From erodrig...@apache.org
Subject svn commit: r522142 - in /directory/apacheds/branches/apacheds-sasl-branch: protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ server-jndi/src/main/java/org/apache/directory/server/jndi/
Date Sun, 25 Mar 2007 02:04:52 GMT
Author: erodriguez
Date: Sat Mar 24 19:04:51 2007
New Revision: 522142

URL: http://svn.apache.org/viewvc?view=rev&rev=522142
Log:
Enhancement to SASL in the SASL branch:
o  Inserting SaslFilter into IoFilterChain only when needed.

Modified:
    directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
    directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
    directory/apacheds/branches/apacheds-sasl-branch/server-jndi/src/main/java/org/apache/directory/server/jndi/ServerContextFactory.java

Modified: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java?view=diff&rev=522142&r1=522141&r2=522142
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
Sat Mar 24 19:04:51 2007
@@ -20,10 +20,13 @@
 package org.apache.directory.server.ldap.support.bind;
 
 
+import javax.security.sasl.SaslServer;
+
 import org.apache.directory.shared.ldap.message.BindRequest;
 import org.apache.directory.shared.ldap.message.BindResponse;
 import org.apache.directory.shared.ldap.message.LdapResult;
 import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.mina.common.IoFilterChain;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 import org.slf4j.Logger;
@@ -31,6 +34,14 @@
 
 
 /**
+ * An {@link IoHandlerCommand} for finalizing a successful bind.  A successful bind
+ * will require both authentication and LDAP context acquisition.  If the LDAP client
+ * is both authenticated and able to acquire an LDAP context, an LDAP SUCCESS message
+ * is returned.  If the authentication mechanism was either DIGEST-MD5 or GSSAPI, a
+ * {@link SaslFilter} is constructed with the initialized {@link SaslServer} context
+ * and the {@link SaslFilter} is inserted into the {@link IoFilterChain} for this
+ * instance of the LDAP protocol.
+ * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
  */
@@ -38,10 +49,7 @@
 {
     private static final Logger log = LoggerFactory.getLogger( ReturnSuccess.class );
 
-    private static final String SASL_STATE = "saslState";
-
-    // Server has bound, specifically the bind requires QoP processing on all messages (similar
to SSL).
-    private static final Boolean SASL_STATE_BOUND = true;
+    private static final String SASL_CONTEXT = "saslContext";
 
 
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
@@ -58,20 +66,32 @@
         result.setResultCode( ResultCodeEnum.SUCCESS );
         BindResponse response = ( BindResponse ) request.getResultResponse();
         response.setServerSaslCreds( tokenBytes );
-        session.write( response );
-
-        log.debug( "Returned SUCCESS message." );
 
         String sessionMechanism = ( String ) session.getAttribute( "sessionMechanism" );
 
         /*
-         * This is how we tell the SaslFilter to turn on.
+         * If the SASL mechanism is DIGEST-MD5 or GSSAPI, we insert a SASLFilter.
          */
         if ( sessionMechanism.equals( "DIGEST-MD5" ) || sessionMechanism.equals( "GSSAPI"
) )
         {
-            log.debug( "Enabling SaslFilter to engage negotiated security layer." );
-            session.setAttribute( SASL_STATE, SASL_STATE_BOUND );
+            log.debug( "Inserting SaslFilter to engage negotiated security layer." );
+
+            IoFilterChain chain = session.getFilterChain();
+            if ( !chain.contains( "SASL" ) )
+            {
+                SaslServer saslContext = ( SaslServer ) session.getAttribute( SASL_CONTEXT
);
+                chain.addBefore( "codec", "SASL", new SaslFilter( saslContext ) );
+            }
+
+            /*
+             * We disable the SASL security layer once, to write the outbound SUCCESS
+             * message without SASL security layer processing.
+             */
+            session.setAttribute( SaslFilter.DISABLE_SECURITY_LAYER_ONCE, Boolean.TRUE );
         }
+
+        session.write( response );
+        log.debug( "Returned SUCCESS message." );
 
         next.execute( session, message );
     }
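Review bot: The `!chain.contains( "SASL" )` guard around the new filter insertion means that a session which completes a second SASL bind keeps the SaslFilter built from the first bind's `SaslServer`, because the freshly read `saslContext` is discarded whenever a filter named "SASL" is already in the chain; since the filter holds its context as a field, a stale context would wrap and unwrap traffic with the previously negotiated keys. Consider replacing rather than keeping the existing filter, e.g. `if ( chain.contains( "SASL" ) ) { chain.remove( "SASL" ); }` before the `addBefore` call. The `saslContext` read from the session is also passed on unchecked, so a missing attribute surfaces only as the bare `IllegalStateException` thrown by the SaslFilter constructor; an explicit check here with a message such as `"no SASL context in session for mechanism " + sessionMechanism` would make that failure diagnosable. Whether a re-bind on an already bound session reaches this code is not visible in the hunk, and `execute` begins in the preceding hunk.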

Modified: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java?view=diff&rev=522142&r1=522141&r2=522142
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
Sat Mar 24 19:04:51 2007
@@ -32,8 +32,12 @@
 
 
 /**
- * An {@link IoFilterAdapter} that handles privacy and confidentiality protection
- * for a SASL bound session.
+ * An {@link IoFilterAdapter} that handles integrity and confidentiality protection
+ * for a SASL bound session.  The SaslFilter must be constructed with a SASL
+ * context that has completed SASL negotiation.  Some SASL mechanisms, such as
+ * CRAM-MD5, only support authentication and thus do not need this filter.  DIGEST-MD5
+ * and GSSAPI do support message integrity and confidentiality and, therefore,
+ * do need this filter.
  * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
@@ -42,30 +46,46 @@
 {
     private static final Logger log = LoggerFactory.getLogger( SaslFilter.class );
 
-    private static final String SASL_CONTEXT = "saslContext";
-    private static final String SASL_STATE = "saslState";
-
+    /**
+     * A session attribute key that makes next one write request bypass
+     * this filter (not adding a security layer).  This is a marker attribute,
+     * which means that you can put whatever as its value. ({@link Boolean#TRUE}
+     * is preferred.)  The attribute is automatically removed from the session
+     * attribute map as soon as {@link IoSession#write(Object)} is invoked,
+     * and therefore should be put again if you want to make more messages
+     * bypass this filter.
+     */
+    public static final String DISABLE_SECURITY_LAYER_ONCE = SaslFilter.class.getName() +
".DisableSecurityLayerOnce";
 
-    public void messageReceived( NextFilter nextFilter, IoSession session, Object message
) throws SaslException
-    {
-        log.debug( "Message received:  " + message );
+    private SaslServer context;
 
-        /*
-         * Guard clause:  check if in SASL bound mode.
-         */
-        Boolean useSasl = ( Boolean ) session.getAttribute( SASL_STATE );
 
-        if ( useSasl == null || !useSasl.booleanValue() )
+    /**
+     * Creates a new instance of SaslFilter.  The SaslFilter must be constructed
+     * with a SASL context that has completed SASL negotiation.  The SASL context
+     * will be used to provide message integrity and, optionally, message
+     * confidentiality.
+     *
+     * @param context The initialized SASL context.
+     */
+    public SaslFilter( SaslServer context )
+    {
+        if ( context == null )
         {
-            log.debug( "Will not use SASL on received message." );
-            nextFilter.messageReceived( session, message );
-            return;
+            throw new IllegalStateException();
         }
 
+        this.context = context;
+    }
+
+
+    public void messageReceived( NextFilter nextFilter, IoSession session, Object message
) throws SaslException
+    {
+        log.debug( "Message received:  " + message );
+
         /*
          * Unwrap the data for mechanisms that support QoP (DIGEST-MD5, GSSAPI).
          */
-        SaslServer context = getContext( session );
         String qop = ( String ) context.getNegotiatedProperty( Sasl.QOP );
         boolean hasSecurityLayer = ( qop != null && ( qop.equals( "auth-int" ) ||
qop.equals( "auth-conf" ) ) );
 
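Review bot: The constructor rejects a null `context` with `throw new IllegalStateException();`, which is the wrong exception type for an invalid argument and carries no message, so the failure in ReturnSuccess reads as an unexplained state error; `throw new IllegalArgumentException( "SASL context must not be null" );` fits better. The new `private SaslServer context;` field is never reassigned in the visible code and should be `private final SaslServer context;` so the filter's security context cannot be swapped after construction. The Javadoc on `DISABLE_SECURITY_LAYER_ONCE` reads "makes next one write request bypass this filter"; "makes the next write request bypass this filter" is what is meant. `messageReceived` continues past the end of the hunk.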
@@ -96,13 +116,13 @@
         log.debug( "Filtering write request:  " + writeRequest );
 
         /*
-         * Guard clause:  check if in SASL bound mode.
+         * Check if security layer processing should be disabled once.
          */
-        Boolean useSasl = ( Boolean ) session.getAttribute( SASL_STATE );
-
-        if ( useSasl == null || !useSasl.booleanValue() )
+        if ( session.containsAttribute( DISABLE_SECURITY_LAYER_ONCE ) )
         {
-            log.debug( "Will not use SASL on write request." );
+            // Remove the marker attribute because it is temporary.
+            log.debug( "Disabling SaslFilter once; will not use SASL on write request." );
+            session.removeAttribute( DISABLE_SECURITY_LAYER_ONCE );
             nextFilter.filterWrite( session, writeRequest );
             return;
         }
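Review bot: The `DISABLE_SECURITY_LAYER_ONCE` check applies to whichever write request reaches this filter next, not specifically to the bind response that the caller intends to send unprotected; if any other write on the session is issued between the caller setting the marker and its own `session.write`, that message leaves without the security layer and the bind response is then wrapped, which the client cannot decode. The `containsAttribute` followed by `removeAttribute` pair is also check-then-act, and whether the MINA chain serializes `filterWrite` calls per session is not visible here. A marker on the specific write request (for example an attribute on the request object or a wrapper type the filter recognizes) would tie the bypass to the intended message; otherwise the assumption that no other writes are in flight during bind deserves a comment at this branch.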
@@ -110,7 +130,6 @@
         /*
          * Wrap the data for mechanisms that support QoP (DIGEST-MD5, GSSAPI).
          */
-        SaslServer context = getContext( session );
         String qop = ( String ) context.getNegotiatedProperty( Sasl.QOP );
         boolean hasSecurityLayer = ( qop != null && ( qop.equals( "auth-int" ) ||
qop.equals( "auth-conf" ) ) );
 
@@ -147,29 +166,5 @@
             log.debug( "Will not use SASL on write request." );
             nextFilter.filterWrite( session, writeRequest );
         }
-    }
-
-
-    /**
-     * Helper method to get the {@link SaslServer} and perform basic checks.
-     *  
-     * @param session The {@link IoSession}
-     * @return {@link SaslServer} The {@link SaslServer} stored in the session.
-     */
-    private SaslServer getContext( IoSession session )
-    {
-        SaslServer context = null;
-
-        if ( session.containsAttribute( SASL_CONTEXT ) )
-        {
-            context = ( SaslServer ) session.getAttribute( SASL_CONTEXT );
-        }
-
-        if ( context == null )
-        {
-            throw new IllegalStateException();
-        }
-
-        return context;
     }
 }

Modified: directory/apacheds/branches/apacheds-sasl-branch/server-jndi/src/main/java/org/apache/directory/server/jndi/ServerContextFactory.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/server-jndi/src/main/java/org/apache/directory/server/jndi/ServerContextFactory.java?view=diff&rev=522142&r1=522141&r2=522142
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/server-jndi/src/main/java/org/apache/directory/server/jndi/ServerContextFactory.java
(original)
+++ directory/apacheds/branches/apacheds-sasl-branch/server-jndi/src/main/java/org/apache/directory/server/jndi/ServerContextFactory.java
Sat Mar 24 19:04:51 2007
@@ -52,7 +52,6 @@
 import org.apache.directory.server.ldap.ExtendedOperationHandler;
 import org.apache.directory.server.ldap.LdapConfiguration;
 import org.apache.directory.server.ldap.LdapProtocolProvider;
-import org.apache.directory.server.ldap.support.bind.SaslFilter;
 import org.apache.directory.server.ldap.support.ssl.LdapsInitializer;
 import org.apache.directory.server.ntp.NtpConfiguration;
 import org.apache.directory.server.ntp.NtpServer;
@@ -425,7 +424,6 @@
         }
 
         DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
-        chain.addLast( "SASL", new SaslFilter() );
 
         startLDAP0( ldapConfig, env, ldapConfig.getIpPort(), chain );
     }


