Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 35141 invoked from network); 9 Mar 2007 04:13:21 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 9 Mar 2007 04:13:21 -0000 Received: (qmail 7018 invoked by uid 500); 9 Mar 2007 04:13:29 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 6959 invoked by uid 500); 9 Mar 2007 04:13:29 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 6948 invoked by uid 99); 9 Mar 2007 04:13:29 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 08 Mar 2007 20:13:29 -0800 X-ASF-Spam-Status: No, hits=-99.5 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 08 Mar 2007 20:13:20 -0800 Received: by eris.apache.org (Postfix, from userid 65534) id E2C601A983E; Thu, 8 Mar 2007 20:12:59 -0800 (PST) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r516288 [2/2] - in /directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support: ./ bind/ Date: Fri, 09 Mar 2007 04:12:59 -0000 To: commits@directory.apache.org 
From: erodriguez@apache.org
X-Mailer: svnmailer-1.1.0
Message-Id: <20070309041259.E2C601A983E@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Added: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java?view=auto&rev=516288
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java (added)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java Thu Mar 8 20:12:57 2007
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.ldap.support.bind;
+
+
+import org.apache.directory.shared.ldap.message.BindRequest;
+import org.apache.directory.shared.ldap.message.BindResponse;
+import org.apache.directory.shared.ldap.message.LdapResult;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.mina.common.IoSession;
+import org.apache.mina.handler.chain.IoHandlerCommand;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * @author Apache Directory Project
+ * @version $Rev$, $Date$
+ */
+public class ReturnSuccess implements IoHandlerCommand
+{
+ private static final Logger log = LoggerFactory.getLogger( ReturnSuccess.class );
+
+ private static final String SASL_STATE = "saslState";
+
+ // Server has bound, specifically the bind requires QoP processing on all messages (similar to SSL).
+ private static final Boolean SASL_STATE_BOUND = true;
+
+
+ public void execute( NextCommand next, IoSession session, Object message ) throws Exception
+ {
+ /*
+ * We have now both authenticated the client and retrieved a JNDI context for them.
+ * We can return a success message to the client.
+ */
+ BindRequest request = ( BindRequest ) message;
+ LdapResult result = request.getResultResponse().getLdapResult();
+
+ byte[] tokenBytes = ( byte[] ) session.getAttribute( "saslCreds" );
+
+ result.setResultCode( ResultCodeEnum.SUCCESS );
+ BindResponse response = ( BindResponse ) request.getResultResponse();
+ response.setServerSaslCreds( tokenBytes );
+ session.write( response );
+
+ log.debug( "Returned SUCCESS message." );
+
+ String sessionMechanism = ( String ) session.getAttribute( "sessionMechanism" );
+
+ /*
+ * This is how we tell the SaslFilter to turn on.
+ */
+ if ( sessionMechanism.equals( "DIGEST-MD5" ) || sessionMechanism.equals( "GSSAPI" ) )
+ {
+ log.debug( "Enabling SaslFilter to engage negotiated security layer." );
+ session.setAttribute( SASL_STATE, SASL_STATE_BOUND );
+ }
+
+ next.execute( session, message );
+ }
+}
Propchange: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/ReturnSuccess.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java?view=auto&rev=516288
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java (added)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java Thu Mar 8 20:12:57 2007
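Review bot: `sessionMechanism.equals( "DIGEST-MD5" )` dereferences the `"sessionMechanism"` attribute without a null check, so a session that reaches this command without the attribute fails with a NullPointerException rather than a clear error; the constant-first form `if ( "DIGEST-MD5".equals( sessionMechanism ) || "GSSAPI".equals( sessionMechanism ) )` avoids that. The keys `"saslCreds"` and `"sessionMechanism"` are bare literals while `SASL_STATE` is a named constant shared with SaslFilter; giving them the same treatment protects against a silent mismatch with whichever command stores them. The order `session.write( response )` before `session.setAttribute( SASL_STATE, SASL_STATE_BOUND )` appears deliberate — the final BindResponse has to go out in the clear and the security layer applies only to later traffic (RFC 4422 §3.7) — but nothing in the code says so; a comment like `// Write the final BindResponse before enabling the layer: per RFC 4422 the security layer starts after the last response of the exchange.` would stop a later reorder from breaking the handshake. That ordering also relies on the write passing through SaslFilter on this thread before the flag is set, which is worth confirming for the MINA version in use.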
@@ -0,0 +1,175 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.ldap.support.bind;
+
+
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+
+import org.apache.mina.common.ByteBuffer;
+import org.apache.mina.common.IoFilterAdapter;
+import org.apache.mina.common.IoSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * An {@link IoFilterAdapter} that handles privacy and confidentiality protection
+ * for a SASL bound session.
+ *
+ * @author Apache Directory Project
+ * @version $Rev$, $Date$
+ */
+public class SaslFilter extends IoFilterAdapter
+{
+ private static final Logger log = LoggerFactory.getLogger( SaslFilter.class );
+
+ private static final String SASL_CONTEXT = "saslContext";
+ private static final String SASL_STATE = "saslState";
+
+
+ public void messageReceived( NextFilter nextFilter, IoSession session, Object message ) throws SaslException
+ {
+ log.debug( "Message received: " + message );
+
+ /*
+ * Guard clause: check if in SASL bound mode.
+ */
+ Boolean useSasl = ( Boolean ) session.getAttribute( SASL_STATE );
+
+ if ( useSasl == null || !useSasl.booleanValue() )
+ {
+ log.debug( "Will not use SASL on received message." );
+ nextFilter.messageReceived( session, message );
+ return;
+ }
+
+ /*
+ * Unwrap the data for mechanisms that support QoP (DIGEST-MD5, GSSAPI).
+ */
+ SaslServer context = getContext( session );
+ String qop = ( String ) context.getNegotiatedProperty( Sasl.QOP );
+ boolean hasSecurityLayer = ( qop != null && ( qop.equals( "auth-int" ) || qop.equals( "auth-conf" ) ) );
+
+ if ( hasSecurityLayer )
+ {
+ /*
+ * Get the buffer as bytes. First 4 bytes are length as int.
+ */
+ ByteBuffer buf = ( ByteBuffer ) message;
+ int bufferLength = buf.getInt();
+ byte[] bufferBytes = new byte[bufferLength];
+ buf.get( bufferBytes );
+
+ log.debug( "Will use SASL to unwrap received message of length: " + bufferLength );
+ byte[] token = context.unwrap( bufferBytes, 0, bufferBytes.length );
+ nextFilter.messageReceived( session, ByteBuffer.wrap( token ) );
+ }
+ else
+ {
+ log.debug( "Will not use SASL on received message." );
+ nextFilter.messageReceived( session, message );
+ }
+ }
+
+
+ public void filterWrite( NextFilter nextFilter, IoSession session, WriteRequest writeRequest ) throws SaslException
+ {
+ log.debug( "Filtering write request: " + writeRequest );
+
+ /*
+ * Guard clause: check if in SASL bound mode.
+ */
+ Boolean useSasl = ( Boolean ) session.getAttribute( SASL_STATE );
+
+ if ( useSasl == null || !useSasl.booleanValue() )
+ {
+ log.debug( "Will not use SASL on write request." );
+ nextFilter.filterWrite( session, writeRequest );
+ return;
+ }
+
+ /*
+ * Wrap the data for mechanisms that support QoP (DIGEST-MD5, GSSAPI).
+ */
+ SaslServer context = getContext( session );
+ String qop = ( String ) context.getNegotiatedProperty( Sasl.QOP );
+ boolean hasSecurityLayer = ( qop != null && ( qop.equals( "auth-int" ) || qop.equals( "auth-conf" ) ) );
+
+ ByteBuffer saslLayerBuffer = null;
+
+ if ( hasSecurityLayer )
+ {
+ /*
+ * Get the buffer as bytes.
+ */
+ ByteBuffer buf = ( ByteBuffer ) writeRequest.getMessage();
+ int bufferLength = buf.remaining();
+ byte[] bufferBytes = new byte[bufferLength];
+ buf.get( bufferBytes );
+
+ log.debug( "Will use SASL to wrap message of length: " + bufferLength );
+
+ byte[] saslLayer = context.wrap( bufferBytes, 0, bufferBytes.length );
+
+ /*
+ * Prepend 4 byte length.
+ */
+ saslLayerBuffer = ByteBuffer.allocate( 4 + saslLayer.length );
+ saslLayerBuffer.putInt( saslLayer.length );
+ saslLayerBuffer.put( saslLayer );
+ saslLayerBuffer.position( 0 );
+ saslLayerBuffer.limit( 4 + saslLayer.length );
+
+ log.debug( "Sending encrypted token of length " + saslLayerBuffer.limit() );
+ nextFilter.filterWrite( session, new WriteRequest( saslLayerBuffer, writeRequest.getFuture() ) );
+ }
+ else
+ {
+ log.debug( "Will not use SASL on write request." );
+ nextFilter.filterWrite( session, writeRequest );
+ }
+ }
+
+
+ /**
+ * Helper method to get the {@link SaslServer} and perform basic checks.
+ *
+ * @param session The {@link IoSession}
+ * @return {@link SaslServer} The {@link SaslServer} stored in the session.
+ */
+ private SaslServer getContext( IoSession session )
+ {
+ SaslServer context = null;
+
+ if ( session.containsAttribute( SASL_CONTEXT ) )
+ {
+ context = ( SaslServer ) session.getAttribute( SASL_CONTEXT );
+ }
+
+ if ( context == null )
+ {
+ throw new IllegalStateException();
+ }
+
+ return context;
+ }
+}
Propchange: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/SaslFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java?view=auto&rev=516288
==============================================================================
--- directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java (added)
+++ directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java Thu Mar 8 20:12:57 2007
@@ -0,0 +1,8 @@
+/**
+ * Contains the {@link IoHandlerChain} implementing LDAP binds
+ * with Simple and SASL authentication mechanisms.
+ *
+ * @author Apache Directory Project
+ * @version $Rev$, $Date$
+ */
+package org.apache.directory.server.ldap.support.bind;
Propchange: directory/apacheds/branches/apacheds-sasl-branch/protocol-ldap/src/main/java/org/apache/directory/server/ldap/support/bind/package-info.java
------------------------------------------------------------------------------
svn:eol-style = native
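Review bot: In messageReceived the peer-supplied length `int bufferLength = buf.getInt();` is used unchecked to size the array and to drive `buf.get( bufferBytes )`, so a negative or huge value surfaces as NegativeArraySizeException or OutOfMemoryError instead of a SaslException, and a length beyond `buf.remaining()` throws BufferUnderflowException. The filter also treats each MINA buffer as one complete SASL frame: a frame split across TCP reads hits that underflow, and any bytes after the first frame in a read are discarded, so a complete fix needs to accumulate partial frames across reads, which is more than this note can carry; the change below at least bounds the length against the negotiated `Sasl.MAX_BUFFER` and the bytes actually available before allocating. The fence reads `Sasl.MAX_BUFFER` as a String on the assumption that the JDK DIGEST-MD5 and GSSAPI mechanisms return it that way — confirm. Separately, getContext throws a bare `IllegalStateException()`; `throw new IllegalStateException( "No SaslServer stored under " + SASL_CONTEXT );` would make the failure diagnosable.
```java
ByteBuffer buf = ( ByteBuffer ) message;

if ( buf.remaining() < 4 )
{
    throw new SaslException( "SASL buffer shorter than its 4-byte length prefix: " + buf.remaining() );
}

int bufferLength = buf.getInt();

/*
 * The length is peer-supplied: bound it before allocating. Sasl.MAX_BUFFER is the
 * receive size this server negotiated; a negative length, one above that size, or
 * one beyond what has actually arrived is rejected rather than trusted.
 */
String maxBuffer = ( String ) context.getNegotiatedProperty( Sasl.MAX_BUFFER );
int maxReceive = ( maxBuffer != null ) ? Integer.parseInt( maxBuffer ) : buf.remaining();

if ( bufferLength < 0 || bufferLength > maxReceive || bufferLength > buf.remaining() )
{
    throw new SaslException( "Rejected SASL buffer of length " + bufferLength + " (max " + maxReceive + ", available " + buf.remaining() + ")" );
}

byte[] bufferBytes = new byte[bufferLength];
buf.get( bufferBytes );
// … unchanged: debug log, unwrap and forward to nextFilter …
```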