIItem;
 import org.apache.directory.shared.ldap.aci.ACIItemParser;
@@ -41,13 +43,13 @@
 import org.apache.directory.shared.ldap.exception.LdapNamingException;
 import org.apache.directory.shared.ldap.filter.ExprNode;
 import org.apache.directory.shared.ldap.message.ResultCodeEnum;
-import org.apache.directory.shared.ldap.name.DnParser;
-import org.apache.directory.shared.ldap.name.LdapName;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import org.apache.directory.shared.ldap.schema.AttributeType;
+import org.apache.directory.shared.ldap.util.AttributeUtils;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.NamingEnumeration;
 import javax.naming.directory.*;
@@ -131,8 +133,6 @@
     private GroupCache groupCache;
     /** a normalizing ACIItem parser */
     private ACIItemParser aciParser;
-    /** a normalizing DN parser */
-    private DnParser dnParser;
     /** use and instance of the ACDF engine */
     private ACDFEngine engine;
     /** interceptor chain */
@@ -144,7 +144,14 @@
     /** the system wide subschemaSubentryDn */
     private String subschemaSubentryDn;
 
+    private AttributeType objectClassType;
+    private AttributeType acSubentryType;
+    
+    private String objectClassOid;
+    private String subentryOid;
+    private String acSubentryOid;
 
+    
     /**
      * Initializes this interceptor based service by getting a handle on the nexus, setting up
      * the tupe and group membership caches and the ACIItem parser and the ACDF engine.
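Review bot: The five fields added at the top of this hunk (`objectClassType`, `acSubentryType`, `objectClassOid`, `subentryOid`, `acSubentryOid`) carry no Javadoc, while every neighbouring field in the class has one. They are resolved once from the registries in `init()` in the next hunk and then read from `addPerscriptiveAciTuples`, so a one-liner such as `/** objectClass attributeType and OID, resolved from the registries in init() */` above the first pair, and the equivalent for the `AC_SUBENTRY_ATTR` pair and `subentryOid`, would make that lifecycle visible to the next reader. The two added whitespace-only lines in the hunk could be dropped at the same time.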
@@ -159,8 +166,16 @@
         tupleCache = new TupleCache( factoryCfg );
         groupCache = new GroupCache( factoryCfg );
         attrRegistry = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry();
-        aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( attrRegistry ) );
-        dnParser = new DnParser( new ConcreteNameComponentNormalizer( attrRegistry ) );
+        OidRegistry oidRegistry = factoryCfg.getGlobalRegistries().getOidRegistry();
+        
+        // look up some constant information
+        objectClassOid = oidRegistry.getOid( "objectClass" );
+        subentryOid = oidRegistry.getOid( "subentry" );
+        acSubentryOid = oidRegistry.getOid( AC_SUBENTRY_ATTR );
+        objectClassType = attrRegistry.lookup( objectClassOid );
+        acSubentryType = attrRegistry.lookup( acSubentryOid );
+        
+        aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( attrRegistry, oidRegistry ) );
         engine = new ACDFEngine( factoryCfg.getGlobalRegistries().getOidRegistry(), attrRegistry );
         chain = factoryCfg.getInterceptorChain();
         enabled = factoryCfg.getStartupConfiguration().isAccessControlEnabled();
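Review bot: `engine = new ACDFEngine( factoryCfg.getGlobalRegistries().getOidRegistry(), attrRegistry )` re-fetches the registry that this hunk already bound to the `oidRegistry` local a few lines earlier; passing `oidRegistry` instead makes it evident that the parser and the engine resolve names against the same instance. The comment `// look up some constant information` could also say what happens when a name is missing: from here I cannot tell whether `oidRegistry.getOid` and `attrRegistry.lookup` throw or return null for an unknown name, and if they return null the interceptor fails later inside a per-operation access check rather than at startup, so a `NamingException` guard here would keep an incomplete schema from leaving the authorization path half-configured. `init`'s body continues in the next hunk.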
@@ -168,7 +183,17 @@
         // stuff for dealing with subentries (garbage for now)
         String subschemaSubentry = ( String ) factoryCfg.getPartitionNexus().getRootDSE().get( "subschemaSubentry" )
             .get();
-        subschemaSubentryDn = new LdapName( subschemaSubentry ).toString().toLowerCase();
+        LdapDN subschemaSubentryDnName = new LdapDN( subschemaSubentry );
+        subschemaSubentryDnName.normalize();
+        subschemaSubentryDn = subschemaSubentryDnName.toNormName();
+    }
+
+
+    private LdapDN parseNormalized( String name ) throws NamingException
+    {
+        LdapDN dn = new LdapDN( name );
+        dn.normalize();
+        return dn;
     }
 
 
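Review bot: `parseNormalized` is new and has no Javadoc, yet it is the single place from which every interceptor method below now obtains the principal DN that is compared against the admin principal and used as the group-cache key, so its contract deserves stating: `/** Parses a DN string and normalizes it in place; callers compare the result's toNormName(). @throws NamingException if the name does not parse */`. It would also be worth a sentence on whether the returned object is safe to hand to `tupleCache`/`groupCache`, since those calls previously received `DnParser` output.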
@@ -185,9 +210,11 @@
      * @param entry the target entry that access to is being controled
      * @throws NamingException if there are problems accessing attribute values
      */
-    private void addPerscriptiveAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples, Name dn,
+    private void addPerscriptiveAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples, LdapDN dn,
         Attributes entry ) throws NamingException
     {
+        Attribute oc = ServerUtils.getAttribute( objectClassType, entry );
+        
         /*
          * If the protected entry is a subentry, then the entry being evaluated
          * for perscriptiveACIs is in fact the administrative entry.  By
@@ -197,14 +224,14 @@
          * to be in the same naming context as their access point so the subentries
          * effecting their parent entry applies to them as well.
          */
-        if ( entry.get( "objectClass" ).contains( "subentry" ) )
+        if ( AttributeUtils.containsValue( oc, "subentry", objectClassType ) || oc.contains( subentryOid ) )
         {
-            Name parentDn = ( Name ) dn.clone();
+            LdapDN parentDn = ( LdapDN ) dn.clone();
             parentDn.remove( dn.size() - 1 );
             entry = proxy.lookup( parentDn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         }
 
-        Attribute subentries = entry.get( AC_SUBENTRY_ATTR );
+        Attribute subentries = ServerUtils.getAttribute( acSubentryType, entry );
         if ( subentries == null )
         {
             return;
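Review bot: `oc` is dereferenced on the changed `if` line by `oc.contains( subentryOid )`, but it comes from `ServerUtils.getAttribute`, the same helper whose result is null-checked a few lines later for `subentries`; an entry with no objectClass attribute therefore throws NullPointerException from inside the authorization interceptor instead of being treated as a non-subentry. The previous `entry.get( "objectClass" ).contains( "subentry" )` had the same gap, so this is not a regression, but the rewrite is the moment to close it: `if ( oc != null && ( AttributeUtils.containsValue( oc, "subentry", objectClassType ) || oc.contains( subentryOid ) ) )`. Whether `AttributeUtils.containsValue` itself tolerates a null attribute is not visible here. The method's signature is in the previous hunk and its body continues past this one.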
@@ -263,7 +290,7 @@
      * @param entry the target entry that access to is being regulated
      * @throws NamingException if there are problems accessing attribute values
      */
-    private void addSubentryAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples, Name dn, Attributes entry )
+    private void addSubentryAciTuples( DirectoryPartitionNexusProxy proxy, Collection tuples, LdapDN dn, Attributes entry )
         throws NamingException
     {
         // only perform this for subentries
@@ -274,7 +301,7 @@
 
         // get the parent or administrative entry for this subentry since it
         // will contain the subentryACI attributes that effect subentries
-        Name parentDn = ( Name ) dn.clone();
+        LdapDN parentDn = ( LdapDN ) dn.clone();
         parentDn.remove( dn.size() - 1 );
         Attributes administrativeEntry = proxy.lookup( parentDn, new String[]
             { SUBENTRYACI_ATTR }, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
@@ -327,26 +354,26 @@
      * -------------------------------------------------------------------------------
      */
 
-    public void add( NextInterceptor next, String upName, Name normName, Attributes entry ) throws NamingException
+    public void add( NextInterceptor next, LdapDN normName, Attributes entry ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
+        LdapDN userName = parseNormalized( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( !enabled )
         {
-            next.add( upName, normName, entry );
+            next.add( normName, entry );
             return;
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toNormName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
-            next.add( upName, normName, entry );
-            tupleCache.subentryAdded( upName, normName, entry );
-            groupCache.groupAdded( upName, normName, entry );
+            next.add( normName, entry );
+            tupleCache.subentryAdded( normName.toNormName(), normName, entry );
+            groupCache.groupAdded( normName.toNormName(), normName, entry );
             return;
         }
 
@@ -360,7 +387,7 @@
         }
 
         // Assemble all the information required to make an access control decision
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( userName.toNormName() );
         Collection tuples = new HashSet();
 
         // Build the total collection of tuples to be considered for add rights
@@ -386,23 +413,23 @@
         }
 
         // if we've gotten this far then access has been granted
-        next.add( upName, normName, entry );
+        next.add( normName, entry );
 
         // if the entry added is a subentry or a groupOf[Unique]Names we must
         // update the ACITuple cache and the groups cache to keep them in sync
-        tupleCache.subentryAdded( upName, normName, entry );
-        groupCache.groupAdded( upName, normName, entry );
+        tupleCache.subentryAdded( normName.toNormName(), normName, entry );
+        groupCache.groupAdded( normName.toNormName(), normName, entry );
     }
 
 
-    public void delete( NextInterceptor next, Name name ) throws NamingException
+    public void delete( NextInterceptor next, LdapDN name ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
+        LdapDN userName = parseNormalized( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( !enabled )
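Review bot: `tupleCache.subentryAdded( normName.toNormName(), normName, entry )` and the `groupCache.groupAdded` line below it now pass the normalized string where the removed `upName` argument used to go, here and in the admin-bypass branch of `add` in the previous hunk. `cacheNewGroup( String upName, LdapDN normName, ... )` later in this file still names that first parameter `upName`, so the two caches now receive the normalized DN under a parameter whose name promises the user-provided form. If `LdapDN` exposes the original form (`getUpName()`, if I recall the API correctly) that is the value to pass; otherwise the cache signatures should drop the parameter so the change of meaning is explicit rather than silent. `delete`'s body continues in the next hunk.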
@@ -412,7 +439,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
             next.delete( name );
             tupleCache.subentryDeleted( name, entry );
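Review bot: The admin bypass on the changed line compares `userName.toString()` with `ADMIN_PRINCIPAL_NORMALIZED`, while `add` and `hasEntry` compare `userName.toNormName()`, and `search`, `compare` and the single-argument `lookup` use case-sensitive `equals` on `toNormName()`; as far as I can tell `LdapDN.toString()` yields the user-provided form rather than the normalized one, so a principal DN written with extra spaces or different escaping would pass the admin test in one interceptor method and fail it in the next. The same `toString()` comparison is on the changed line of both `modify` overloads, `modifyRn`, both `move` overloads and `getMatchedName`. An authorization interceptor should decide "is this the admin" in exactly one place, e.g. a private `isAdmin( LdapDN userName )` returning `userName.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED )` (or `equalsIgnoreCase`, whichever the constant's form requires), called from every method. `delete`'s body continues beyond this hunk.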
@@ -435,14 +462,14 @@
     }
 
 
-    public void modify( NextInterceptor next, Name name, int modOp, Attributes mods ) throws NamingException
+    public void modify( NextInterceptor next, LdapDN name, int modOp, Attributes mods ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
+        LdapDN userName = parseNormalized( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -452,7 +479,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
             next.modify( name, modOp, mods );
             tupleCache.subentryModified( name, modOp, mods, entry );
@@ -500,14 +527,14 @@
     }
 
 
-    public void modify( NextInterceptor next, Name name, ModificationItem[] mods ) throws NamingException
+    public void modify( NextInterceptor next, LdapDN name, ModificationItem[] mods ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
+        LdapDN userName = parseNormalized( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -517,7 +544,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
             next.modify( name, mods );
             tupleCache.subentryModified( name, mods, entry );
@@ -564,21 +591,21 @@
     }
 
 
-    public boolean hasEntry( NextInterceptor next, Name name ) throws NamingException
+    public boolean hasEntry( NextInterceptor next, LdapDN name ) throws NamingException
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
+        LdapDN userName = parseNormalized( principal.getName() );
 
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled
+        if ( userName.toNormName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled
             || name.toString().trim().equals( "" ) ) // no checks on the rootdse
         {
             return next.hasEntry( name );
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( userName.toNormName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
@@ -602,12 +629,12 @@
      * perms to attributes and their values results in their removal when returning
      * the entry.
      *
-     * @param user the user associated with the call
+     * @param principal the user associated with the call
      * @param dn the name of the entry being looked up
      * @param entry the raw entry pulled from the nexus
      * @throws NamingException
      */
-    private void checkLookupAccess( LdapPrincipal principal, Name dn, Attributes entry ) throws NamingException
+    private void checkLookupAccess( LdapPrincipal principal, LdapDN dn, Attributes entry ) throws NamingException
     {
         // no permissions checks on the RootDSE
         if ( dn.toString().trim().equals( "" ) )
@@ -616,8 +643,8 @@
         }
 
         DirectoryPartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
-        Name userName = dnParser.parse( principal.getName() );
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        LdapDN userName = parseNormalized( principal.getName() );
+        Set userGroups = groupCache.getGroups( userName.toNormName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, dn, entry );
         addEntryAciTuples( tuples, entry );
@@ -641,14 +668,16 @@
     }
 
 
-    public Attributes lookup( NextInterceptor next, Name dn, String[] attrIds ) throws NamingException
+    public Attributes lookup( NextInterceptor next, LdapDN dn, String[] attrIds ) throws NamingException
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( dn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-
-        if ( principal.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
+        LdapDN principalDn = new LdapDN( principal.getName() );
+        principalDn.normalize();
+        
+        if ( principalDn.toNormName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
         {
             return next.lookup( dn, attrIds );
         }
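Review bot: The added `LdapDN principalDn = new LdapDN( principal.getName() ); principalDn.normalize();` pair re-implements `parseNormalized`, the helper this commit introduces and uses in every other method, and `search` inlines the same two lines; `LdapDN principalDn = parseNormalized( principal.getName() );` keeps a single normalization path for the identity that gates access. This overload also keeps `equalsIgnoreCase` whereas the single-argument `lookup` directly below switches to `equals`, which is the kind of drift that is hard to spot once the two are pages apart. `lookup`'s body continues beyond this hunk.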
@@ -658,14 +687,15 @@
     }
 
 
-    public Attributes lookup( NextInterceptor next, Name name ) throws NamingException
+    public Attributes lookup( NextInterceptor next, LdapDN name ) throws NamingException
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
+        LdapDN principalDn = parseNormalized( user.getName() );
+        
+        if ( principalDn.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
         {
             return next.lookup( name );
         }
@@ -675,17 +705,17 @@
     }
 
 
-    public void modifyRn( NextInterceptor next, Name name, String newRn, boolean deleteOldRn ) throws NamingException
+    public void modifyRn( NextInterceptor next, LdapDN name, String newRn, boolean deleteOldRn ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
-        Name newName = ( Name ) name.clone();
+        LdapDN userName = parseNormalized( principal.getName() );
+        LdapDN newName = ( LdapDN ) name.clone();
         newName.remove( name.size() - 1 );
-        newName.add( dnParser.parse( newRn ).get( 0 ) );
+        newName.add( parseNormalized( newRn ).get( 0 ) );
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -695,7 +725,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
             next.modifyRn( name, newRn, deleteOldRn );
             tupleCache.subentryRenamed( name, newName );
@@ -747,7 +777,7 @@
     }
 
 
-    public void move( NextInterceptor next, Name oriChildName, Name newParentName, String newRn, boolean deleteOldRn )
+    public void move( NextInterceptor next, LdapDN oriChildName, LdapDN newParentName, String newRn, boolean deleteOldRn )
         throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
@@ -755,8 +785,8 @@
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
-        Name newName = ( Name ) newParentName.clone();
+        LdapDN userName = parseNormalized( principal.getName() );
+        LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( newRn );
 
         // bypass authz code if we are disabled
@@ -767,7 +797,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
             next.move( oriChildName, newParentName, newRn, deleteOldRn );
             tupleCache.subentryRenamed( oriChildName, newName );
@@ -824,16 +854,16 @@
     }
 
 
-    public void move( NextInterceptor next, Name oriChildName, Name newParentName ) throws NamingException
+    public void move( NextInterceptor next, LdapDN oriChildName, LdapDN newParentName ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
-        Name newName = ( Name ) newParentName.clone();
+        LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( oriChildName.get( oriChildName.size() - 1 ) );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
+        LdapDN userName = parseNormalized( principal.getName() );
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -843,7 +873,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
             next.move( oriChildName, newParentName );
             tupleCache.subentryRenamed( oriChildName, newName );
@@ -875,13 +905,13 @@
     public static final SearchControls DEFUALT_SEARCH_CONTROLS = new SearchControls();
 
 
-    public NamingEnumeration list( NextInterceptor next, Name base ) throws NamingException
+    public NamingEnumeration list( NextInterceptor next, LdapDN base ) throws NamingException
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
         LdapPrincipal user = ctx.getPrincipal();
         NamingEnumeration e = next.list( base );
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
+        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
         {
             return e;
         }
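Review bot: `list` is the only interceptor method in this commit whose admin bypass still compares the unparsed `user.getName()` against `ADMIN_PRINCIPAL_NORMALIZED`; without going through `parseNormalized` the string is whatever form the bind supplied, so the equality is fragile in exactly the way the rest of the commit set out to fix. Suggest `LdapDN principalDn = parseNormalized( user.getName() );` before the check and comparing `principalDn.toNormName()`. Note too that `next.list( base )` is executed before the bypass decision, so the enumeration is always produced even when it is about to be filtered; that is pre-existing, but worth a comment. `list`'s body continues beyond this hunk.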
@@ -890,18 +920,21 @@
     }
 
 
-    public NamingEnumeration search( NextInterceptor next, Name base, Map env, ExprNode filter,
+    public NamingEnumeration search( NextInterceptor next, LdapDN base, Map env, ExprNode filter,
         SearchControls searchCtls ) throws NamingException
     {
         Invocation invocation = InvocationStack.getInstance().peek();
         ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
         LdapPrincipal user = ctx.getPrincipal();
+        LdapDN principalDn = new LdapDN( user.getName() );
+        principalDn.normalize();
+        
         NamingEnumeration e = next.search( base, env, filter, searchCtls );
 
-        boolean isSubschemaSubentryLookup = subschemaSubentryDn.equals( base.toString() );
+        boolean isSubschemaSubentryLookup = subschemaSubentryDn.equals( base.toNormName() );
         boolean isRootDSELookup = base.size() == 0 && searchCtls.getSearchScope() == SearchControls.OBJECT_SCOPE;
-        if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled || isRootDSELookup
-            || isSubschemaSubentryLookup )
+        if ( principalDn.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled || 
+            isRootDSELookup || isSubschemaSubentryLookup )
         {
             return e;
         }
@@ -910,21 +943,21 @@
     }
 
 
-    public boolean compare( NextInterceptor next, Name name, String oid, Object value ) throws NamingException
+    public boolean compare( NextInterceptor next, LdapDN name, String oid, Object value ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
+        LdapDN userName = parseNormalized( principal.getName() );
 
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
+        if ( userName.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
         {
             return next.compare( name, oid, value );
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( userName.toNormName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
@@ -939,36 +972,28 @@
     }
 
 
-    public Name getMatchedName( NextInterceptor next, Name dn, boolean normalized ) throws NamingException
+    public LdapDN getMatchedName ( NextInterceptor next, LdapDN dn ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        Name userName = dnParser.parse( principal.getName() );
-        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || !enabled )
+        LdapDN userName = parseNormalized( principal.getName() );
+        if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
         {
-            return next.getMatchedName( dn, normalized );
+            return next.getMatchedName( dn );
         }
 
         // get the present matched name
         Attributes entry;
-        Name matched = next.getMatchedName( dn, normalized );
+        LdapDN matched = next.getMatchedName( dn );
 
         // check if we have disclose on error permission for the entry at the matched dn
         // if not remove rdn and check that until nothing is left in the name and return
         // that but if permission is granted then short the process and return the dn
         while ( matched.size() > 0 )
         {
-            if ( normalized )
-            {
-                entry = proxy.lookup( matched, DirectoryPartitionNexusProxy.GETMATCHEDDN_BYPASS );
-            }
-            else
-            {
-                entry = proxy.lookup( matched, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
-            }
-
+            entry = proxy.lookup( matched, DirectoryPartitionNexusProxy.GETMATCHEDDN_BYPASS );
             Set userGroups = groupCache.getGroups( userName.toString() );
             Collection tuples = new HashSet();
             addPerscriptiveAciTuples( proxy, tuples, matched, entry );
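Review bot: `groupCache.getGroups( userName.toString() )` on the unchanged line after the lookup still keys the group cache with `toString()`, whereas every other `getGroups` call in this commit was switched to `userName.toNormName()`; if the cache is keyed by normalized DN, as the other call sites suggest, this method sees the user as a member of no groups, any group-based disclose-on-error grant is silently not applied, and the matched-name walk strips more of the name than it should. Change it to `Set userGroups = groupCache.getGroups( userName.toNormName() );` for consistency. Dropping the `normalized` flag also means the lookup always uses `GETMATCHEDDN_BYPASS`, which is fine only if `dn` is always normalized now; the new `LdapDN` signature implies that but does not enforce it, so a comment stating the precondition would help. The method's body continues beyond this hunk.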
@@ -988,13 +1013,13 @@
     }
 
 
-    public void cacheNewGroup( String upName, Name normName, Attributes entry ) throws NamingException
+    public void cacheNewGroup( String upName, LdapDN normName, Attributes entry ) throws NamingException
     {
         this.groupCache.groupAdded( upName, normName, entry );
     }
 
 
-    private boolean filter( Invocation invocation, Name normName, SearchResult result ) throws NamingException
+    private boolean filter( Invocation invocation, LdapDN normName, SearchResult result ) throws NamingException
     {
         /*
          * First call hasPermission() for entry level "Browse" and "ReturnDN" perm
@@ -1003,8 +1028,8 @@
          */
         Attributes entry = invocation.getProxy().lookup( normName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
-        Name userDn = dnParser.parse( ctx.getPrincipal().getName() );
-        Set userGroups = groupCache.getGroups( userDn.toString() );
+        LdapDN userDn = parseNormalized( ctx.getPrincipal().getName() );
+        Set userGroups = groupCache.getGroups( userDn.toNormName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, entry );
         addEntryAciTuples( tuples, entry );
@@ -1061,35 +1086,16 @@
         return true;
     }
 
+
     /**
      * WARNING: create one of these filters fresh every time for each new search.
      */
     class AuthorizationFilter implements SearchResultFilter
     {
-        /** dedicated normalizing parser for this search - cheaper than synchronization */
-        final DnParser parser;
-
-
-        public AuthorizationFilter() throws NamingException
-        {
-            parser = new DnParser( new ConcreteNameComponentNormalizer( attrRegistry ) );
-        }
-
-
         public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
             throws NamingException
         {
-            Name normName = parser.parse( result.getName() );
-
-            // looks like isRelative returns true even when the names for results are absolute!!!!
-            // @todo this is a big bug in JNDI provider
-
-            //            if ( result.isRelative() )
-            //            {
-            //                Name base = parser.parse( ctx.getNameInNamespace() );
-            //                normName = base.addAll( normName );
-            //            }
-
+            LdapDN normName = parseNormalized( result.getName() );
             return filter( invocation, normName, result );
         }
     }
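Review bot: The class comment `WARNING: create one of these filters fresh every time for each new search` is now stale: the per-search `DnParser` field and constructor that justified it are removed in this hunk, and `accept` only calls the enclosing service's `parseNormalized` and `filter`, so the filter no longer carries any per-search state. Replace it with something like `/** Filters search results through the enclosing service's access check; holds no per-search state. */`. Because the class still needs the enclosing instance for those two calls, keeping it a non-static inner class is correct here.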

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java Tue Jun 13 20:22:05 2006
@@ -40,11 +40,9 @@
 import org.apache.directory.server.core.invocation.InvocationStack;
 import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.server.core.partition.DirectoryPartitionNexus;
-import org.apache.directory.server.core.schema.AttributeTypeRegistry;
-import org.apache.directory.server.core.schema.ConcreteNameComponentNormalizer;
 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
 import org.apache.directory.shared.ldap.filter.ExprNode;
-import org.apache.directory.shared.ldap.name.DnParser;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -61,22 +59,24 @@
     /**
      * the administrator's distinguished {@link Name}
      */
-    private static final Name ADMIN_DN = DirectoryPartitionNexus.getAdminName();
+    private static LdapDN ADMIN_DN;
 
     /**
      * the base distinguished {@link Name} for all users
      */
-    private static final Name USER_BASE_DN = DirectoryPartitionNexus.getUsersBaseName();
+    private static LdapDN USER_BASE_DN;
+    private static LdapDN USER_BASE_DN_NORMALIZED;
 
     /**
      * the base distinguished {@link Name} for all groups
      */
-    private static final Name GROUP_BASE_DN = DirectoryPartitionNexus.getGroupsBaseName();
+    private static LdapDN GROUP_BASE_DN;
+    private static LdapDN GROUP_BASE_DN_NORMALIZED;
 
     /**
      * the name parser used by this service
      */
-    private DnParser dnParser;
+    //private DnParser dnParser;
     private boolean enabled = true;
 
 
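Review bot: `ADMIN_DN`, `USER_BASE_DN`, `USER_BASE_DN_NORMALIZED`, `GROUP_BASE_DN` and `GROUP_BASE_DN_NORMALIZED` have lost `final` and become mutable statics that are written from the instance method `init()` in the next hunk; every new instance overwrites values shared by all instances, and the fields are no longer safely published. Since they are only assigned in `init()`, make them plain instance fields (`private LdapDN adminDn;` and so on) or keep them `final` statics initialised once. The commented-out `//private DnParser dnParser;` here, and the two commented-out lines at the top of `init()` in the next hunk, should be deleted rather than kept as dead code; the field Javadoc `the name parser used by this service` now documents nothing.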
@@ -90,11 +90,18 @@
 
     public void init( DirectoryServiceConfiguration factoryCfg, InterceptorConfiguration cfg ) throws NamingException
     {
-        AttributeTypeRegistry atr = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry();
-        dnParser = new DnParser( new ConcreteNameComponentNormalizer( atr ) );
+        //AttributeTypeRegistry atr = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry();
+        //dnParser = new DnParser( new ConcreteNameComponentNormalizer( atr ) );
 
         // disable this static module if basic access control mechanisms are enabled
         enabled = !factoryCfg.getStartupConfiguration().isAccessControlEnabled();
+        ADMIN_DN = DirectoryPartitionNexus.getAdminName(); 
+        
+        USER_BASE_DN = DirectoryPartitionNexus.getUsersBaseName();
+        USER_BASE_DN_NORMALIZED = LdapDN.normalize( USER_BASE_DN );
+        
+        GROUP_BASE_DN = DirectoryPartitionNexus.getGroupsBaseName();
+        GROUP_BASE_DN_NORMALIZED = LdapDN.normalize( GROUP_BASE_DN );
     }
 
 
@@ -102,7 +109,7 @@
     //    Lookup, search and list operations need to be handled using a filter
     // and so we need access to the filter service.
 
-    public void delete( NextInterceptor nextInterceptor, Name name ) throws NamingException
+    public void delete( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
     {
         if ( !enabled )
         {
@@ -152,7 +159,7 @@
      * the provider for optimization purposes so there is no reason for us to
      * start to constrain it.
      */
-    public boolean hasEntry( NextInterceptor nextInterceptor, Name name ) throws NamingException
+    public boolean hasEntry( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
     {
         return super.hasEntry( nextInterceptor, name );
     }
@@ -168,7 +175,7 @@
      * users to self access these resources.  As far as we're concerned no one but
      * the admin needs access.
      */
-    public void modify( NextInterceptor nextInterceptor, Name name, int modOp, Attributes attrs )
+    public void modify( NextInterceptor nextInterceptor, LdapDN name, int modOp, Attributes attrs )
         throws NamingException
     {
         if ( enabled )
@@ -186,7 +193,7 @@
      * self access these resources.  As far as we're concerned no one but the admin
      * needs access.
      */
-    public void modify( NextInterceptor nextInterceptor, Name name, ModificationItem[] items ) throws NamingException
+    public void modify( NextInterceptor nextInterceptor, LdapDN name, ModificationItem[] items ) throws NamingException
     {
         if ( enabled )
         {
@@ -196,19 +203,20 @@
     }
 
 
-    private void protectModifyAlterations( Name dn ) throws LdapNoPermissionException
+    private void protectModifyAlterations( LdapDN dn ) throws NamingException
     {
-        Name principalDn = getPrincipal().getJndiName();
+        LdapDN principalDn = new LdapDN( getPrincipal().getJndiName() );
+        principalDn.normalize();
 
-        if ( dn.toString().equals( "" ) )
+        if ( dn.size() == 0 )
         {
             String msg = "The rootDSE cannot be modified!";
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( !principalDn.equals( ADMIN_DN ) )
+        if ( !principalDn.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
         {
-            if ( dn.equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+            if ( dn.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to modify the account of the";
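Review bot: `dn.toNormName()` is called on a `dn` that this method never normalizes, while `principalDn` is explicitly copied and `normalize()`d two lines above; if the `modify` callers (outside this hunk) pass the user-provided DN, whether `toNormName()` then yields a comparable form depends on `LdapDN` semantics not visible here, and a mismatch would let the admin-account guard fall through. Either normalize a local copy before the comparison or make the precondition explicit with `@param dn the already normalized DN of the entry being modified`. The method body continues past the end of this hunk.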
@@ -246,7 +254,7 @@
     //  o The administrator entry cannot be moved or renamed by anyone
     // ------------------------------------------------------------------------
 
-    public void modifyRn( NextInterceptor nextInterceptor, Name name, String newRn, boolean deleteOldRn )
+    public void modifyRn( NextInterceptor nextInterceptor, LdapDN name, String newRn, boolean deleteOldRn )
         throws NamingException
     {
         if ( enabled )
@@ -257,7 +265,7 @@
     }
 
 
-    public void move( NextInterceptor nextInterceptor, Name oriChildName, Name newParentName ) throws NamingException
+    public void move( NextInterceptor nextInterceptor, LdapDN oriChildName, LdapDN newParentName ) throws NamingException
     {
         if ( enabled )
         {
@@ -267,8 +275,8 @@
     }
 
 
-    public void move( NextInterceptor nextInterceptor, Name oriChildName, Name newParentName, String newRn,
-        boolean deleteOldRn ) throws NamingException
+    public void move( NextInterceptor nextInterceptor, LdapDN oriChildName, LdapDN newParentName, String newRn,
+                      boolean deleteOldRn ) throws NamingException
     {
         if ( enabled )
         {
@@ -316,7 +324,7 @@
     }
 
 
-    public Attributes lookup( NextInterceptor nextInterceptor, Name name ) throws NamingException
+    public Attributes lookup( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
     {
         Attributes attributes = nextInterceptor.lookup( name );
         if ( !enabled || attributes == null )
@@ -329,7 +337,7 @@
     }
 
 
-    public Attributes lookup( NextInterceptor nextInterceptor, Name name, String[] attrIds ) throws NamingException
+    public Attributes lookup( NextInterceptor nextInterceptor, LdapDN name, String[] attrIds ) throws NamingException
     {
         Attributes attributes = nextInterceptor.lookup( name, attrIds );
         if ( !enabled || attributes == null )
@@ -342,45 +350,46 @@
     }
 
 
-    private void protectLookUp( Name dn ) throws NamingException
+    private void protectLookUp( Name normalizedDn ) throws NamingException
     {
         LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
-        Name principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
+        LdapDN principalDn = new LdapDN( ( ( ServerContext ) ctx ).getPrincipal().getJndiName() );
+        principalDn.normalize();
 
         if ( !principalDn.equals( ADMIN_DN ) )
         {
-            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) )
+            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( USER_BASE_DN ) )
             {
                 // allow for self reads
-                if ( dn.toString().equals( principalDn.toString() ) )
+                if ( normalizedDn.toString().equals( principalDn.toString() ) )
                 {
                     return;
                 }
 
-                String msg = "Access to user account '" + dn + "' not permitted";
+                String msg = "Access to user account '" + normalizedDn + "' not permitted";
                 msg += " for user '" + principalDn + "'.  Only the admin can";
                 msg += " access user account information";
                 throw new LdapNoPermissionException( msg );
             }
 
-            if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) )
+            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( GROUP_BASE_DN ) )
             {
                 // allow for self reads
-                if ( dn.toString().equals( principalDn.toString() ) )
+                if ( normalizedDn.toString().equals( principalDn.toString() ) )
                 {
                     return;
                 }
 
-                String msg = "Access to group '" + dn + "' not permitted";
+                String msg = "Access to group '" + normalizedDn + "' not permitted";
                 msg += " for user '" + principalDn + "'.  Only the admin can";
                 msg += " access group information";
                 throw new LdapNoPermissionException( msg );
             }
 
-            if ( dn.equals( ADMIN_DN ) )
+            if ( normalizedDn.equals( ADMIN_DN ) )
             {
                 // allow for self reads
-                if ( dn.toString().equals( principalDn.toString() ) )
+                if ( normalizedDn.toString().equals( principalDn.toString() ) )
                 {
                     return;
                 }
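Review bot: The comparisons in `protectLookUp` mix normalized and un-normalized values: `normalizedDn.startsWith( USER_BASE_DN )` and `normalizedDn.startsWith( GROUP_BASE_DN )` use the raw bases although `init()` computes `USER_BASE_DN_NORMALIZED` and `GROUP_BASE_DN_NORMALIZED` for exactly this purpose, and both `principalDn.equals( ADMIN_DN )` and `normalizedDn.equals( ADMIN_DN )` test a normalized DN against `ADMIN_DN`, which `init()` stores without normalizing. Unless `LdapDN.equals` and `startsWith` normalize internally (not visible here), a comparison that fails to match makes the method fall through and return normally, so a non-admin read of a user or group entry would be permitted rather than refused. Use `normalizedDn.startsWith( USER_BASE_DN_NORMALIZED )`, `normalizedDn.startsWith( GROUP_BASE_DN_NORMALIZED )` and `principalDn.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED )` as `protectModifyAlterations` and `isSearchable` already do. The parameter is also still typed `Name` while every other signature in this file moved to `LdapDN`.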
@@ -394,8 +403,8 @@
     }
 
 
-    public NamingEnumeration search( NextInterceptor nextInterceptor, Name base, Map env, ExprNode filter,
-        SearchControls searchCtls ) throws NamingException
+    public NamingEnumeration search( NextInterceptor nextInterceptor, LdapDN base, Map env, ExprNode filter,
+                                     SearchControls searchCtls ) throws NamingException
     {
         NamingEnumeration e = nextInterceptor.search( base, env, filter, searchCtls );
         if ( !enabled )
@@ -419,7 +428,7 @@
     }
 
 
-    public NamingEnumeration list( NextInterceptor nextInterceptor, Name base ) throws NamingException
+    public NamingEnumeration list( NextInterceptor nextInterceptor, LdapDN base ) throws NamingException
     {
         NamingEnumeration e = nextInterceptor.list( base );
         if ( !enabled )
@@ -441,32 +450,47 @@
 
     private boolean isSearchable( Invocation invocation, SearchResult result ) throws NamingException
     {
-        Name dn;
-        Name principalDn = ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName();
+        LdapDN principalDn = ( LdapDN ) ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName();
+        principalDn.normalize();
 
-        synchronized ( dnParser )
-        {
-            dn = dnParser.parse( result.getName() );
-            principalDn = dnParser.parse( principalDn.toString() );
-        }
-
-        if ( !principalDn.equals( ADMIN_DN ) )
-        {
-            if ( dn.size() > 2 )
-            {
-            	if ( ( dn.startsWith( USER_BASE_DN ) && ( !dn.equals( principalDn )  )) || dn.startsWith( GROUP_BASE_DN ) )
-                {
-                    return false;
-                }
-            }
-
-            if ( dn.equals( ADMIN_DN ) )
+        LdapDN dn;
+        dn = new LdapDN( result.getName() );
+        dn.normalize();
+
+        boolean isAdmin = principalDn.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
+        
+        // Admin user gets full access to all entries
+        if ( isAdmin )
+        {
+            return true;
+        }
+        
+        // Users reading their own entries should be allowed to see all
+        boolean isSelfRead = dn.toNormName().equals( principalDn.toNormName() );
+        if ( isSelfRead )
+        {
+            return true;
+        }
+        
+        // Block off reads to anything under ou=users and ou=groups if not a self read
+        if ( dn.size() > 2 )
+        {
+            // stuff this if in here instead of up in outer if to prevent 
+            // constant needless reexecution for all entries in other depths
+            
+            if ( dn.toNormName().endsWith( USER_BASE_DN_NORMALIZED.toNormName() ) 
+                || dn.toNormName().endsWith( GROUP_BASE_DN_NORMALIZED.toNormName() ) )
             {
                 return false;
             }
-
         }
-
+        
+        // Non-admin users cannot read the admin entry
+        if ( dn.toNormName().equals( DirectoryPartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        {
+            return false;
+        }
+        
         return true;
     }
 }
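Review bot: `( LdapDN ) ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName()` followed by `principalDn.normalize()` normalizes the principal's own `Name` object in place and throws `ClassCastException` if `getJndiName()` ever returns another `Name` implementation; `protectLookUp` in the previous hunk takes a copy instead, `LdapDN principalDn = new LdapDN( ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName() );`, and this method should do the same. The ou=users / ou=groups test has also changed from the component-wise `dn.startsWith( USER_BASE_DN )` of the removed code to a plain string suffix match on `toNormName()`; `dn.startsWith( USER_BASE_DN_NORMALIZED ) || dn.startsWith( GROUP_BASE_DN_NORMALIZED )` keeps the structural check and reads more clearly. The comment `stuff this if in here instead of up in outer if` refers to an outer `if` that no longer exists and should be dropped.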

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java Tue Jun 13 20:22:05 2006
@@ -19,11 +19,9 @@
 
 import org.apache.directory.server.core.DirectoryServiceConfiguration;
 import org.apache.directory.server.core.partition.DirectoryPartitionNexus;
-import org.apache.directory.server.core.schema.ConcreteNameComponentNormalizer;
 import org.apache.directory.shared.ldap.filter.BranchNode;
 import org.apache.directory.shared.ldap.filter.SimpleNode;
-import org.apache.directory.shared.ldap.name.DnParser;
-import org.apache.directory.shared.ldap.name.LdapName;
+import org.apache.directory.shared.ldap.name.LdapDN;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -61,8 +59,6 @@
     private final DirectoryPartitionNexus nexus;
     /** the env to use for searching */
     private final Hashtable env;
-    /** the normalizing Dn parser for member names */
-    private DnParser parser;
 
 
     /**
@@ -74,12 +70,18 @@
     {
         this.nexus = factoryCfg.getPartitionNexus();
         this.env = ( Hashtable ) factoryCfg.getEnvironment().clone();
-        this.parser = new DnParser( new ConcreteNameComponentNormalizer( factoryCfg.getGlobalRegistries()
-            .getAttributeTypeRegistry() ) );
         initialize();
     }
 
 
+    private LdapDN parseNormalized( String name ) throws NamingException
+    {
+        LdapDN dn = new LdapDN( name );
+        dn.normalize();
+        return dn;
+    }
+
+
     private void initialize() throws NamingException
     {
         // search all naming contexts for static groups and generate
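Review bot: `parseNormalized` is a new private helper without a Javadoc, and an identical method is added to `TupleCache` in this same commit (its hunk `@@ -86,25 +84,33 @@`); one shared static helper would avoid the duplication. At minimum document it here, e.g. `/** Parses {@code name} into an {@link LdapDN} and normalizes it in place. @throws NamingException if the name cannot be parsed or normalized */`. Unlike the `DnParser` it replaces, nothing here ties normalization to this instance's `AttributeTypeRegistry`, so the helper presumably depends on `LdapDN.normalize()` resolving attribute types some other way, which is worth confirming.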
@@ -89,11 +91,11 @@
         filter.addNode( new SimpleNode( OC_ATTR, GROUPOFNAMES_OC, SimpleNode.EQUALITY ) );
         filter.addNode( new SimpleNode( OC_ATTR, GROUPOFUNIQUENAMES_OC, SimpleNode.EQUALITY ) );
 
-        Iterator suffixes = nexus.listSuffixes( true );
+        Iterator suffixes = nexus.listSuffixes();
         while ( suffixes.hasNext() )
         {
             String suffix = ( String ) suffixes.next();
-            Name baseDn = new LdapName( suffix );
+            LdapDN baseDn = new LdapDN( suffix );
             SearchControls ctls = new SearchControls();
             ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
             NamingEnumeration results = nexus.search( baseDn, env, filter, ctls );
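Review bot: `LdapDN baseDn = new LdapDN( suffix );` is handed to `nexus.search` without normalization, while the equivalent line in `TupleCache.initialize` in this commit uses `parseNormalized( suffix )`. Whether the nexus expects a normalized base is not visible here, but the two callers should agree; `LdapDN baseDn = parseNormalized( suffix );` matches the helper introduced just above.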
@@ -102,7 +104,7 @@
             {
                 SearchResult result = ( SearchResult ) results.next();
                 String groupDn = result.getName();
-                groupDn = parser.parse( groupDn ).toString();
+                groupDn = parseNormalized( groupDn ).toString();
                 Attribute members = getMemberAttribute( result.getAttributes() );
 
                 if ( members != null )
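Review bot: `groupDn = parseNormalized( groupDn ).toString();` keys the cache by `toString()` of the normalized DN, yet `TupleCache` in this same commit switches its map key from `normName.toString()` to `normName.toNormName()`, which suggests `toString()` returns the user-provided rather than the normalized form; if so the group cache keys would no longer be normalized and membership lookups could miss. The same pattern appears in the three later hunks of this file (`memberDn = parseNormalized( memberDn ).toString();` twice and `member = parseNormalized( member ).toString();`). Using `.toNormName()` in all four places keeps the keys consistent with `TupleCache`.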
@@ -182,7 +184,7 @@
 
             try
             {
-                memberDn = parser.parse( memberDn ).toString();
+                memberDn = parseNormalized( memberDn ).toString();
             }
             catch ( NamingException e )
             {
@@ -210,7 +212,7 @@
 
             try
             {
-                memberDn = parser.parse( memberDn ).toString();
+                memberDn = parseNormalized( memberDn ).toString();
             }
             catch ( NamingException e )
             {
@@ -401,7 +403,7 @@
     {
         try
         {
-            member = parser.parse( member ).toString();
+            member = parseNormalized( member ).toString();
         }
         catch ( NamingException e )
         {
@@ -432,7 +434,7 @@
                     memberGroups = new HashSet();
                 }
 
-                memberGroups.add( new LdapName( group ) );
+                memberGroups.add( new LdapDN( group ) );
             }
         }
 

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java Tue Jun 13 20:22:05 2006
@@ -33,14 +33,14 @@
 import org.apache.directory.server.core.partition.DirectoryPartitionNexus;
 import org.apache.directory.server.core.schema.AttributeTypeRegistry;
 import org.apache.directory.server.core.schema.ConcreteNameComponentNormalizer;
+import org.apache.directory.server.core.schema.OidRegistry;
 import org.apache.directory.shared.ldap.aci.ACIItem;
 import org.apache.directory.shared.ldap.aci.ACIItemParser;
 import org.apache.directory.shared.ldap.exception.LdapSchemaViolationException;
 import org.apache.directory.shared.ldap.filter.ExprNode;
 import org.apache.directory.shared.ldap.filter.SimpleNode;
 import org.apache.directory.shared.ldap.message.ResultCodeEnum;
-import org.apache.directory.shared.ldap.name.DnParser;
-import org.apache.directory.shared.ldap.name.LdapName;
+import org.apache.directory.shared.ldap.name.LdapDN;
 import org.apache.directory.shared.ldap.name.NameComponentNormalizer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -74,8 +74,6 @@
     private final DirectoryPartitionNexus nexus;
     /** a normalizing ACIItem parser */
     private final ACIItemParser aciParser;
-    /** a normalizing DN parser */
-    private final DnParser dnParser;
 
 
     /**
@@ -86,25 +84,33 @@
     public TupleCache(DirectoryServiceConfiguration factoryCfg) throws NamingException
     {
         this.nexus = factoryCfg.getPartitionNexus();
-        AttributeTypeRegistry registry = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry();
-        NameComponentNormalizer ncn = new ConcreteNameComponentNormalizer( registry );
+        AttributeTypeRegistry attributeRegistry = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry();
+        OidRegistry oidRegistry = factoryCfg.getGlobalRegistries().getOidRegistry();
+        NameComponentNormalizer ncn = new ConcreteNameComponentNormalizer( attributeRegistry, oidRegistry );
         aciParser = new ACIItemParser( ncn );
-        dnParser = new DnParser( ncn );
         env = ( Hashtable ) factoryCfg.getEnvironment().clone();
         initialize();
     }
 
+    
+    private LdapDN parseNormalized( String name ) throws NamingException
+    {
+        LdapDN dn = new LdapDN( name );
+        dn.normalize();
+        return dn;
+    }
+
 
     private void initialize() throws NamingException
     {
         // search all naming contexts for access control subentenries
         // generate ACITuple Arrays for each subentry
         // add that subentry to the hash
-        Iterator suffixes = nexus.listSuffixes( true );
+        Iterator suffixes = nexus.listSuffixes();
         while ( suffixes.hasNext() )
         {
             String suffix = ( String ) suffixes.next();
-            Name baseDn = new LdapName( suffix );
+            LdapDN baseDn = parseNormalized( suffix );
             ExprNode filter = new SimpleNode( OC_ATTR, ACSUBENTRY_OC, SimpleNode.EQUALITY );
             SearchControls ctls = new SearchControls();
             ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
@@ -120,7 +126,7 @@
                     continue;
                 }
 
-                Name normName = dnParser.parse( subentryDn );
+                LdapDN normName = parseNormalized( subentryDn );
                 subentryAdded( subentryDn, normName, result.getAttributes() );
             }
             results.close();
@@ -147,7 +153,7 @@
     }
 
 
-    public void subentryAdded( String upName, Name normName, Attributes entry ) throws NamingException
+    public void subentryAdded( String upName, LdapDN normName, Attributes entry ) throws NamingException
     {
         // only do something if the entry contains prescriptiveACI
         Attribute aci = entry.get( ACI_ATTR );
@@ -173,7 +179,7 @@
 
             entryTuples.addAll( item.toTuples() );
         }
-        tuples.put( normName.toString(), entryTuples );
+        tuples.put( normName.toNormName(), entryTuples );
     }
 
 
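Review bot: `tuples.put( normName.toNormName(), entryTuples )` changes the map key from `toString()` to the normalized string, but the matching removal in `subentryDeleted` and any lookup by entry name are outside this hunk and must use the same `toNormName()` key, otherwise stale ACI tuples remain cached after a subentry is modified or deleted. The `subentryModified` hunks below call `subentryDeleted( normName, entry )` before `subentryAdded`, so a key mismatch there would leave two entries for one subentry.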
@@ -188,7 +194,7 @@
     }
 
 
-    public void subentryModified( Name normName, ModificationItem[] mods, Attributes entry ) throws NamingException
+    public void subentryModified( LdapDN normName, ModificationItem[] mods, Attributes entry ) throws NamingException
     {
         if ( !hasPrescriptiveACI( entry ) )
         {
@@ -203,12 +209,12 @@
         if ( isAciModified )
         {
             subentryDeleted( normName, entry );
-            subentryAdded( normName.toString(), normName, entry );
+            subentryAdded( normName.toUpName(), normName, entry );
         }
     }
 
 
-    public void subentryModified( Name normName, int modOp, Attributes mods, Attributes entry ) throws NamingException
+    public void subentryModified( LdapDN normName, int modOp, Attributes mods, Attributes entry ) throws NamingException
     {
         if ( !hasPrescriptiveACI( entry ) )
         {
@@ -218,7 +224,7 @@
         if ( mods.get( ACI_ATTR ) != null )
         {
             subentryDeleted( normName, entry );
-            subentryAdded( normName.toString(), normName, entry );
+            subentryAdded( normName.toUpName(), normName, entry );
         }
     }
 

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Tue Jun 13 20:22:05 2006
@@ -21,7 +21,6 @@
 
 import java.util.*;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
@@ -33,11 +32,10 @@
 import org.apache.directory.server.core.subtree.RefinementEvaluator;
 import org.apache.directory.server.core.subtree.RefinementLeafEvaluator;
 import org.apache.directory.server.core.subtree.SubtreeEvaluator;
-import org.apache.directory.shared.ldap.aci.ACIItem;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -84,7 +82,8 @@
 
         filters = new ACITupleFilter[]
             { new RelatedUserClassFilter( subtreeEvaluator ),
-                new RelatedProtectedItemFilter( refinementEvaluator, entryEvaluator ), new MaxValueCountFilter(),
+                new RelatedProtectedItemFilter( refinementEvaluator, entryEvaluator, oidRegistry, attrTypeRegistry ), 
+                new MaxValueCountFilter(),
                 new MaxImmSubFilter(), new RestrictedByFilter(), new MicroOperationFilter(),
                 new HighestPrecedenceFilter(), new MostSpecificUserClassFilter(),
                 new MostSpecificProtectedItemFilter(), };
@@ -99,18 +98,18 @@
      * @param proxy the proxy to the partition nexus
      * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
      * @param username the DN of the user who is trying to access the resource
-     * @param entryName the DN of the entry the user is trying to access 
+     * @param entryName the DN of the entry the user is trying to access
      * @param attrId the attribute type of the attribute the user is trying to access.
      *               <tt>null</tt> if the user is not accessing a specific attribute type.
      * @param attrValue the attribute value of the attribute the user is trying to access.
      *                  <tt>null</tt> if the user is not accessing a specific attribute value.
-     * @param microOperations the {@link MicroOperation}s to perform
-     * @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
+     * @param microOperations the {@link org.apache.directory.shared.ldap.aci.MicroOperation}s to perform
+     * @param aciTuples {@link org.apache.directory.shared.ldap.aci.ACITuple}s translated from {@link org.apache.directory.shared.ldap.aci.ACIItem}s in the subtree entries
      * @throws NamingException if failed to evaluate ACI items
      */
-    public void checkPermission( DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name username,
-        AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue,
-        Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
+    public void checkPermission( DirectoryPartitionNexusProxy proxy, Collection userGroupNames, LdapDN username,
+                                 AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId, Object attrValue,
+                                 Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
     {
         if ( !hasPermission( proxy, userGroupNames, username, authenticationLevel, entryName, attrId, attrValue,
             microOperations, aciTuples, entry ) )
@@ -143,17 +142,17 @@
      * @param proxy the proxy to the partition nexus
      * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
      * @param userName the DN of the user who is trying to access the resource
-     * @param entryName the DN of the entry the user is trying to access 
+     * @param entryName the DN of the entry the user is trying to access
      * @param attrId the attribute type of the attribute the user is trying to access.
      *               <tt>null</tt> if the user is not accessing a specific attribute type.
      * @param attrValue the attribute value of the attribute the user is trying to access.
      *                  <tt>null</tt> if the user is not accessing a specific attribute value.
-     * @param microOperations the {@link MicroOperation}s to perform
-     * @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
+     * @param microOperations the {@link org.apache.directory.shared.ldap.aci.MicroOperation}s to perform
+     * @param aciTuples {@link org.apache.directory.shared.ldap.aci.ACITuple}s translated from {@link org.apache.directory.shared.ldap.aci.ACIItem}s in the subtree entries
      */
-    public boolean hasPermission( DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName,
-        AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue,
-        Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
+    public boolean hasPermission( DirectoryPartitionNexusProxy proxy, Collection userGroupNames, LdapDN userName,
+                                  AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId, Object attrValue,
+                                  Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
     {
         if ( entryName == null )
         {

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Tue Jun 13 20:22:05 2006
@@ -28,6 +28,7 @@
 import org.apache.directory.server.core.partition.DirectoryPartitionNexusProxy;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -61,7 +62,8 @@
      * @throws NamingException if failed to filter the specifiec tuples
      */
     Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                       Collection userGroupNames, LdapDN userName, Attributes userEntry,
+                       AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId,
+                       Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException;
 }

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Tue Jun 13 20:22:05 2006
@@ -22,13 +22,13 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
 import org.apache.directory.server.core.partition.DirectoryPartitionNexusProxy;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -41,8 +41,8 @@
 public class HighestPrecedenceFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+                              LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( tuples.size() <= 1 )

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java Tue Jun 13 20:22:05 2006
@@ -21,7 +21,6 @@
 
 import java.util.*;
 
-import javax.naming.Name;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
@@ -33,6 +32,7 @@
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.filter.ExprNode;
 import org.apache.directory.shared.ldap.filter.PresenceNode;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -57,8 +57,8 @@
 
 
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+                              LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( entryName.size() == 0 )
@@ -125,13 +125,13 @@
     }
 
 
-    private int getImmSubCount( DirectoryPartitionNexusProxy proxy, Name entryName ) throws NamingException
+    private int getImmSubCount( DirectoryPartitionNexusProxy proxy, LdapDN entryName ) throws NamingException
     {
         int cnt = 0;
         NamingEnumeration e = null;
         try
         {
-            e = proxy.search( entryName.getPrefix( 1 ), new HashMap(), childrenFilter, childrenSearchControls,
+            e = proxy.search( ( LdapDN ) entryName.getPrefix( 1 ), new HashMap(), childrenFilter, childrenSearchControls,
                 SEARCH_BYPASS );
 
             while ( e.hasMore() )
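Review bot: The new cast `( LdapDN ) entryName.getPrefix( 1 )` in the proxy.search call assumes that LdapDN.getPrefix returns an LdapDN rather than some other javax.naming.Name implementation; if that is not guaranteed, every maxImmSub evaluation would fail with a ClassCastException instead of a NamingException. If LdapDN does guarantee it, a one-line comment such as `// LdapDN.getPrefix() returns an LdapDN, so the cast is safe` would make the assumption visible; otherwise the parent DN should be built explicitly. getImmSubCount's body and its enumeration clean-up continue outside the hunk.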

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java Tue Jun 13 20:22:05 2006
@@ -22,7 +22,6 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
@@ -32,6 +31,7 @@
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.ProtectedItem.MaxValueCountItem;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -44,8 +44,8 @@
 public class MaxValueCountFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+                              LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java Tue Jun 13 20:22:05 2006
@@ -19,10 +19,9 @@
 package org.apache.directory.server.core.authz.support;
 
 
-import java.util.Collection;
+import java.util.Collection;  
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
@@ -30,6 +29,7 @@
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -43,8 +43,8 @@
 public class MicroOperationFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+                              LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( tuples.size() == 0 )

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java Tue Jun 13 20:22:05 2006
@@ -23,7 +23,6 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
@@ -31,6 +30,7 @@
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -51,8 +51,8 @@
 public class MostSpecificProtectedItemFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+                              LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( tuples.size() <= 1 )

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java Tue Jun 13 20:22:05 2006
@@ -23,7 +23,6 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
@@ -31,6 +30,7 @@
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.UserClass;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -49,8 +49,8 @@
 public class MostSpecificUserClassFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+                              LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( tuples.size() <= 1 )

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java Tue Jun 13 20:22:05 2006
@@ -22,19 +22,24 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 
+import org.apache.directory.server.core.ServerUtils;
 import org.apache.directory.server.core.event.Evaluator;
 import org.apache.directory.server.core.partition.DirectoryPartitionNexusProxy;
+import org.apache.directory.server.core.schema.AttributeTypeRegistry;
+import org.apache.directory.server.core.schema.OidRegistry;
 import org.apache.directory.server.core.subtree.RefinementEvaluator;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.ProtectedItem.MaxValueCountItem;
 import org.apache.directory.shared.ldap.aci.ProtectedItem.RestrictedByItem;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import org.apache.directory.shared.ldap.schema.AttributeType;
+import org.apache.directory.shared.ldap.util.AttributeUtils;
 
 
 /**
@@ -48,18 +53,24 @@
 {
     private final RefinementEvaluator refinementEvaluator;
     private final Evaluator entryEvaluator;
+    private final OidRegistry oidRegistry;
+    private final AttributeTypeRegistry attrRegistry;
 
 
-    public RelatedProtectedItemFilter(RefinementEvaluator refinementEvaluator, Evaluator entryEvaluator)
+    public RelatedProtectedItemFilter( RefinementEvaluator refinementEvaluator, Evaluator entryEvaluator, 
+        OidRegistry oidRegistry, AttributeTypeRegistry attrRegistry )
     {
         this.refinementEvaluator = refinementEvaluator;
         this.entryEvaluator = entryEvaluator;
+        this.oidRegistry = oidRegistry;
+        this.attrRegistry = attrRegistry;
     }
 
 
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry,
+                              AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId,
+                              Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( tuples.size() == 0 )
@@ -80,9 +91,15 @@
     }
 
 
-    private boolean isRelated( ACITuple tuple, OperationScope scope, Name userName, Name entryName, String attrId,
-        Object attrValue, Attributes entry ) throws NamingException, InternalError
+    private boolean isRelated( ACITuple tuple, OperationScope scope, LdapDN userName, LdapDN entryName, String attrId,
+                               Object attrValue, Attributes entry ) throws NamingException, InternalError
     {
+        String oid = null;
+        if ( attrId != null )
+        {
+            oid = oidRegistry.getOid( attrId );
+        }
+        
         for ( Iterator i = tuple.getProtectedItems().iterator(); i.hasNext(); )
         {
             ProtectedItem item = ( ProtectedItem ) i.next();
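Review bot: `oid` is left null when attrId is null, yet every comparison that follows is written as `oid.equals( ... )` (the hunks at `if ( oid.equals( oidRegistry.getOid( ( String ) j.next() ) ) )` for AllAttributeValues and AttributeType, at the AttributeValue, MaxValueCount, RestrictedBy and SelfValue branches), so a tuple containing such an item during an entry-scoped operation would throw a NullPointerException out of the access-control check. The old `attrId.equalsIgnoreCase( ... )` had the same exposure, but the explicit null guard added here suggests attrId == null is an expected input, so the comparison should be null-safe, e.g. `if ( oid != null && oid.equals( oidRegistry.getOid( ( String ) j.next() ) ) )` in each branch. It would also help to document in a comment what oidRegistry.getOid does for an attribute name the ACI references but the schema does not know, since that decides whether the evaluation fails closed. isRelated continues outside the hunk.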
@@ -100,10 +117,7 @@
                     continue;
                 }
 
-                if ( isUserAttribute( attrId ) )
-                {
-                    return true;
-                }
+                return true;
             }
             else if ( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES_AND_VALUES )
             {
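Review bot: With the always-true `isUserAttribute` check removed, the ALL_USER_ATTRIBUTE_TYPES branch (and the ALL_USER_ATTRIBUTE_TYPES_AND_VALUES branch in the next hunk) now returns true for any attribute type, operational attributes included; the deleted helper's commented-out body shows the intended distinction was `type.isCanUserModify()`. The behaviour is unchanged by this commit, but since the distinction is no longer visible anywhere in the file, a comment such as `// NOTE: no user/operational attribute distinction is made here; every attribute type matches these items.` would record the decision for whoever next audits the ACI semantics.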
@@ -112,10 +126,7 @@
                     continue;
                 }
 
-                if ( isUserAttribute( attrId ) )
-                {
-                    return true;
-                }
+                return true;
             }
             else if ( item instanceof ProtectedItem.AllAttributeValues )
             {
@@ -127,7 +138,7 @@
                 ProtectedItem.AllAttributeValues aav = ( ProtectedItem.AllAttributeValues ) item;
                 for ( Iterator j = aav.iterator(); j.hasNext(); )
                 {
-                    if ( attrId.equalsIgnoreCase( ( String ) j.next() ) )
+                    if ( oid.equals( oidRegistry.getOid( ( String ) j.next() ) ) )
                     {
                         return true;
                     }
@@ -143,7 +154,7 @@
                 ProtectedItem.AttributeType at = ( ProtectedItem.AttributeType ) item;
                 for ( Iterator j = at.iterator(); j.hasNext(); )
                 {
-                    if ( attrId.equalsIgnoreCase( ( String ) j.next() ) )
+                    if ( oid.equals( oidRegistry.getOid( ( String ) j.next() ) ) )
                     {
                         return true;
                     }
@@ -160,7 +171,10 @@
                 for ( Iterator j = av.iterator(); j.hasNext(); )
                 {
                     Attribute attr = ( Attribute ) j.next();
-                    if ( attrId.equalsIgnoreCase( attr.getID() ) && attr.contains( attrValue ) )
+                    String attrOid = oidRegistry.getOid( attr.getID() );
+                    AttributeType attrType = attrRegistry.lookup( attrOid );
+                    
+                    if ( oid.equals( attrOid ) && AttributeUtils.containsValue( attr, attrValue, attrType ) )
                     {
                         return true;
                     }
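Review bot: `attrRegistry.lookup( attrOid )` is executed for every attribute in the AttributeValue item before the OID comparison, so the schema lookup (and its possible NamingException for an unknown type) happens even for attributes that cannot match. Performing the cheap OID equality first and only then resolving the type keeps the failure surface to the attribute actually being checked, e.g. `if ( oid.equals( attrOid ) )` wrapping `AttributeType attrType = attrRegistry.lookup( attrOid );` and the containsValue test. The enclosing loop and isRelated continue outside the hunk.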
@@ -189,7 +203,7 @@
                 for ( Iterator j = mvc.iterator(); j.hasNext(); )
                 {
                     MaxValueCountItem mvcItem = ( MaxValueCountItem ) j.next();
-                    if ( attrId.equalsIgnoreCase( mvcItem.getAttributeType() ) )
+                    if ( oid.equals( oidRegistry.getOid( mvcItem.getAttributeType() ) ) )
                     {
                         return true;
                     }
@@ -214,7 +228,7 @@
                 for ( Iterator j = rb.iterator(); j.hasNext(); )
                 {
                     RestrictedByItem rbItem = ( RestrictedByItem ) j.next();
-                    if ( attrId.equalsIgnoreCase( rbItem.getAttributeType() ) )
+                    if ( oid.equals( oidRegistry.getOid( rbItem.getAttributeType() ) ) )
                     {
                         return true;
                     }
@@ -231,10 +245,11 @@
                 for ( Iterator j = sv.iterator(); j.hasNext(); )
                 {
                     String svItem = String.valueOf( j.next() );
-                    if ( svItem.equalsIgnoreCase( attrId ) )
+                    if ( oid.equals( oidRegistry.getOid( svItem ) ) )
                     {
-                        Attribute attr = entry.get( attrId );
-                        if ( attr != null && ( attr.contains( userName ) || attr.contains( userName.toString() ) ) )
+                        AttributeType attrType = attrRegistry.lookup( oid );
+                        Attribute attr = ServerUtils.getAttribute( attrType, entry );
+                        if ( attr != null && ( ( attr.contains( userName.toNormName() ) || attr.contains( userName.toUpName() ) ) ) )
                         {
                             return true;
                         }
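Review bot: The SelfValue branch looks up `attrType` but then tests membership with plain `attr.contains( userName.toNormName() ) || attr.contains( userName.toUpName() )`, which is a string comparison against whatever form the DN was stored in; a DN that names the same user with different case or spacing than either of those two forms will not match, so the tuple will not be treated as related. The AttributeValue branch in the earlier hunk of this same method uses `AttributeUtils.containsValue( attr, attrValue, attrType )` with the schema type in hand; if that helper performs matching-rule-aware comparison, using it here (`AttributeUtils.containsValue( attr, userName.toNormName(), attrType )`) would make the two branches consistent and the self check less sensitive to DN formatting. Please confirm what containsValue does for DN-syntax attributes before relying on it.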
@@ -248,29 +263,5 @@
         }
 
         return false;
-    }
-
-
-    private final boolean isUserAttribute( String attrId )
-    {
-        /* Not used anymore.  Just retaining in case of resurrection. */
-        return true;
-
-        /*
-         try
-         {
-         AttributeType type = attrTypeRegistry.lookup( attrId );
-         if( type != null && type.isCanUserModify() )
-         {
-         return true;
-         }
-         }
-         catch( NamingException e )
-         {
-         // Ignore
-         }
-
-         return false;
-         */
     }
 }

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java Tue Jun 13 20:22:05 2006
@@ -22,7 +22,6 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
@@ -31,7 +30,7 @@
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.UserClass;
-import org.apache.directory.shared.ldap.name.LdapName;
+import org.apache.directory.shared.ldap.name.LdapDN;
 import org.apache.directory.shared.ldap.subtree.SubtreeSpecification;
 
 
@@ -44,7 +43,7 @@
  */
 public class RelatedUserClassFilter implements ACITupleFilter
 {
-    private static final LdapName ROOTDSE_NAME = LdapName.EMPTY_LDAP_NAME;
+    private static final LdapDN ROOTDSE_NAME = LdapDN.EMPTY_LDAPDN;
 
     private final SubtreeEvaluator subtreeEvaluator;
 
@@ -56,8 +55,8 @@
 
 
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+        Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+        LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( tuples.size() == 0 )
@@ -91,7 +90,7 @@
     }
 
 
-    private boolean isRelated( Collection userGroupNames, Name userName, Attributes userEntry, Name entryName,
+    private boolean isRelated( Collection userGroupNames, LdapDN userName, Attributes userEntry, LdapDN entryName,
         Collection userClasses ) throws NamingException
     {
         for ( Iterator i = userClasses.iterator(); i.hasNext(); )
@@ -121,7 +120,7 @@
                 UserClass.UserGroup userGroupUserClass = ( UserClass.UserGroup ) userClass;
                 for ( Iterator j = userGroupNames.iterator(); j.hasNext(); )
                 {
-                    Name userGroupName = ( Name ) j.next();
+                    LdapDN userGroupName = ( LdapDN ) j.next();
                     if ( userGroupName != null && userGroupUserClass.getNames().contains( userGroupName ) )
                     {
                         return true;
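Review bot: `LdapDN userGroupName = ( LdapDN ) j.next();` narrows the cast from Name to LdapDN, and the match that follows is `userGroupUserClass.getNames().contains( userGroupName )`, which depends on equals between the element types held in getNames() and LdapDN; if the ACI parser populates that collection with a different Name implementation, or if LdapDN.equals is not normalised, the userGroup user class would silently never match (fail closed for grants, but also for denies). It would be worth a comment stating which type getNames() holds and that LdapDN equality is the intended comparison, e.g. `// getNames() holds LdapDN instances; equality is the normalised-DN comparison` once confirmed. The enclosing isRelated method continues outside the hunk.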
@@ -146,7 +145,7 @@
     }
 
 
-    private boolean matchUserClassSubtree( Name userName, Attributes userEntry, UserClass.Subtree subtree )
+    private boolean matchUserClassSubtree( LdapDN userName, Attributes userEntry, UserClass.Subtree subtree )
         throws NamingException
     {
         for ( Iterator i = subtree.getSubtreeSpecifications().iterator(); i.hasNext(); )

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java?rev=414035&r1=414034&r2=414035&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java Tue Jun 13 20:22:05 2006
@@ -22,7 +22,6 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
@@ -32,6 +31,7 @@
 import org.apache.directory.shared.ldap.aci.AuthenticationLevel;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.ProtectedItem.RestrictedByItem;
+import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -44,8 +44,8 @@
 public class RestrictedByFilter implements ACITupleFilter
 {
     public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
-        Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
-        Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
+                              Collection userGroupNames, LdapDN userName, Attributes userEntry, AuthenticationLevel authenticationLevel,
+                              LdapDN entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations )
         throws NamingException
     {
         if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )


