From erodrig...@apache.org
Subject svn commit: r516288 [2/2] - in /directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support: ./ bind/
Date Fri, 09 Mar 2007 04:12:59 GMT
Added: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java?view=auto&rev=516288
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
(added)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
Thu Mar  8 20:12:57 2007
@@ -0,0 +1,78 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.ldap.support.bind;
+
+
+import org.apache.directory.shared.ldap.message.BindRequest;
+import org.apache.directory.shared.ldap.message.BindResponse;
+import org.apache.directory.shared.ldap.message.LdapResult;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.mina.common.IoSession;
+import org.apache.mina.handler.chain.IoHandlerCommand;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class ReturnSuccess implements IoHandlerCommand
+{
+    private static final Logger log = LoggerFactory.getLogger( ReturnSuccess.class );
+
+    private static final String SASL_STATE = "saslState";
+
+    // Server has bound, specifically the bind requires QoP processing on all messages (similar
to SSL).
+    private static final Boolean SASL_STATE_BOUND = true;
+
+
+    public void execute( NextCommand next, IoSession session, Object message ) throws Exception
+    {
+        /*
+         * We have now both authenticated the client and retrieved a JNDI context for them.
+         * We can return a success message to the client.
+         */
+        BindRequest request = ( BindRequest ) message;
+        LdapResult result = request.getResultResponse().getLdapResult();
+
+        byte[] tokenBytes = ( byte[] ) session.getAttribute( "saslCreds" );
+
+        result.setResultCode( ResultCodeEnum.SUCCESS );
+        BindResponse response = ( BindResponse ) request.getResultResponse();
+        response.setServerSaslCreds( tokenBytes );
+        session.write( response );
+
+        log.debug( "Returned SUCCESS message." );
+
+        String sessionMechanism = ( String ) session.getAttribute( "sessionMechanism" );
+
+        /*
+         * This is how we tell the SaslFilter to turn on.
+         */
+        if ( sessionMechanism.equals( "DIGEST-MD5" ) || sessionMechanism.equals( "GSSAPI"
) )
+        {
+            log.debug( "Enabling SaslFilter to engage negotiated security layer." );
+            session.setAttribute( SASL_STATE, SASL_STATE_BOUND );
+        }
+
+        next.execute( session, message );
+    }
+}
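Review bot: `sessionMechanism.equals( "DIGEST-MD5" )` dereferences a session attribute that is read with a cast and never null-checked, so a session that reaches this command without a `sessionMechanism` attribute fails with a NullPointerException instead of a clear error; reversing the comparison makes it null-safe: `if ( "DIGEST-MD5".equals( sessionMechanism ) || "GSSAPI".equals( sessionMechanism ) )`. The attribute keys `"saslCreds"` and `"sessionMechanism"` are inline literals while `saslState` has a constant, which makes it easy for the producer and consumer of these keys to drift; a `SASL_CREDS` and `SESSION_MECHANISM` constant in the same style as `SASL_STATE` would keep them in one place. Whether a non-SASL bind can reach this command is not visible from the hunk, so the null case is inferred rather than shown here.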

Propchange: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java?view=auto&rev=516288
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
(added)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
Thu Mar  8 20:12:57 2007
@@ -0,0 +1,175 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.directory.server.ldap.support.bind;
+
+
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+
+import org.apache.mina.common.ByteBuffer;
+import org.apache.mina.common.IoFilterAdapter;
+import org.apache.mina.common.IoSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * An {@link IoFilterAdapter} that handles privacy and confidentiality protection
+ * for a SASL bound session.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class SaslFilter extends IoFilterAdapter
+{
+    private static final Logger log = LoggerFactory.getLogger( SaslFilter.class );
+
+    private static final String SASL_CONTEXT = "saslContext";
+    private static final String SASL_STATE = "saslState";
+
+
+    public void messageReceived( NextFilter nextFilter, IoSession session, Object message
) throws SaslException
+    {
+        log.debug( "Message received:  " + message );
+
+        /*
+         * Guard clause:  check if in SASL bound mode.
+         */
+        Boolean useSasl = ( Boolean ) session.getAttribute( SASL_STATE );
+
+        if ( useSasl == null || !useSasl.booleanValue() )
+        {
+            log.debug( "Will not use SASL on received message." );
+            nextFilter.messageReceived( session, message );
+            return;
+        }
+
+        /*
+         * Unwrap the data for mechanisms that support QoP (DIGEST-MD5, GSSAPI).
+         */
+        SaslServer context = getContext( session );
+        String qop = ( String ) context.getNegotiatedProperty( Sasl.QOP );
+        boolean hasSecurityLayer = ( qop != null && ( qop.equals( "auth-int" ) ||
qop.equals( "auth-conf" ) ) );
+
+        if ( hasSecurityLayer )
+        {
+            /*
+             * Get the buffer as bytes.  First 4 bytes are length as int.
+             */
+            ByteBuffer buf = ( ByteBuffer ) message;
+            int bufferLength = buf.getInt();
+            byte[] bufferBytes = new byte[bufferLength];
+            buf.get( bufferBytes );
+
+            log.debug( "Will use SASL to unwrap received message of length:  " + bufferLength
);
+            byte[] token = context.unwrap( bufferBytes, 0, bufferBytes.length );
+            nextFilter.messageReceived( session, ByteBuffer.wrap( token ) );
+        }
+        else
+        {
+            log.debug( "Will not use SASL on received message." );
+            nextFilter.messageReceived( session, message );
+        }
+    }
+
+
+    public void filterWrite( NextFilter nextFilter, IoSession session, WriteRequest writeRequest
) throws SaslException
+    {
+        log.debug( "Filtering write request:  " + writeRequest );
+
+        /*
+         * Guard clause:  check if in SASL bound mode.
+         */
+        Boolean useSasl = ( Boolean ) session.getAttribute( SASL_STATE );
+
+        if ( useSasl == null || !useSasl.booleanValue() )
+        {
+            log.debug( "Will not use SASL on write request." );
+            nextFilter.filterWrite( session, writeRequest );
+            return;
+        }
+
+        /*
+         * Wrap the data for mechanisms that support QoP (DIGEST-MD5, GSSAPI).
+         */
+        SaslServer context = getContext( session );
+        String qop = ( String ) context.getNegotiatedProperty( Sasl.QOP );
+        boolean hasSecurityLayer = ( qop != null && ( qop.equals( "auth-int" ) ||
qop.equals( "auth-conf" ) ) );
+
+        ByteBuffer saslLayerBuffer = null;
+
+        if ( hasSecurityLayer )
+        {
+            /*
+             * Get the buffer as bytes.
+             */
+            ByteBuffer buf = ( ByteBuffer ) writeRequest.getMessage();
+            int bufferLength = buf.remaining();
+            byte[] bufferBytes = new byte[bufferLength];
+            buf.get( bufferBytes );
+
+            log.debug( "Will use SASL to wrap message of length:  " + bufferLength );
+
+            byte[] saslLayer = context.wrap( bufferBytes, 0, bufferBytes.length );
+
+            /*
+             * Prepend 4 byte length.
+             */
+            saslLayerBuffer = ByteBuffer.allocate( 4 + saslLayer.length );
+            saslLayerBuffer.putInt( saslLayer.length );
+            saslLayerBuffer.put( saslLayer );
+            saslLayerBuffer.position( 0 );
+            saslLayerBuffer.limit( 4 + saslLayer.length );
+
+            log.debug( "Sending encrypted token of length " + saslLayerBuffer.limit() );
+            nextFilter.filterWrite( session, new WriteRequest( saslLayerBuffer, writeRequest.getFuture()
) );
+        }
+        else
+        {
+            log.debug( "Will not use SASL on write request." );
+            nextFilter.filterWrite( session, writeRequest );
+        }
+    }
+
+
+    /**
+     * Helper method to get the {@link SaslServer} and perform basic checks.
+     *  
+     * @param session The {@link IoSession}
+     * @return {@link SaslServer} The {@link SaslServer} stored in the session.
+     */
+    private SaslServer getContext( IoSession session )
+    {
+        SaslServer context = null;
+
+        if ( session.containsAttribute( SASL_CONTEXT ) )
+        {
+            context = ( SaslServer ) session.getAttribute( SASL_CONTEXT );
+        }
+
+        if ( context == null )
+        {
+            throw new IllegalStateException();
+        }
+
+        return context;
+    }
+}
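Review bot: In `messageReceived` the length prefix read by `buf.getInt()` is taken from the peer and used unchecked as the size of `new byte[bufferLength]`, so a negative value throws NegativeArraySizeException and a very large value lets a single authenticated client force an arbitrarily large allocation before `unwrap` ever sees the data; `buf.get( bufferBytes )` also throws BufferUnderflowException whenever the frame has not completely arrived in this one buffer. The length should be validated against the negotiated SASL receive buffer (`context.getNegotiatedProperty( Sasl.MAX_BUFFER )`, a String in the SASL API, or a fixed server-side cap) and against `buf.remaining()` before allocating, and the failure reported as a SaslException so the session is closed rather than crashing the filter. Reassembling a frame that spans several reads is presumably still needed after that check, but how this filter is placed relative to the codec in the chain is not visible in the hunk. In `filterWrite`, `position( 0 )` followed by `limit( 4 + saslLayer.length )` is the idiom `flip()` expresses directly.
```java
            ByteBuffer buf = ( ByteBuffer ) message;
            int bufferLength = buf.getInt();

            // The length prefix is peer-supplied: bound it before allocating, and
            // refuse a frame that has not fully arrived in this buffer.
            int maxBuffer = /* negotiated Sasl.MAX_BUFFER or a server-side cap (constructed placeholder) */ MAX_SASL_BUFFER;
            if ( bufferLength < 0 || bufferLength > maxBuffer || bufferLength > buf.remaining() )
            {
                throw new SaslException( "Rejected SASL buffer of length " + bufferLength );
            }
            byte[] bufferBytes = new byte[bufferLength];
            buf.get( bufferBytes );
            // … unchanged: debug log, unwrap, pass the token to nextFilter …
```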

Propchange: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java?view=auto&rev=516288
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java
(added)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java
Thu Mar  8 20:12:57 2007
@@ -0,0 +1,8 @@
+/**
+ * Contains the {@link IoHandlerChain} implementing LDAP binds
+ * with Simple and SASL authentication mechanisms.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+package org.apache.directory.server.ldap.support.bind;

Propchange: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java
------------------------------------------------------------------------------
    svn:eol-style = native


