
From akaras...@apache.org
Subject svn commit: r584655 - in /directory/apacheds/branches/bigbang/core/src: main/java/org/apache/directory/server/core/ main/java/org/apache/directory/server/core/authn/ main/java/org/apache/directory/server/core/jndi/ test/java/org/apache/directory/server...
Date Mon, 15 Oct 2007 02:09:04 GMT
Author: akarasulu
Date: Sun Oct 14 19:09:03 2007
New Revision: 584655

URL: http://svn.apache.org/viewvc?rev=584655&view=rev
Log:
exposing a means to get a JNDI context and create an LdapPrincipal without the need for authentication:
we will use a security manager to control access to these sensitive operations so stored procedures
cannot hijack the server

Modified:
    directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
    directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java
    directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java
    directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerContext.java
    directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerDirContext.java
    directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java
    directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/interceptor/InterceptorChainTest.java

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java?rev=584655&r1=584654&r2=584655&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
Sun Oct 14 19:09:03 2007
@@ -496,9 +496,27 @@
     }
 
 
-    public DirContext getJndiContext( String rootDN ) throws NamingException
+    public DirContext getJndiContext() throws NamingException
     {
-        return this.getJndiContext( null, null, null, "none", rootDN );
+        return this.getJndiContext( null, null, null, "none", "" );
+    }
+
+
+    public DirContext getJndiContext( String dn ) throws NamingException
+    {
+        return this.getJndiContext( null, null, null, "none", dn );
+    }
+
+
+    public DirContext getJndiContext( LdapPrincipal principal ) throws NamingException
+    {
+        return new ServerLdapContext( this, principal, new LdapDN() );
+    }
+
+
+    public DirContext getJndiContext( LdapPrincipal principal, String dn ) throws NamingException
+    {
+        return new ServerLdapContext( this, principal, new LdapDN( dn ) );
     }
 
 
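Review bot: The new `getJndiContext( LdapPrincipal principal )` and `getJndiContext( LdapPrincipal principal, String dn )` build a `ServerLdapContext` for whatever principal the caller fabricated, and nothing in this hunk checks that the caller may act as that DN; the log entry says a security manager will gate this, so until that lands these two overloads are an open impersonation path for any code that holds the `DirectoryService`. Each should at least refuse a null principal before the context is built, `if ( principal == null ) { throw new IllegalArgumentException( "principal must not be null" ); }`, and carry a Javadoc warning that the method is privileged and must not be reachable from stored-procedure code. The last overload passes `dn` straight into `new LdapDN( dn )`, so whatever that constructor does on a null or malformed string is what callers get — presumably a `NamingException`, which should be documented. The enclosing class continues outside the hunk.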

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java?rev=584655&r1=584654&r2=584655&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java
Sun Oct 14 19:09:03 2007
@@ -20,6 +20,7 @@
 package org.apache.directory.server.core;
 
 
+import org.apache.directory.server.core.authn.LdapPrincipal;
 import org.apache.directory.server.core.interceptor.Interceptor;
 import org.apache.directory.server.core.interceptor.InterceptorChain;
 import org.apache.directory.server.core.jndi.AbstractContextFactory;
@@ -34,7 +35,6 @@
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.DirContext;
-
 import java.io.File;
 import java.util.Hashtable;
 import java.util.List;
@@ -103,10 +103,47 @@
 
 
     /**
-     * Returns an anonymous JNDI {@link Context} with the specified <tt>baseName</tt>
+     * Gets a JNDI {@link Context} to the RootDSE as an anonymous user.
+     * This bypasses authentication within the server.
+     *
+     * @return a JNDI context to the RootDSE
+     * @throws NamingException if failed to create a context
+     */
+    public abstract DirContext getJndiContext() throws NamingException;
+
+
+    /**
+     * Gets a JNDI {@link Context} to a specific entry as an anonymous user.
+     * This bypasses authentication within the server.
+     *
+     * @param dn the distinguished name of the entry
+     * @return a JNDI context to the entry at the specified DN
+     * @throws NamingException if failed to create a context
+     */
+    public abstract DirContext getJndiContext( String dn ) throws NamingException;
+
+
+    /**
+     * Gets a JNDI {@link Context} to the RootDSE as a specific LDAP user principal.
+     * This bypasses authentication within the server.
+     *
+     * @param principal the user to associate with the context
+     * @return a JNDI context to the RootDSE as a specific user
+     * @throws NamingException if failed to create a context
+     */
+    public abstract DirContext getJndiContext( LdapPrincipal principal ) throws NamingException;
+
+
+    /**
+     * Gets a JNDI {@link Context} to a specific entry as a specific LDAP user principal.
+     * This bypasses authentication within the server.
+     *
+     * @param principal the user to associate with the context
+     * @param dn the distinguished name of the entry
+     * @return a JNDI context to the specified entry as a specific user
      * @throws NamingException if failed to create a context
      */
-    public abstract DirContext getJndiContext( String baseName ) throws NamingException;
+    public abstract DirContext getJndiContext( LdapPrincipal principal, String dn ) throws
NamingException;
 
 
     /**
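Review bot: Each of the four new Javadocs says only `This bypasses authentication within the server.` without stating who is allowed to call the method, which is the one thing a reader of the interface needs once the security-manager gate mentioned in the log message exists. Suggest appending to each: `Callers must be trusted server code; this method must not be exposed to stored procedures or other untrusted code.` The `@param dn` text should also say what the empty string means, since the no-arg overload in `DefaultDirectoryService` passes `""` for the RootDSE: `@param dn the distinguished name of the entry; the empty string denotes the RootDSE`.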
@@ -114,13 +151,16 @@
      * (<tt>principal</tt>, <tt>credential</tt>, and <tt>authentication</tt>)
and
      * <tt>baseName</tt>.
      * 
+     * @param principalDn the distinguished name of the bind principal
      * @param principal {@link Context#SECURITY_PRINCIPAL} value
      * @param credential {@link Context#SECURITY_CREDENTIALS} value
      * @param authentication {@link Context#SECURITY_AUTHENTICATION} value
+     * @param dn the distinguished name of the entry
+     * @return a JNDI context to the specified entry as a specific user
      * @throws NamingException if failed to create a context
      */
     public abstract DirContext getJndiContext( LdapDN principalDn, String principal, byte[]
credential,
-        String authentication, String baseName ) throws NamingException;
+        String authentication, String dn ) throws NamingException;
 
 
     public abstract void setInstanceId( String instanceId );

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java?rev=584655&r1=584654&r2=584655&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java
Sun Oct 14 19:09:03 2007
@@ -50,7 +50,9 @@
     /** the authentication level for this principal */
     private final AuthenticationLevel authenticationLevel;
     
-    /** The userPassword */
+    /** The userPassword
+     * @todo security risk remove this immediately
+     */
     private byte[] userPassword;
 
 
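Review bot: The field comment now admits `userPassword` is a security risk but the field stays, and `ServerContext` stores the principal on every context it creates and returns it from `getPrincipal()`, so the raw password bytes presumably travel with each JNDI context handed out (whether they are readable depends on an accessor not shown in this diff). `@todo` is also not a standard Javadoc tag, so the warning is dropped or flagged by the doclet unless `-tag todo` is configured; a `// TODO` comment or a `@deprecated` note on the three-argument constructor would survive. Suggested field comment: `/** The userPassword. Security risk: this principal is propagated into every ServerContext, so the raw credential travels with each context — remove as soon as callers no longer need it. */`.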
@@ -60,7 +62,7 @@
      * trusted principal.
      *
      * @param name the normalized distinguished name of the principal
-     * @param authenticationLevel
+     * @param authenticationLevel the authentication level for this principal
      */
     public LdapPrincipal( LdapDN name, AuthenticationLevel authenticationLevel )
     {
@@ -75,7 +77,7 @@
      * trusted principal.
      *
      * @param name the normalized distinguished name of the principal
-     * @param authenticationLevel
+     * @param authenticationLevel the authentication level for this principal
      * @param userPassword The user password
      */
     public LdapPrincipal( LdapDN name, AuthenticationLevel authenticationLevel, byte[] userPassword
)
@@ -90,7 +92,7 @@
      * Creates a principal for the no name anonymous user whose DN is the empty
      * String.
      */
-    private LdapPrincipal()
+    public LdapPrincipal()
     {
         name = new LdapDN();
         authenticationLevel = AuthenticationLevel.NONE;
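Review bot: The no-argument constructor goes from private to public but its Javadoc is unchanged, so a reader cannot tell why arbitrary code may now build the anonymous principal, presumably to pair with the new `DirectoryService.getJndiContext( LdapPrincipal )` overloads. Since the two-argument constructor was already public, the added exposure is small, but the intent should be recorded: `Creates a principal for the no name anonymous user whose DN is the empty String. Public so that trusted server code can obtain an anonymous context via DirectoryService.getJndiContext( LdapPrincipal ).` The constructor body continues outside the hunk.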

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerContext.java?rev=584655&r1=584654&r2=584655&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerContext.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerContext.java
Sun Oct 14 19:09:03 2007
@@ -20,49 +20,10 @@
 package org.apache.directory.server.core.jndi;
 
 
-import java.io.Serializable;
-import java.util.HashSet;
-import java.util.Hashtable;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import javax.naming.Context;
-import javax.naming.InvalidNameException;
-import javax.naming.Name;
-import javax.naming.NameNotFoundException;
-import javax.naming.NameParser;
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.Reference;
-import javax.naming.Referenceable;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.SearchControls;
-import javax.naming.directory.SearchResult;
-import javax.naming.event.EventContext;
-import javax.naming.event.NamingListener;
-import javax.naming.ldap.Control;
-import javax.naming.spi.DirStateFactory;
-import javax.naming.spi.DirectoryManager;
-
 import org.apache.directory.server.core.DirectoryService;
 import org.apache.directory.server.core.authn.AuthenticationInterceptor;
 import org.apache.directory.server.core.authn.LdapPrincipal;
-import org.apache.directory.server.core.interceptor.context.AddOperationContext;
-import org.apache.directory.server.core.interceptor.context.BindOperationContext;
-import org.apache.directory.server.core.interceptor.context.DeleteOperationContext;
-import org.apache.directory.server.core.interceptor.context.EntryOperationContext;
-import org.apache.directory.server.core.interceptor.context.GetRootDSEOperationContext;
-import org.apache.directory.server.core.interceptor.context.ListOperationContext;
-import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
-import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
-import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
-import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
-import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
-import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
+import org.apache.directory.server.core.interceptor.context.*;
 import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.server.core.partition.PartitionNexusProxy;
 import org.apache.directory.shared.ldap.constants.JndiPropertyConstants;
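Review bot: Replacing the explicit imports with `javax.naming.*`, `javax.naming.directory.*`, `java.util.*` and `...interceptor.context.*` is a style regression for this file: a reader can no longer see which names the class depends on, and any future type added to one of those packages with a name already used here becomes a silent ambiguity at compile time. Suggest restoring the explicit list this hunk removes, or at least keeping `java.util` and `javax.naming` explicit since those two broad packages are the most likely to collide. The same wildcard style appears in the third hunk of this file.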
@@ -71,8 +32,8 @@
 import org.apache.directory.shared.ldap.exception.LdapSchemaViolationException;
 import org.apache.directory.shared.ldap.filter.ExprNode;
 import org.apache.directory.shared.ldap.filter.PresenceNode;
-import org.apache.directory.shared.ldap.message.AttributesImpl;
 import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
 import org.apache.directory.shared.ldap.message.ModificationItemImpl;
 import org.apache.directory.shared.ldap.message.ResultCodeEnum;
 import org.apache.directory.shared.ldap.name.AttributeTypeAndValue;
@@ -81,6 +42,16 @@
 import org.apache.directory.shared.ldap.util.AttributeUtils;
 import org.apache.directory.shared.ldap.util.StringTools;
 
+import javax.naming.*;
+import javax.naming.directory.*;
+import javax.naming.event.EventContext;
+import javax.naming.event.NamingListener;
+import javax.naming.ldap.Control;
+import javax.naming.spi.DirStateFactory;
+import javax.naming.spi.DirectoryManager;
+import java.io.Serializable;
+import java.util.*;
+
 
 /**
  * A non-federated abstract Context implementation.
@@ -173,17 +144,19 @@
      *
      * @param principal the directory user principal that is propagated
      * @param dn the distinguished name of this context
+     * @param service the directory service core
+     * @throws NamingException if there is a problem creating the new context
      */
-    @SuppressWarnings(value={"unchecked"})
-    protected ServerContext(DirectoryService service, LdapPrincipal principal, Name dn) throws
NamingException
+    public ServerContext( DirectoryService service, LdapPrincipal principal, Name dn ) throws
NamingException
     {
         this.service = service;
         this.dn = ( LdapDN ) dn.clone();
 
-        this.env = ( Hashtable<String, Object> ) service.getEnvironment().clone();
+        this.env = new Hashtable<String, Object>();
+        this.env.putAll( service.getEnvironment() );
         this.env.put( PROVIDER_URL, dn.toString() );
+        this.env.put( DirectoryService.JNDI_KEY, service );
         this.nexusProxy = new PartitionNexusProxy( this, service );
-
         this.principal = principal;
     }
     
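Review bot: `this.env.put( DirectoryService.JNDI_KEY, service )` places the live `DirectoryService` into the context's JNDI environment, and a JNDI `Context` exposes that table through `getEnvironment()` and commonly propagates it to derived contexts, so any code that can obtain this context — or a copy of its environment — now also gets the core service and with it the unauthenticated `getJndiContext( LdapPrincipal )` overloads added in this commit; that widens exactly the surface the log entry says a security manager must later protect. If the entry is needed internally, a comment should say who reads it and why, e.g. `// core reference for internal consumers of this environment; visible via getEnvironment() — guard once the security manager exists`. The constructor is also widened from protected to public with no Javadoc note on who may construct a context directly; the same widening is made in `ServerDirContext`.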
@@ -201,6 +174,8 @@
     
     /**
      * Used to encapsulate [de]marshalling of controls before and after add operations.
+     * @param attributes
+     * @param target
      */
     protected void doAddOperation( LdapDN target, Attributes attributes ) throws NamingException
     {
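Review bot: The added `@param attributes` and `@param target` tags carry no description, which is worse than no tag at all because the doclet treats them as documented; the same empty tags appear in the delete and search hunks that follow (`@param target`, `@param dn`, `@param env`, `@param filter`, `@param searchControls`, and a bare `@return`). Either fill them in from the signature — `@param target the DN of the entry to add`, `@param attributes the attributes of the new entry` — or leave them out. Further down, `@param wrapper the wrapper - has to go` and `@todo get ride of` on `setPrincipal` should read `@param wrapper the trusted wrapper carrying the principal to set` and `rid`, and the `getPrincipal` summary `Gets the principal of the authenticated user which also happens to own` is a truncated sentence that the new `@return` now sits under.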
@@ -219,6 +194,7 @@
     
     /**
      * Used to encapsulate [de]marshalling of controls before and after delete operations.
+     * @param target
      */
     protected void doDeleteOperation( LdapDN target ) throws NamingException
     {
@@ -237,8 +213,13 @@
     
     /**
      * Used to encapsulate [de]marshalling of controls before and after list operations.
+     * @param dn
+     * @param env
+     * @param filter
+     * @param searchControls
+     * @return
      */
-    protected NamingEnumeration<SearchResult> doSearchOperation( LdapDN dn, Map env,
ExprNode filter, SearchControls searchControls ) 
+    protected NamingEnumeration<SearchResult> doSearchOperation( LdapDN dn, Map env,
ExprNode filter, SearchControls searchControls )
         throws NamingException
     {
         // setup the op context and populate with request controls
@@ -430,14 +411,18 @@
 
     
     /**
-     * Get's a handle on the root context of the DIT.  The RootDSE as the present user.
-     * @throws NamingException 
+     * Gets a handle on the root context of the DIT.  The RootDSE as the present user.
+     *
+     * @return the rootDSE context
+     * @throws NamingException if this fails
      */
     public abstract ServerContext getRootContext() throws NamingException;
     
     
     /**
-     * Returns the {@link DirectoryService} which manages this context.
+     * Gets the {@link DirectoryService} associated with this context.
+     *
+     * @return the directory service associated with this context
      */
     public DirectoryService getService()
     {
@@ -447,6 +432,8 @@
 
     /**
      * Gets the principal of the authenticated user which also happens to own
+     *
+     * @return the principal associated with this context
      */
     public LdapPrincipal getPrincipal()
     {
@@ -460,6 +447,9 @@
      * method has been changed to be public but it can only be set by the
      * AuthenticationInterceptor to prevent malicious code from changing the
      * effective principal.
+     *
+     * @param wrapper the wrapper - has to go
+     * @todo get ride of using this wrapper and protect this call with a security manager
      */
     public void setPrincipal( AuthenticationInterceptor.TrustedPrincipalWrapper wrapper )
     {
@@ -502,11 +492,9 @@
      */
     public void close() throws NamingException
     {
-        Iterator list = listeners.iterator();
-        while ( list.hasNext() )
+        for ( NamingListener listener : listeners )
         {
-            ( ( PartitionNexusProxy ) this.nexusProxy ).removeNamingListener( this, ( NamingListener
) list
-                .next() );
+            ( ( PartitionNexusProxy ) this.nexusProxy ).removeNamingListener( this, listener
);
         }
     }
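Review bot: The rewritten `close()` iterates `listeners` with a for-each while calling `removeNamingListener( this, listener )` on each; if that method removes the listener from this same `listeners` collection (its body is not in the hunk), the iterator throws `ConcurrentModificationException` part-way and the remaining listeners are never detached — a hazard the old `Iterator` loop shared, but this rewrite was the moment to fix it. Iterating a snapshot avoids it: `for ( NamingListener listener : new ArrayList<NamingListener>( listeners ) )` (`java.util.*` is already imported by this commit). If `removeNamingListener` does not touch `listeners`, a one-line comment saying so would stop the next reader asking the same question.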
 
@@ -881,7 +869,7 @@
         Object obj;
         LdapDN target = buildTarget( name );
         
-        Attributes attributes = null;
+        Attributes attributes;
         
         if ( name.size() == 0 )
         {

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerDirContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerDirContext.java?rev=584655&r1=584654&r2=584655&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerDirContext.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/jndi/ServerDirContext.java
Sun Oct 14 19:09:03 2007
@@ -98,7 +98,7 @@
      * @param principal the principal which is propagated
      * @param dn the distinguished name of this context
      */
-    protected ServerDirContext(DirectoryService service, LdapPrincipal principal, Name dn)
throws NamingException
+    public ServerDirContext( DirectoryService service, LdapPrincipal principal, Name dn )
throws NamingException
     {
         super( service, principal, dn );
     }

Modified: directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java?rev=584655&r1=584654&r2=584655&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java
Sun Oct 14 19:09:03 2007
@@ -23,6 +23,7 @@
 import junit.framework.Assert;
 import junit.framework.TestCase;
 import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.authn.LdapPrincipal;
 import org.apache.directory.server.core.schema.SchemaManager;
 import org.apache.directory.server.core.interceptor.Interceptor;
 import org.apache.directory.server.core.interceptor.InterceptorChain;
@@ -37,7 +38,6 @@
 import org.apache.directory.shared.ldap.message.AttributesImpl;
 import org.apache.directory.shared.ldap.name.LdapDN;
 
-import javax.naming.Context;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
@@ -256,6 +256,12 @@
         }
 
 
+        public DirContext getJndiContext() throws NamingException
+        {
+            return null;
+        }
+
+
         public DirectoryService getDirectoryService()
         {
             return null;
@@ -263,6 +269,18 @@
 
 
         public DirContext getJndiContext( String baseName ) throws NamingException
+        {
+            return null;
+        }
+
+
+        public DirContext getJndiContext( LdapPrincipal principal ) throws NamingException
+        {
+            return null;
+        }
+
+
+        public DirContext getJndiContext( LdapPrincipal principal, String dn ) throws NamingException
         {
             return null;
         }

Modified: directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/interceptor/InterceptorChainTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/interceptor/InterceptorChainTest.java?rev=584655&r1=584654&r2=584655&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/interceptor/InterceptorChainTest.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/interceptor/InterceptorChainTest.java
Sun Oct 14 19:09:03 2007
@@ -22,6 +22,7 @@
 
 import junit.framework.TestCase;
 import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.authn.LdapPrincipal;
 import org.apache.directory.server.core.schema.SchemaManager;
 import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
 import org.apache.directory.server.core.invocation.Invocation;
@@ -319,6 +320,12 @@
         }
 
 
+        public DirContext getJndiContext() throws NamingException
+        {
+            return null;
+        }
+
+
         public DirectoryService getDirectoryService()
         {
             return null;
@@ -326,6 +333,18 @@
 
 
         public DirContext getJndiContext( String baseName ) throws NamingException
+        {
+            return null;
+        }
+
+
+        public DirContext getJndiContext( LdapPrincipal principal ) throws NamingException
+        {
+            return null;
+        }
+
+
+        public DirContext getJndiContext( LdapPrincipal principal, String dn ) throws NamingException
         {
             return null;
         }


