directory-commits mailing list archives

From akaras...@apache.org
Subject svn commit: r613608 [5/15] - in /directory/sandbox/akarasulu/bigbang/apacheds: ./ bootstrap-plugin/ bootstrap-plugin/src/main/java/org/apache/directory/server/core/bootstrap/plugin/ core-entry/ core-entry/src/main/java/org/apache/directory/server/core/...
Date Sun, 20 Jan 2008 16:59:36 GMT
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java Sun Jan 20 08:59:10 2008
@@ -30,6 +30,7 @@
 import java.util.Set;
 
 import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.entry.ServerEntry;
 import org.apache.directory.server.core.interceptor.BaseInterceptor;
 import org.apache.directory.server.core.interceptor.Interceptor;
 import org.apache.directory.server.core.interceptor.NextInterceptor;
@@ -54,7 +55,6 @@
 import org.apache.directory.shared.ldap.exception.LdapAuthenticationException;
 import org.apache.directory.shared.ldap.message.MessageTypeEnum;
 import org.apache.directory.shared.ldap.name.LdapDN;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
 import org.apache.directory.shared.ldap.util.StringTools;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -197,7 +197,7 @@
         if ( IS_DEBUG )
         {
             LOG.debug( "Adding the entry " +
-                    AttributeUtils.toString( opContext.getEntry() ) +
+                    opContext.getEntry() +
                     " for DN = '" + opContext.getDn().getUpName() + "'" );
         }
 
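Review bot: The debug statement in this hunk writes the whole entry being added to the log, and an added entry can carry `userPassword` or other credential attributes, so turning on debug logging may copy secrets into log files. What is printed now depends on `ServerEntry.toString()`, which this diff does not show. Logging only the DN, for example `LOG.debug( "Adding the entry for DN = '{}'", opContext.getDn().getUpName() );`, or redacting password attributes before printing, would avoid that. The enclosing method starts and ends outside the hunk.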
@@ -231,7 +231,7 @@
     }
 
 
-    public Attributes getRootDSE( NextInterceptor next, GetRootDSEOperationContext opContext ) throws NamingException
+    public ServerEntry getRootDSE( NextInterceptor next, GetRootDSEOperationContext opContext ) throws NamingException
     {
         if ( IS_DEBUG )
         {

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java Sun Jan 20 08:59:10 2008
@@ -23,8 +23,6 @@
 import java.io.Serializable;
 import java.security.Principal;
 
-import javax.naming.Name;
-
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.name.LdapDN;
 import org.apache.directory.shared.ldap.util.StringTools;

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java Sun Jan 20 08:59:10 2008
@@ -32,8 +32,6 @@
 
 import javax.naming.Context;
 import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
 
 import org.apache.commons.collections.map.LRUMap;
 import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
@@ -50,8 +48,14 @@
 import org.apache.directory.server.core.schema.SchemaInterceptor;
 import org.apache.directory.server.core.subtree.SubentryInterceptor;
 import org.apache.directory.server.core.collective.CollectiveAttributeInterceptor;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerStringValue;
+import org.apache.directory.server.core.entry.ServerValue;
 import org.apache.directory.server.core.event.EventInterceptor;
 import org.apache.directory.server.core.trigger.TriggerInterceptor;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.constants.LdapSecurityConstants;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
@@ -185,7 +189,7 @@
      * @return A byte array which can be empty if the password was not found
      * @throws NamingException If we have a problem during the lookup operation
      */
-    private LdapPrincipal getStoredPassword( LdapDN principalDN ) throws NamingException
+    private LdapPrincipal getStoredPassword( Registries registries, LdapDN principalDN ) throws NamingException
     {
         LdapPrincipal principal;
         String principalNorm = principalDN.getNormName();
@@ -201,7 +205,7 @@
         {
             // Not found in the cache
             // Get the user password from the backend
-            storedPassword = lookupUserPassword( principalDN );
+            storedPassword = lookupUserPassword( registries, principalDN );
             
             
             // Deal with the special case where the user didn't enter a password
@@ -304,7 +308,7 @@
         // ---- extract password from JNDI environment
         byte[] credentials = getCredentials( ctx );
         
-        LdapPrincipal principal = getStoredPassword( principalDn );
+        LdapPrincipal principal = getStoredPassword( getDirectoryService().getRegistries(), principalDn );
         
         // Get the stored password, either from cache or from backend
         byte[] storedPassword = principal.getUserPassword();
@@ -573,19 +577,22 @@
      * @return the credentials from the backend
      * @throws NamingException if there are problems accessing backend
      */
-    private byte[] lookupUserPassword( LdapDN principalDn ) throws NamingException
+    private byte[] lookupUserPassword( Registries registries, LdapDN principalDn ) throws NamingException
     {
         // ---- lookup the principal entry's userPassword attribute
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes userEntry;
+        ServerEntry userEntry;
 
         try
         {
-            LookupOperationContext lookupContex  = new LookupOperationContext( new String[] { SchemaConstants.USER_PASSWORD_AT } );
+            LookupOperationContext lookupContex  = new LookupOperationContext( registries, new String[] { SchemaConstants.USER_PASSWORD_AT } );
             lookupContex.setDn( principalDn );
             
-            userEntry = proxy.lookup( lookupContex, USERLOOKUP_BYPASS );
+            userEntry = ServerEntryUtils.toServerEntry( 
+                proxy.lookup( lookupContex, USERLOOKUP_BYPASS ), 
+                principalDn,
+                registries );
 
             if ( userEntry == null )
             {
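Review bot: The `userEntry == null` test at the end of this hunk now checks the result of `ServerEntryUtils.toServerEntry(...)` instead of the raw `proxy.lookup(...)` result, so the not-found branch is only reached if the converter passes `null` through; that helper is not shown here. If it throws on `null`, or returns an empty entry, a bind for a missing principal would either fail with a different exception or fall through to the absent-`userPassword` path. Keeping the lookup result in a local, testing it for `null`, and converting afterwards would preserve the intended failure path. The Javadoc above also needs an `@param registries` line for the new parameter. The `if` body continues outside the hunk.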
@@ -600,26 +607,28 @@
             throw e;
         }
 
-        Object userPassword;
+        ServerValue<?> userPassword;
 
-        Attribute userPasswordAttr = userEntry.get( SchemaConstants.USER_PASSWORD_AT );
+        ServerAttribute userPasswordAttr = userEntry.get( SchemaConstants.USER_PASSWORD_AT );
 
         // ---- assert that credentials match
         if ( userPasswordAttr == null )
         {
-            userPassword = ArrayUtils.EMPTY_BYTE_ARRAY;
+            return StringTools.EMPTY_BYTES;
         }
         else
         {
             userPassword = userPasswordAttr.get();
 
-            if ( userPassword instanceof String )
+            if ( userPassword instanceof ServerStringValue )
             {
-                userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
+                return StringTools.getBytesUtf8( (String)userPassword.get() );
+            }
+            else
+            {
+                return (byte[])userPassword.get();
             }
         }
-        
-        return ( byte[] ) userPassword;
     }
 
     /**
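Review bot: The `else` branch returns `(byte[])userPassword.get()` without checking what the value holds, and the result of `userPasswordAttr.get()` is used without a null check. If the attribute can be present with no values or with an unexpected value type, the bind path would end in a `NullPointerException` or `ClassCastException` rather than an authentication failure. A guard such as `if ( userPassword == null ) { return StringTools.EMPTY_BYTES; }` before the `instanceof` test would return the same empty array used when the attribute is absent. Only the first `userPassword` value is read, which is worth stating in the Javadoc if intended. The comment `// ---- assert that credentials match` no longer describes this code, which only extracts the stored value.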

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Sun Jan 20 08:59:10 2008
@@ -24,6 +24,10 @@
 import org.apache.directory.server.core.DirectoryService;
 import org.apache.directory.server.core.authn.LdapPrincipal;
 import org.apache.directory.server.core.authz.support.ACDFEngine;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerValue;
 import org.apache.directory.server.core.enumeration.SearchResultFilter;
 import org.apache.directory.server.core.enumeration.SearchResultFilteringEnumeration;
 import org.apache.directory.server.core.interceptor.BaseInterceptor;
@@ -50,6 +54,7 @@
 import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
 import org.apache.directory.server.schema.registries.OidRegistry;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.aci.ACIItem;
 import org.apache.directory.shared.ldap.aci.ACIItemParser;
 import org.apache.directory.shared.ldap.aci.ACITuple;
@@ -61,12 +66,9 @@
 import org.apache.directory.shared.ldap.message.ResultCodeEnum;
 import org.apache.directory.shared.ldap.name.LdapDN;
 import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaUtils;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.naming.Name;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
@@ -76,6 +78,7 @@
 import javax.naming.directory.SearchResult;
 
 import java.text.ParseException;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -166,8 +169,11 @@
     /** interceptor chain */
     private InterceptorChain chain;
     
+    /** Global registries */
+    private Registries registries;
+    
     /** attribute type registry */
-    private AttributeTypeRegistry attrRegistry;
+    private AttributeTypeRegistry atRegistry;
     
     /** whether or not this interceptor is activated */
     private boolean enabled;
@@ -201,29 +207,30 @@
 
         tupleCache = new TupleCache( directoryService );
         groupCache = new GroupCache( directoryService );
-        attrRegistry = directoryService.getRegistries().getAttributeTypeRegistry();
-        OidRegistry oidRegistry = directoryService.getRegistries().getOidRegistry();
+        registries = directoryService.getRegistries();
+        atRegistry = registries.getAttributeTypeRegistry();
+        OidRegistry oidRegistry = registries.getOidRegistry();
         
         // look up some constant information
         String objectClassOid = oidRegistry.getOid( SchemaConstants.OBJECT_CLASS_AT );
         subentryOid = oidRegistry.getOid( SchemaConstants.SUBENTRY_OC );
         String acSubentryOid = oidRegistry.getOid( AC_SUBENTRY_ATTR );
-        objectClassType = attrRegistry.lookup( objectClassOid );
-        acSubentryType = attrRegistry.lookup( acSubentryOid );
-        entryAciType = attrRegistry.lookup( SchemaConstants.ENTRY_ACI_AT_OID ); 
-        subentryAciType = attrRegistry.lookup( SchemaConstants.SUBENTRY_ACI_AT_OID );
+        objectClassType = atRegistry.lookup( objectClassOid );
+        acSubentryType = atRegistry.lookup( acSubentryOid );
+        entryAciType = atRegistry.lookup( SchemaConstants.ENTRY_ACI_AT_OID ); 
+        subentryAciType = atRegistry.lookup( SchemaConstants.SUBENTRY_ACI_AT_OID );
         
-        aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( attrRegistry, oidRegistry ), attrRegistry.getNormalizerMapping() );
-        engine = new ACDFEngine( directoryService.getRegistries().getOidRegistry(), attrRegistry );
+        aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( atRegistry, oidRegistry ), atRegistry.getNormalizerMapping() );
+        engine = new ACDFEngine( registries.getOidRegistry(), atRegistry );
         chain = directoryService.getInterceptorChain();
         enabled = directoryService.isAccessControlEnabled();
 
         // stuff for dealing with subentries (garbage for now)
-        String subschemaSubentry = 
-        	( String ) directoryService.getPartitionNexus().getRootDSE( null ).
+        ServerValue<?> subschemaSubentry = 
+        	directoryService.getPartitionNexus().getRootDSE( null ).
         		get( SchemaConstants.SUBSCHEMA_SUBENTRY_AT ).get();
-        LdapDN subschemaSubentryDnName = new LdapDN( subschemaSubentry );
-        subschemaSubentryDnName.normalize( attrRegistry.getNormalizerMapping() );
+        LdapDN subschemaSubentryDnName = new LdapDN( (String)(subschemaSubentry.get()) );
+        subschemaSubentryDnName.normalize( atRegistry.getNormalizerMapping() );
         subschemaSubentryDn = subschemaSubentryDnName.toNormName();
     }
 
@@ -254,7 +261,7 @@
     private LdapDN parseNormalized( String name ) throws NamingException
     {
         LdapDN dn = new LdapDN( name );
-        dn.normalize( attrRegistry.getNormalizerMapping() );
+        dn.normalize( atRegistry.getNormalizerMapping() );
         return dn;
     }
 
@@ -274,9 +281,9 @@
      * @param proxy the partition nexus proxy object
      */
     private void addPerscriptiveAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn,
-        Attributes entry ) throws NamingException
+        ServerEntry entry ) throws NamingException
     {
-        Attribute oc = AttributeUtils.getAttribute( entry, objectClassType );
+        ServerAttribute oc = entry.get( objectClassType );
         
         /*
          * If the protected entry is a subentry, then the entry being evaluated
@@ -287,24 +294,26 @@
          * to be in the same naming context as their access point so the subentries
          * effecting their parent entry applies to them as well.
          */
-        if ( AttributeUtils.containsValue( oc, SchemaConstants.SUBENTRY_OC, objectClassType ) || 
-             AttributeUtils.containsValue( oc, subentryOid, objectClassType ) )
+        if ( oc.contains( SchemaConstants.SUBENTRY_OC ) || oc.contains( subentryOid ) )
         {
             LdapDN parentDn = ( LdapDN ) dn.clone();
             parentDn.remove( dn.size() - 1 );
-            entry = proxy.lookup( new LookupOperationContext( parentDn), PartitionNexusProxy.LOOKUP_BYPASS );
+            entry = ServerEntryUtils.toServerEntry( 
+                proxy.lookup( new LookupOperationContext( registries, parentDn), PartitionNexusProxy.LOOKUP_BYPASS ),
+                parentDn,
+                registries );
         }
 
-        Attribute subentries = AttributeUtils.getAttribute( entry, acSubentryType );
+        ServerAttribute subentries = entry.get( acSubentryType );
         
         if ( subentries == null )
         {
             return;
         }
         
-        for ( int ii = 0; ii < subentries.size(); ii++ )
+        for ( ServerValue<?> value:subentries )
         {
-            String subentryDn = ( String ) subentries.get( ii );
+            String subentryDn = ( String ) value.get();
             tuples.addAll( tupleCache.getACITuples( subentryDn ) );
         }
     }
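Review bot: The subentry test now calls `oc.contains( SchemaConstants.SUBENTRY_OC )` where the old code passed `objectClassType` into the comparison, so whether the match is still schema-aware depends on `ServerAttribute.contains(String)`, which this diff does not show. If it compares raw strings, an entry whose objectClass value is stored in a different case (for example `subEntry`) would skip the parent lookup and be evaluated against a different set of prescriptive ACI tuples. The same question applies to the later `addSubentryAciTuples` hunk, where `containsValueCaseIgnore` was replaced by `entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.SUBENTRY_OC )`. `oc` is also dereferenced without a null check, although `entry.get(...)` is treated as nullable a few lines below for `subentries`. A test with mixed-case objectClass values for both methods would confirm that access decisions are unchanged.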
@@ -318,18 +327,18 @@
      * @param entry the target entry that access to is being regulated
      * @throws NamingException if there are problems accessing attribute values
      */
-    private void addEntryAciTuples( Collection<ACITuple> tuples, Attributes entry ) throws NamingException
+    private void addEntryAciTuples( Collection<ACITuple> tuples, ServerEntry entry ) throws NamingException
     {
-        Attribute entryAci = AttributeUtils.getAttribute( entry, entryAciType );
+        ServerAttribute entryAci = entry.get( entryAciType );
         
         if ( entryAci == null )
         {
             return;
         }
 
-        for ( int ii = 0; ii < entryAci.size(); ii++ )
+        for ( ServerValue<?> value:entryAci )
         {
-            String aciString = ( String ) entryAci.get( ii );
+            String aciString = ( String ) value.get();
             ACIItem item;
 
             try
@@ -358,11 +367,11 @@
      * @throws NamingException if there are problems accessing attribute values
      * @param proxy the partition nexus proxy object
      */
-    private void addSubentryAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn, Attributes entry )
+    private void addSubentryAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn, ServerEntry entry )
         throws NamingException
     {
         // only perform this for subentries
-        if ( !AttributeUtils.containsValueCaseIgnore( entry.get( SchemaConstants.OBJECT_CLASS_AT ), SchemaConstants.SUBENTRY_OC ) )
+        if ( !entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.SUBENTRY_OC ) )
         {
             return;
         }
@@ -371,19 +380,23 @@
         // will contain the subentryACI attributes that effect subentries
         LdapDN parentDn = ( LdapDN ) dn.clone();
         parentDn.remove( dn.size() - 1 );
-        Attributes administrativeEntry = proxy.lookup( 
-        		new LookupOperationContext( parentDn, new String[]
-            { SchemaConstants.SUBENTRY_ACI_AT }) , PartitionNexusProxy.LOOKUP_BYPASS );
-        Attribute subentryAci = AttributeUtils.getAttribute( administrativeEntry, subentryAciType );
+        ServerEntry administrativeEntry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( 
+        		new LookupOperationContext( registries, parentDn, new String[]
+            { SchemaConstants.SUBENTRY_ACI_AT }) , PartitionNexusProxy.LOOKUP_BYPASS ),
+            parentDn,
+            registries );
+        
+        ServerAttribute subentryAci = administrativeEntry.get( subentryAciType );
 
         if ( subentryAci == null )
         {
             return;
         }
 
-        for ( int ii = 0; ii < subentryAci.size(); ii++ )
+        for ( ServerValue<?> value:subentryAci )
         {
-            String aciString = ( String ) subentryAci.get( ii );
+            String aciString = ( String ) value.get();
             ACIItem item;
 
             try
@@ -430,7 +443,9 @@
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         LdapDN principalDn = principal.getJndiName();
         
-        Attributes entry = addContext.getEntry();
+        ServerEntry serverEntry = addContext.getEntry(); 
+        //Attributes entry = ServerEntryUtils.toAttributesImpl( serverEntry );
+
         LdapDN name = addContext.getDn();
 
         // bypass authz code if we are disabled
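Review bot: The commented-out line `//Attributes entry = ServerEntryUtils.toAttributesImpl( serverEntry );` should be deleted rather than committed, since version control already keeps the old form. The trailing space after `addContext.getEntry();` can go with it. The enclosing method starts and ends outside the hunk.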
@@ -444,23 +459,22 @@
         if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.add( addContext );
-            tupleCache.subentryAdded( name, entry );
-            groupCache.groupAdded( name, entry );
+            tupleCache.subentryAdded( name, serverEntry );
+            groupCache.groupAdded( name, serverEntry );
             return;
         }
 
         // perform checks below here for all non-admin users
         SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
-        Attributes subentryAttrs = subentryInterceptor.getSubentryAttributes( name, entry );
-        NamingEnumeration<? extends Attribute> attrList = entry.getAll();
+        ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( name, serverEntry );
         
-        while ( attrList.hasMore() )
+        for ( ServerAttribute attribute:serverEntry )
         {
-            subentryAttrs.put( attrList.next() );
+            subentryAttrs.put( attribute );
         }
 
         // Assemble all the information required to make an access control decision
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toNormName() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
 
         // Build the total collection of tuples to be considered for add rights
@@ -470,20 +484,16 @@
 
         // check if entry scope permission is granted
         PartitionNexusProxy proxy = invocation.getProxy();
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             ADD_PERMS, tuples, subentryAttrs, null );
 
         // now we must check if attribute type and value scope permission is granted
-        NamingEnumeration<? extends Attribute> attributeList = entry.getAll();
-        
-        while ( attributeList.hasMore() )
+        for ( ServerAttribute attribute:serverEntry )
         {
-            Attribute attr = attributeList.next();
-        
-            for ( int ii = 0; ii < attr.size(); ii++ )
+            for ( ServerValue<?> value:attribute )
             {
-                engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attr
-                    .getID(), attr.get( ii ), ADD_PERMS, tuples, entry, null );
+                engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attribute
+                    .getUpId(), value.get(), ADD_PERMS, tuples, serverEntry, null );
             }
         }
 
@@ -492,8 +502,8 @@
 
         // if the entry added is a subentry or a groupOf[Unique]Names we must
         // update the ACITuple cache and the groups cache to keep them in sync
-        tupleCache.subentryAdded( name, entry );
-        groupCache.groupAdded( name, entry );
+        tupleCache.subentryAdded( name, serverEntry );
+        groupCache.groupAdded( name, serverEntry );
     }
 
 
@@ -510,7 +520,11 @@
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( new LookupOperationContext( name ) , PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, name ) , PartitionNexusProxy.LOOKUP_BYPASS ),
+            name,
+            registries );
+
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         LdapDN principalDn = principal.getJndiName();
 
@@ -532,13 +546,13 @@
             return;
         }
 
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             REMOVE_PERMS, tuples, entry, null );
 
         next.delete( deleteContext );
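Review bot: The group lookup in this hunk uses `groupCache.getGroups( principalDn.toString() )`, while the add, hasEntry and checkLookupAccess hunks in this same file key the lookup with `toNormName()`. If `LdapDN.toString()` returns the user-provided form of the DN, the cache may not find the principal's groups on delete, and ACI items that grant or deny by user group would not be applied as intended. Using `principalDn.toNormName()` here, and on the identical line in the modify hunk further down, would make all five call sites consistent. The enclosing method starts and ends outside the hunk.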
@@ -555,7 +569,11 @@
         LdapDN name = opContext.getDn();
 
         // Access the principal requesting the operation, and bypass checks if it is the admin
-        Attributes entry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS ),
+            name,
+            registries );
+        
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         LdapDN principalDn = principal.getJndiName();
 
@@ -575,23 +593,23 @@
             /**
              * @TODO: A virtual entry can be created here for not hitting the backend again.
              */
-            Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
-            tupleCache.subentryModified( name, mods, modifiedEntry );
-            groupCache.groupModified( name, mods, entry );
+            Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+            tupleCache.subentryModified( name, mods, ServerEntryUtils.toServerEntry( modifiedEntry, name, registries ) );
+            groupCache.groupModified( name, mods, entry, registries );
             return;
         }
 
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );
 
         Collection<MicroOperation> perms = null;
-        Attributes entryView = ( Attributes ) entry.clone();
+        ServerEntry entryView = ( ServerEntry ) entry.clone();
         
         for ( ModificationItemImpl mod : mods )
         {
@@ -606,7 +624,7 @@
                     if ( entry.get( attr.getID() ) == null )
                     {
                         // ... we also need to check if adding the attribute is permitted
-                        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+                        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
                                 attr.getID(), null, perms, tuples, entry, null );
                     }
                     
@@ -614,7 +632,7 @@
 
                 case ( DirContext.REMOVE_ATTRIBUTE ):
                     perms = REMOVE_PERMS;
-                    Attribute entryAttr = entry.get( attr.getID() );
+                    ServerAttribute entryAttr = entry.get( attr.getID() );
 
                     if ( entryAttr != null )
                     {
@@ -622,7 +640,7 @@
                         if ( entryAttr.size() == 1 )
                         {
                             // ... we also need to check if removing the attribute at all is permitted
-                            engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+                            engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
                                     attr.getID(), null, perms, tuples, entry, null );
                         }
                     }
@@ -647,11 +665,11 @@
              * not the individual Value Additions) we just handle this when the first value of an
              * attribute is being checked for relevant permissions below. 
              */
-            entryView = SchemaUtils.getTargetEntry( mod, entryView );
+            entryView = ServerEntryUtils.getTargetEntry( mod, entryView, registries );
             
             for ( int jj = 0; jj < attr.size(); jj++ )
             {                
-                engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+                engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
                         attr.getID(), attr.get( jj ), perms, tuples, entry, entryView );
             }
         }
@@ -662,9 +680,9 @@
         /**
          * @TODO: A virtual entry can be created here for not hitting the backend again.
          */
-        Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
-        tupleCache.subentryModified( name, mods, modifiedEntry );
-        groupCache.groupModified( name, mods, entry );
+        Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+        tupleCache.subentryModified( name, mods, ServerEntryUtils.toServerEntry( modifiedEntry, name, registries ) );
+        groupCache.groupModified( name, mods, entry, registries );
     }
 
     public boolean hasEntry( NextInterceptor next, EntryOperationContext entryContext ) throws NamingException
@@ -672,7 +690,12 @@
         LdapDN name = entryContext.getDn();
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
+        
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS ),
+            name,
+            registries );
+        
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         LdapDN principalDn = principal.getJndiName();
 
@@ -682,14 +705,14 @@
             return name.size() == 0 || next.hasEntry( entryContext );
         }
 
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toNormName() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
         // check that we have browse access to the entry
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             BROWSE_PERMS, tuples, entry, null );
 
         return next.hasEntry( entryContext );
@@ -711,7 +734,7 @@
      * @param entry the raw entry pulled from the nexus
      * @throws NamingException if undlying access to the DIT fails
      */
-    private void checkLookupAccess( LdapPrincipal principal, LdapDN dn, Attributes entry ) throws NamingException
+    private void checkLookupAccess( LdapPrincipal principal, LdapDN dn, ServerEntry entry ) throws NamingException
     {
         // no permissions checks on the RootDSE
         if ( dn.toString().trim().equals( "" ) )
@@ -721,25 +744,35 @@
 
         PartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
         LdapDN userName = principal.getJndiName();
-        Set<Name> userGroups = groupCache.getGroups( userName.toNormName() );
+        Set<LdapDN> userGroups = groupCache.getGroups( userName.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, dn, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, dn, entry );
 
         // check that we have read access to the entry
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null, null,
+        engine.checkPermission( registries, proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null, null,
             LOOKUP_PERMS, tuples, entry, null );
 
         // check that we have read access to every attribute type and value
-        NamingEnumeration<? extends Attribute> attributeList = entry.getAll();
-        while ( attributeList.hasMore() )
+        for ( ServerAttribute attribute:entry )
         {
-            Attribute attr = attributeList.next();
-            for ( int ii = 0; ii < attr.size(); ii++ )
+            
+            for ( ServerValue<?> value:attribute )
             {
-                engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, attr
-                    .getID(), attr.get( ii ), READ_PERMS, tuples, entry, null );
+                engine.checkPermission( 
+                    registries, 
+                    proxy, 
+                    userGroups, 
+                    userName, 
+                    principal.getAuthenticationLevel(), 
+                    dn, 
+                    attribute.getUpId(), 
+                    value.get(), 
+                    READ_PERMS, 
+                    tuples, 
+                    entry, 
+                    null );
             }
         }
     }
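Review bot: The rewritten loop in checkLookupAccess still asks the engine only about individual values (`attribute.getUpId(), value.get()`), so an attribute type is never checked on its own here, whereas filter() in this same file first calls hasPermission with the attribute id and a null value before it looks at values. If the engine does not treat a value-level grant as implying the type-level one (not visible in this diff), lookup and search can reach different decisions for the same entry, and an attribute without values is not checked at all. Consider a type-level call ahead of the inner loop, `engine.checkPermission( registries, proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, attribute.getUpId(), null, READ_PERMS, tuples, entry, null );`, or a comment stating why it is not needed. The start of the method is outside this hunk.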
@@ -753,7 +786,7 @@
         
         if ( !principalDn.isNormalized() )
         {
-        	principalDn.normalize( attrRegistry.getNormalizerMapping() );
+        	principalDn.normalize( atRegistry.getNormalizerMapping() );
         }
         
         if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
@@ -762,7 +795,10 @@
         }
 
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( lookupContext, PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( lookupContext, PartitionNexusProxy.LOOKUP_BYPASS ),
+            lookupContext.getDn(),
+            registries );
         checkLookupAccess( principal, lookupContext.getDn(), entry );
         return next.lookup( lookupContext );
     }
@@ -774,7 +810,12 @@
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
+        
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS ),
+            name,
+            registries );
+        
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         LdapDN principalDn = principal.getJndiName();
         LdapDN newName = ( LdapDN ) name.clone();
@@ -803,13 +844,13 @@
             return;
         }
 
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             RENAME_PERMS, tuples, entry, null );
 
         next.rename( renameContext );
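Review bot: The group lookup key here is `principalDn.toString()`, while hasEntry, checkLookupAccess, compare and filter in this same commit pass `toNormName()`; the `toString()` form recurs in the moveAndRename, move and getMatchedName hunks. GroupCache's own comments say member DNs are normalised before they are cached, so if `toString()` can ever return a non-normalised form the lookup would miss and group-based ACI tuples would silently not apply to rename and move. Since the line is being touched anyway, use `Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );` in all four places. The enclosing method starts and ends outside this hunk.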
@@ -827,8 +868,13 @@
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( new LookupOperationContext( oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        
+        ServerEntry entry = ServerEntryUtils.toServerEntry(
+            proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS ),
+            oriChildName,
+            registries );
+        
+            LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         LdapDN principalDn = principal.getJndiName();
         LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( moveAndRenameContext.getNewRdn().getUpName() );
@@ -851,13 +897,13 @@
             return;
         }
 
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, oriChildName, entry );
 
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
             null, MOVERENAME_PERMS, tuples, entry, null );
 
         // Get the entry again without operational attributes
@@ -865,8 +911,12 @@
         // will not be valid at the new location.
         // This will certainly be fixed by the SubentryInterceptor,
         // but after this service.
-        Attributes importedEntry = proxy.lookup( new LookupOperationContext( oriChildName ), 
-            PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+        ServerEntry importedEntry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, oriChildName ), 
+                PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS ),
+            oriChildName,
+            registries );
+            
         
         // As the target entry does not exist yet and so
         // its subentry operational attributes are not there,
@@ -874,12 +924,11 @@
         // at least with minimal requirements which are object class
         // and access control subentry operational attributes.
         SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
-        Attributes subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
-        NamingEnumeration<? extends Attribute> attrList = importedEntry.getAll();
+        ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
         
-        while ( attrList.hasMore() )
+        for ( ServerAttribute attribute:importedEntry )
         {
-            subentryAttrs.put( attrList.next() );
+            subentryAttrs.put( attribute );
         }
         
         Collection<ACITuple> destTuples = new HashSet<ACITuple>();
@@ -887,7 +936,7 @@
         addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
             null, IMPORT_PERMS, destTuples, subentryAttrs, null );
 
 
@@ -905,7 +954,11 @@
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( new LookupOperationContext( oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS ),
+            oriChildName,
+            registries );
+        
         LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( oriChildName.get( oriChildName.size() - 1 ) );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
@@ -929,13 +982,13 @@
             return;
         }
 
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, oriChildName, entry );
 
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
             null, EXPORT_PERMS, tuples, entry, null );
         
         // Get the entry again without operational attributes
@@ -943,20 +996,23 @@
         // will not be valid at the new location.
         // This will certainly be fixed by the SubentryInterceptor,
         // but after this service.
-        Attributes importedEntry = proxy.lookup( new LookupOperationContext( oriChildName ), 
-            PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+        ServerEntry importedEntry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, oriChildName ), 
+                PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS ),
+            oriChildName,
+            registries );
+            
         // As the target entry does not exist yet and so
         // its subentry operational attributes are not there,
         // we need to construct an entry to represent it
         // at least with minimal requirements which are object class
         // and access control subentry operational attributes.
         SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
-        Attributes subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
-        NamingEnumeration<? extends Attribute> attrList = importedEntry.getAll();
+        ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
         
-        while ( attrList.hasMore() )
+        for ( ServerAttribute attribute:importedEntry )
         {
-            subentryAttrs.put( attrList.next() );
+            subentryAttrs.put( attribute );
         }
         
         Collection<ACITuple> destTuples = new HashSet<ACITuple>();
@@ -964,7 +1020,7 @@
         addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
             null, IMPORT_PERMS, destTuples, subentryAttrs, null );
 
         next.move( moveContext );
@@ -1027,9 +1083,12 @@
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
-        Attributes entry = proxy.lookup( 
-        		new LookupOperationContext( name ), 
-        		PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( 
+        		new LookupOperationContext( registries, name ), 
+        		PartitionNexusProxy.LOOKUP_BYPASS ),
+        	name,
+        	registries );
 
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         LdapDN principalDn = principal.getJndiName();
@@ -1039,15 +1098,15 @@
             return next.compare( opContext );
         }
 
-        Set<Name> userGroups = groupCache.getGroups( principalDn.toNormName() );
+        Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             READ_PERMS, tuples, entry, null );
-        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, oid, value,
+        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, oid, value,
             COMPARE_PERMS, tuples, entry, null );
 
         return next.compare( opContext );
@@ -1068,7 +1127,7 @@
         }
 
         // get the present matched name
-        Attributes entry;
+        ServerEntry entry;
         LdapDN matched = next.getMatchedName( opContext );
 
         // check if we have disclose on error permission for the entry at the matched dn
@@ -1076,14 +1135,18 @@
         // that but if permission is granted then short the process and return the dn
         while ( matched.size() > 0 )
         {
-            entry = proxy.lookup( new LookupOperationContext( matched ), PartitionNexusProxy.GETMATCHEDDN_BYPASS );
-            Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+            entry = ServerEntryUtils.toServerEntry( 
+                proxy.lookup( new LookupOperationContext( registries, matched ), PartitionNexusProxy.GETMATCHEDDN_BYPASS ),
+                matched,
+                registries );
+            
+            Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
             Collection<ACITuple> tuples = new HashSet<ACITuple>();
             addPerscriptiveAciTuples( proxy, tuples, matched, entry );
             addEntryAciTuples( tuples, entry );
             addSubentryAciTuples( proxy, tuples, matched, entry );
 
-            if ( engine.hasPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), matched, null,
+            if ( engine.hasPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), matched, null,
                 null, MATCHEDNAME_PERMS, tuples, entry, null ) )
             {
                 return matched;
@@ -1096,7 +1159,7 @@
     }
 
 
-    public void cacheNewGroup( LdapDN name, Attributes entry ) throws NamingException
+    public void cacheNewGroup( LdapDN name, ServerEntry entry ) throws NamingException
     {
         groupCache.groupAdded( name, entry );
     }
@@ -1104,22 +1167,40 @@
 
     private boolean filter( Invocation invocation, LdapDN normName, SearchResult result ) throws NamingException
     {
+        ServerEntry resultEntry = ServerEntryUtils.toServerEntry( result.getAttributes(), new LdapDN( result.getName() ) , registries );
+
         /*
          * First call hasPermission() for entry level "Browse" and "ReturnDN" perm
          * tests.  If we hasPermission() returns false we immediately short the
          * process and return false.
          */
-        Attributes entry = invocation.getProxy().lookup( new LookupOperationContext( normName ), PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry entry = ServerEntryUtils.toServerEntry( 
+            invocation.getProxy().lookup( 
+                new LookupOperationContext( registries, normName ), PartitionNexusProxy.LOOKUP_BYPASS ),
+            normName,
+            registries );
+        
         ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
         LdapDN userDn = ctx.getPrincipal().getJndiName();
-        Set<Name> userGroups = groupCache.getGroups( userDn.toNormName() );
+        Set<LdapDN> userGroups = groupCache.getGroups( userDn.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
         addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( invocation.getProxy(), tuples, normName, entry );
 
-        if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
-            .getAuthenticationLevel(), normName, null, null, SEARCH_ENTRY_PERMS, tuples, entry, null ) )
+        if ( !engine.hasPermission( 
+                        registries, 
+                        invocation.getProxy(), 
+                        userGroups, 
+                        userDn, 
+                        ctx.getPrincipal().getAuthenticationLevel(), 
+                        normName, 
+                        null, 
+                        null, 
+                        SEARCH_ENTRY_PERMS, 
+                        tuples, 
+                        entry, 
+                        null ) )
         {
             return false;
         }
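Review bot: `resultEntry` is built at the top of filter() from `result.getName()` before the SEARCH_ENTRY_PERMS check, so the conversion, and any NamingException from parsing that name, happens even for results the caller is not allowed to see. Move it to just after the `return false;` branch as `ServerEntry resultEntry = ServerEntryUtils.toServerEntry( result.getAttributes(), normName, registries );`. Passing the already normalised `normName` also avoids re-parsing a name that may be relative or unnormalised, assuming both refer to the same entry as the surrounding code suggests. The rest of filter() is in the next hunk.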
@@ -1131,43 +1212,74 @@
          * not allowed are removed from the attribute.  If the attribute has no more
          * values remaining then the entire attribute is removed.
          */
-        NamingEnumeration<String> idList = result.getAttributes().getIDs();
-
-        while ( idList.hasMore() )
+        //NamingEnumeration<String> idList = result.getAttributes().getIDs();
+        List<AttributeType> attributeToRemove = new ArrayList<AttributeType>();
+        
+        for ( AttributeType attributeType:resultEntry.getAttributeTypes() )
         {
             // if attribute type scope access is not allowed then remove the attribute and continue
-            String id = idList.next();
-            Attribute attr = result.getAttributes().get( id );
+            String id = attributeType.getName();
+            ServerAttribute attr = resultEntry.get( attributeType );
         
-            if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
-                .getAuthenticationLevel(), normName, attr.getID(), null, SEARCH_ATTRVAL_PERMS, tuples, entry, null ) )
+            if ( !engine.hasPermission( 
+                        registries, 
+                        invocation.getProxy(), 
+                        userGroups, 
+                        userDn,
+                        ctx.getPrincipal().getAuthenticationLevel(), 
+                        normName, 
+                        id, 
+                        null, 
+                        SEARCH_ATTRVAL_PERMS, 
+                        tuples, 
+                        entry, 
+                        null ) )
             {
-                result.getAttributes().remove( attr.getID() );
-
-                if ( attr.size() == 0 )
-                {
-                    result.getAttributes().remove( attr.getID() );
-                }
+                attributeToRemove.add( attributeType );
+                
                 continue;
             }
 
+            List<ServerValue<?>> valueToRemove = new ArrayList<ServerValue<?>>();
+            
             // attribute type scope is ok now let's determine value level scope
-            for ( int ii = 0; ii < attr.size(); ii++ )
+            for ( ServerValue<?> value:attr )
             {
-                if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
-                    .getAuthenticationLevel(), normName, attr.getID(), attr.get( ii ), SEARCH_ATTRVAL_PERMS, tuples,
-                    entry, null ) )
+                if ( !engine.hasPermission( 
+                        registries, 
+                        invocation.getProxy(), 
+                        userGroups, 
+                        userDn, 
+                        ctx.getPrincipal().getAuthenticationLevel(), 
+                        normName, 
+                        attr.getUpId(), 
+                        value.get(), 
+                        SEARCH_ATTRVAL_PERMS, 
+                        tuples,
+                        entry, 
+                        null ) )
                 {
-                    attr.remove( ii );
-
-                    if ( ii > 0 )
-                    {
-                        ii--;
-                    }
+                    valueToRemove.add( value );
                 }
             }
+            
+            for ( ServerValue<?> value:valueToRemove )
+            {
+                attr.remove( value );
+            }
+            
+            if ( attr.size() == 0 )
+            {
+                attributeToRemove.add( attributeType );
+            }
+        }
+        
+        for ( AttributeType attributeType:attributeToRemove )
+        {
+            resultEntry.remove( attributeType );
         }
 
+        result.setAttributes( ServerEntryUtils.toAttributesImpl( resultEntry ) );
         return true;
     }
 
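Review bot: The two permission calls in this loop identify the attribute differently: the type-level call passes `attributeType.getName()` while the value-level call passes `attr.getUpId()`, where the old code used `attr.getID()` for both. If the engine matches ACI items on that string, the two checks can disagree for the same attribute, and should `getName()` return null for a type without names, the type-level call takes the same `(null, null)` shape as the entry-level check at the top of filter(). Fetch the attribute first and use one identifier for both calls, e.g. `ServerAttribute attr = resultEntry.get( attributeType );` followed by `String id = attr.getUpId();`. The commented-out `idList` line can be deleted rather than kept. filter() begins in the previous hunk.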

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java Sun Jan 20 08:59:10 2008
@@ -40,6 +40,7 @@
 import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
 import org.apache.directory.shared.ldap.message.ServerSearchResult;
@@ -140,15 +141,15 @@
         
         uniqueMemberAT = attrRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
         
-        loadAdministrators();
+        loadAdministrators( directoryService.getRegistries() );
     }
     
     
-    private void loadAdministrators() throws NamingException
+    private void loadAdministrators( Registries registries ) throws NamingException
     {
         // read in the administrators and cache their normalized names
         Set<String> newAdministrators = new HashSet<String>( 2 );
-        Attributes adminGroup = nexus.lookup( new LookupOperationContext( ADMIN_GROUP_DN ) );
+        Attributes adminGroup = nexus.lookup( new LookupOperationContext( registries, ADMIN_GROUP_DN ) );
         
         if ( adminGroup == null )
         {
@@ -271,7 +272,7 @@
             // update administrators if we change administrators group
             if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
             {
-                loadAdministrators();
+                loadAdministrators( opContext.getRegistries() );
             }
         }
         else

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java Sun Jan 20 08:59:10 2008
@@ -28,9 +28,14 @@
 
 import org.apache.directory.server.constants.ServerDNConstants;
 import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerValue;
 import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
 import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.filter.BranchNode;
 import org.apache.directory.shared.ldap.filter.EqualityNode;
@@ -40,15 +45,11 @@
 import org.apache.directory.shared.ldap.name.LdapDN;
 import org.apache.directory.shared.ldap.schema.AttributeType;
 import org.apache.directory.shared.ldap.schema.OidNormalizer;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.naming.Name;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.ModificationItem;
 import javax.naming.directory.SearchControls;
@@ -89,7 +90,7 @@
     /** the normalized dn of the administrators group */
     private LdapDN administratorsGroupDn;
     
-    private static final Set<Name> EMPTY_GROUPS = new HashSet<Name>();
+    private static final Set<LdapDN> EMPTY_GROUPS = new HashSet<LdapDN>();
     
     /**
      * Creates a static group cache.
@@ -109,7 +110,7 @@
         // stuff for dealing with the admin group
         administratorsGroupDn = parseNormalized( ServerDNConstants.ADMINISTRATORS_GROUP_DN );
 
-        initialize();
+        initialize( directoryService.getRegistries() );
     }
 
 
@@ -121,7 +122,7 @@
     }
 
 
-    private void initialize() throws NamingException
+    private void initialize( Registries registries ) throws NamingException
     {
         // search all naming contexts for static groups and generate
         // normalized sets of members to cache within the map
@@ -139,13 +140,14 @@
             SearchControls ctls = new SearchControls();
             ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
             NamingEnumeration<SearchResult> results = nexus.search(
-                    new SearchOperationContext( baseDn, AliasDerefMode.DEREF_ALWAYS, filter, ctls ) );
+                    new SearchOperationContext( registries, baseDn, AliasDerefMode.DEREF_ALWAYS, filter, ctls ) );
 
             while ( results.hasMore() )
             {
                 SearchResult result = results.next();
                 LdapDN groupDn = parseNormalized( result.getName() );
-                Attribute members = getMemberAttribute( result.getAttributes() );
+                ServerAttribute members = getMemberAttribute( 
+                    ServerEntryUtils.toServerEntry( result.getAttributes(), groupDn, registries ) );
 
                 if ( members != null )
                 {
@@ -176,20 +178,20 @@
      * @param entry the entry inspected for member attributes
      * @return the member attribute
      */
-    private Attribute getMemberAttribute( Attributes entry )
+    private ServerAttribute getMemberAttribute( ServerEntry entry ) throws NamingException
     {
-        Attribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
+        ServerAttribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
 
         if ( oc == null )
         {
-        	Attribute member = AttributeUtils.getAttribute( entry, memberAT );
+            ServerAttribute member = entry.get( memberAT );
         	
             if ( member != null )
             {
                 return member;
             }
 
-            Attribute uniqueMember = AttributeUtils.getAttribute(entry, uniqueMemberAT );
+            ServerAttribute uniqueMember = entry.get( uniqueMemberAT );
             
             if ( uniqueMember != null )
             {
@@ -199,16 +201,16 @@
             return null;
         }
 
-        if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC ) ||
-        		AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC_OID )	)
+        if ( oc.contains( SchemaConstants.GROUP_OF_NAMES_OC ) ||
+             oc.contains( SchemaConstants.GROUP_OF_NAMES_OC_OID ) )
         {
-            return AttributeUtils.getAttribute( entry, memberAT );
+            return entry.get( memberAT );
         }
 
-        if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) || 
-        		AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ))
+        if ( oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) || 
+             oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ))
         {
-            return AttributeUtils.getAttribute(entry, uniqueMemberAT );
+            return entry.get( uniqueMemberAT );
         }
 
         return null;
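Review bot: The objectClass test changes from `AttributeUtils.containsValueCaseIgnore( oc, ... )` to `oc.contains( ... )`, and nothing in this diff shows that `ServerAttribute.contains` compares case-insensitively. If it does not, an entry whose objectClass value differs only in case from the constant is no longer recognised as a group, its members never reach the cache, and ACI tuples that name that group stop applying. Either confirm that `contains` compares through the attribute's equality matching rule and record that in a comment (`// contains() compares via the objectClass equality matching rule`), or keep a case-insensitive comparison. A unit test with mixed-case objectClass values would pin the behaviour down. getMemberAttribute begins in the previous hunk.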
@@ -222,12 +224,13 @@
      * @param members the member attribute values being added
      * @throws NamingException if there are problems accessing the attr values
      */
-    private void addMembers( Set<String> memberSet, Attribute members ) throws NamingException
+    private void addMembers( Set<String> memberSet, ServerAttribute members ) throws NamingException
     {
-        for ( int ii = 0; ii < members.size(); ii++ )
+        for ( ServerValue<?> value:members )
         {
+
             // get and normalize the DN of the member
-            String memberDn = ( String ) members.get( ii );
+            String memberDn = (String)value.get();
 
             try
             {
@@ -250,12 +253,12 @@
      * @param members the set of member values
      * @throws NamingException if there are problems accessing the attr values
      */
-    private void removeMembers( Set<String> memberSet, Attribute members ) throws NamingException
+    private void removeMembers( Set<String> memberSet, ServerAttribute members ) throws NamingException
     {
-        for ( int ii = 0; ii < members.size(); ii++ )
+        for ( ServerValue<?> value:members )
         {
             // get and normalize the DN of the member
-            String memberDn = ( String ) members.get( ii );
+            String memberDn = (String)value.get();
 
             try
             {
@@ -279,9 +282,9 @@
      * @param entry the group entry's attributes
      * @throws NamingException if there are problems accessing the attr values
      */
-    public void groupAdded( LdapDN name, Attributes entry ) throws NamingException
+    public void groupAdded( LdapDN name, ServerEntry entry ) throws NamingException
     {
-        Attribute members = getMemberAttribute( entry );
+        ServerAttribute members = getMemberAttribute( entry );
 
         if ( members == null )
         {
@@ -306,9 +309,9 @@
      * @param name the normalized DN of the group entry
      * @param entry the attributes of entry being deleted
      */
-    public void groupDeleted( LdapDN name, Attributes entry )
+    public void groupDeleted( LdapDN name, ServerEntry entry ) throws NamingException
     {
-        Attribute members = getMemberAttribute( entry );
+        ServerAttribute members = getMemberAttribute( entry );
 
         if ( members == null )
         {
@@ -333,7 +336,7 @@
      * @param members the members being added, removed or replaced
      * @throws NamingException if there are problems accessing attribute values
      */
-    private void modify( Set<String> memberSet, int modOp, Attribute members ) throws NamingException
+    private void modify( Set<String> memberSet, int modOp, ServerAttribute members ) throws NamingException
     {
 
         switch ( modOp )
@@ -370,23 +373,23 @@
      * @param entry the group entry being modified
      * @throws NamingException if there are problems accessing attribute  values
      */
-    public void groupModified( LdapDN name, List<ModificationItemImpl> mods, Attributes entry ) throws NamingException
+    public void groupModified( LdapDN name, List<ModificationItemImpl> mods, ServerEntry entry, Registries registries ) throws NamingException
     {
-        Attribute members = null;
+        ServerAttribute members = null;
         String memberAttrId = null;
-        Attribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
+        ServerAttribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
 
-        if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC ) ||
-        		AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC_OID ))
+        if ( oc.contains( SchemaConstants.GROUP_OF_NAMES_OC ) ||
+             oc.contains( SchemaConstants.GROUP_OF_NAMES_OC_OID ))
         {
-            members = AttributeUtils.getAttribute( entry, memberAT );
+            members = entry.get( memberAT );
             memberAttrId = SchemaConstants.MEMBER_AT;
         }
 
-        if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) ||
-        		AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ) )
+        if ( oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) ||
+             oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ) )
         {
-            members = AttributeUtils.getAttribute(entry, uniqueMemberAT );
+            members = entry.get( uniqueMemberAT );
             memberAttrId = SchemaConstants.UNIQUE_MEMBER_AT;
         }
 
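Review bot: `oc` is dereferenced by the new `oc.contains( ... )` calls without the `oc == null` guard that `getMemberAttribute` applies to the same lookup. Whether the replaced `AttributeUtils.containsValueCaseIgnore` tolerated a null attribute is not visible here, so this may be a new NullPointerException when an entry without an objectClass attribute is modified. A guard directly after the lookup would keep the two methods consistent, for example `if ( oc == null ) { return; }`, assuming an early return is the right outcome when no group objectClass can be determined. The method body continues past this hunk.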
@@ -403,7 +406,12 @@
                 
                 if ( memberSet != null )
                 {
-                    modify( memberSet, modification.getModificationOp(), modification.getAttribute() );
+                    modify( 
+                        memberSet, 
+                        modification.getModificationOp(), 
+                        ServerEntryUtils.toServerAttribute( 
+                            modification.getAttribute(),
+                            registries.getAttributeTypeRegistry().lookup( modification.getAttribute().getID() ) ) );
                 }
                 
                 break;
@@ -426,9 +434,9 @@
      * @param mods the modifications being performed
      * @throws NamingException if there are problems accessing attribute  values
      */
-    public void groupModified( LdapDN name, int modOp, Attributes mods ) throws NamingException
+    public void groupModified( LdapDN name, int modOp, ServerEntry mods ) throws NamingException
     {
-        Attribute members = getMemberAttribute( mods );
+        ServerAttribute members = getMemberAttribute( mods );
 
         if ( members == null )
         {
@@ -483,7 +491,7 @@
      * @return a Set of Name objects representing the groups
      * @throws NamingException if there are problems accessing attribute  values
      */
-    public Set<Name> getGroups( String member ) throws NamingException
+    public Set<LdapDN> getGroups( String member ) throws NamingException
     {
     	LdapDN normMember;
     	
@@ -497,7 +505,7 @@
             return EMPTY_GROUPS;
         }
 
-        Set<Name> memberGroups = null;
+        Set<LdapDN> memberGroups = null;
 
         for ( String group:groups.keySet() )
         {
@@ -512,7 +520,7 @@
             {
                 if ( memberGroups == null )
                 {
-                    memberGroups = new HashSet<Name>();
+                    memberGroups = new HashSet<LdapDN>();
                 }
 
                 memberGroups.add( parseNormalized( group ) );

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java Sun Jan 20 08:59:10 2008
@@ -20,11 +20,16 @@
 package org.apache.directory.server.core.authz;
 
 import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerValue;
 import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
 import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
 import org.apache.directory.server.schema.registries.OidRegistry;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.aci.ACIItem;
 import org.apache.directory.shared.ldap.aci.ACIItemParser;
 import org.apache.directory.shared.ldap.aci.ACITuple;
@@ -39,15 +44,12 @@
 import org.apache.directory.shared.ldap.name.NameComponentNormalizer;
 import org.apache.directory.shared.ldap.schema.AttributeType;
 import org.apache.directory.shared.ldap.schema.OidNormalizer;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.naming.Name;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import java.text.ParseException;
@@ -104,7 +106,7 @@
         NameComponentNormalizer ncn = new ConcreteNameComponentNormalizer( attributeTypeRegistry, oidRegistry );
         aciParser = new ACIItemParser( ncn, normalizerMap );
         prescriptiveAciAT = attributeTypeRegistry.lookup( SchemaConstants.PRESCRIPTIVE_ACI_AT );
-        initialize();
+        initialize( directoryService.getRegistries() );
     }
 
     
@@ -116,7 +118,7 @@
     }
 
 
-    private void initialize() throws NamingException
+    private void initialize( Registries registries ) throws NamingException
     {
         // search all naming contexts for access control subentenries
         // generate ACITuple Arrays for each subentry
@@ -131,14 +133,16 @@
                     SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC );
             SearchControls ctls = new SearchControls();
             ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
-            NamingEnumeration<SearchResult> results = nexus.search( new SearchOperationContext( baseDn,
+            NamingEnumeration<SearchResult> results = nexus.search( 
+                new SearchOperationContext( registries, baseDn,
                     AliasDerefMode.NEVER_DEREF_ALIASES, filter, ctls ) );
             
             while ( results.hasMore() )
             {
                 SearchResult result = results.next();
-                String subentryDn = result.getName();
-                Attribute aci = AttributeUtils.getAttribute( result.getAttributes(), prescriptiveAciAT );
+                LdapDN subentryDn = new LdapDN( result.getName() ).normalize( normalizerMap );
+                ServerEntry serverEntry = ServerEntryUtils.toServerEntry( result.getAttributes(), subentryDn, registries );
+                ServerAttribute aci = serverEntry.get( prescriptiveAciAT );
                 
                 if ( aci == null )
                 {
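Review bot: The added `new LdapDN( result.getName() ).normalize( normalizerMap )` and `ServerEntryUtils.toServerEntry( ... )` calls run for every search result while `results` is open, and the `results.close()` shown in the next hunk is not in a `finally`. If either call throws a NamingException for one subentry, the enumeration is left open and the remaining access control subentries are never loaded into the tuple cache. Wrapping the loop as `try { ... } finally { results.close(); }` would close it on every path. Whether one bad subentry should abort initialization or be logged and skipped deserves a comment at the loop. The loop body continues past this hunk.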
@@ -147,8 +151,7 @@
                     continue;
                 }
 
-                LdapDN normName = parseNormalized( subentryDn );
-                subentryAdded( normName, result.getAttributes() );
+                subentryAdded( subentryDn, serverEntry );
             }
             
             results.close();
@@ -156,15 +159,15 @@
     }
 
 
-    private boolean hasPrescriptiveACI( Attributes entry ) throws NamingException
+    private boolean hasPrescriptiveACI( ServerEntry entry ) throws NamingException
     {
         // only do something if the entry contains prescriptiveACI
-        Attribute aci = AttributeUtils.getAttribute( entry, prescriptiveAciAT );
+        ServerAttribute aci = entry.get( prescriptiveAciAT );
 
         if ( aci == null )
         {
-            if ( AttributeUtils.containsValueCaseIgnore( entry.get( SchemaConstants.OBJECT_CLASS_AT ), SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC ) ||
-                 AttributeUtils.containsValueCaseIgnore( entry.get( SchemaConstants.OBJECT_CLASS_AT ), SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC_OID ))
+            if ( entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC ) ||
+                 entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC_OID ) )
             {
                 // should not be necessary because of schema interceptor but schema checking
                 // can be turned off and in this case we must protect against being able to
@@ -181,10 +184,10 @@
     }
 
 
-    public void subentryAdded( LdapDN normName, Attributes entry ) throws NamingException
+    public void subentryAdded( LdapDN normName, ServerEntry entry ) throws NamingException
     {
         // only do something if the entry contains prescriptiveACI
-        Attribute aci = AttributeUtils.getAttribute( entry, prescriptiveAciAT );
+        ServerAttribute aciAttr = entry.get( prescriptiveAciAT );
         
         if ( !hasPrescriptiveACI( entry ) )
         {
@@ -193,14 +196,14 @@
 
         List<ACITuple> entryTuples = new ArrayList<ACITuple>();
         
-        for ( int ii = 0; ii < aci.size(); ii++ )
+        for ( ServerValue<?> value:aciAttr )
         {
+            String aci = (String)value.get();
             ACIItem item = null;
-            String aciStr = ( String ) aci.get( ii ); 
 
             try
             {
-                item = aciParser.parse( aciStr );
+                item = aciParser.parse( aci );
                 entryTuples.addAll( item.toTuples() );
             }
             catch ( ParseException e )
@@ -220,9 +223,9 @@
     }
 
 
-    public void subentryDeleted( Name normName, Attributes entry ) throws NamingException
+    public void subentryDeleted( LdapDN normName, ServerEntry entry ) throws NamingException
     {
-        if ( !hasPrescriptiveACI( entry ) )
+        if ( !hasPrescriptiveACI(entry ) )
         {
             return;
         }
@@ -231,7 +234,7 @@
     }
 
 
-    public void subentryModified( LdapDN normName, List<ModificationItemImpl> mods, Attributes entry ) throws NamingException
+    public void subentryModified( LdapDN normName, List<ModificationItemImpl> mods, ServerEntry entry ) throws NamingException
     {
         if ( !hasPrescriptiveACI( entry ) )
         {
@@ -241,6 +244,7 @@
         for ( ModificationItemImpl mod : mods )
         {
             String attrID = mod.getAttribute().getID();
+            
             if ( attrID.equalsIgnoreCase( SchemaConstants.PRESCRIPTIVE_ACI_AT ) ||
                     attrID.equalsIgnoreCase( SchemaConstants.PRESCRIPTIVE_ACI_AT_OID ) )
             {
@@ -251,14 +255,14 @@
     }
 
 
-    public void subentryModified( LdapDN normName, Attributes mods, Attributes entry ) throws NamingException
+    public void subentryModified( LdapDN normName, ServerEntry mods, ServerEntry entry ) throws NamingException
     {
         if ( !hasPrescriptiveACI( entry ) )
         {
             return;
         }
 
-        if ( AttributeUtils.getAttribute( mods, prescriptiveAciAT ) != null )
+        if ( mods.get( prescriptiveAciAT ) != null )
         {
             subentryDeleted( normName, entry );
             subentryAdded( normName, entry );

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Sun Jan 20 08:59:10 2008
@@ -25,13 +25,13 @@
 import java.util.Collections;
 import java.util.HashSet;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
-import javax.naming.directory.Attributes;
 
 import org.apache.directory.server.core.authn.AuthenticationInterceptor;
 import org.apache.directory.server.core.authz.AciAuthorizationInterceptor;
 import org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
 import org.apache.directory.server.core.event.Evaluator;
 import org.apache.directory.server.core.event.EventInterceptor;
 import org.apache.directory.server.core.event.ExpressionEvaluator;
@@ -47,6 +47,7 @@
 import org.apache.directory.server.core.trigger.TriggerInterceptor;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
 import org.apache.directory.server.schema.registries.OidRegistry;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
@@ -127,11 +128,21 @@
      * @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
      * @throws NamingException if failed to evaluate ACI items
      */
-    public void checkPermission( PartitionNexusProxy proxy, Collection<Name> userGroupNames, LdapDN username,
-                                 AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId, Object attrValue,
-                                 Collection<MicroOperation> microOperations, Collection<ACITuple> aciTuples, Attributes entry, Attributes entryView ) throws NamingException
+    public void checkPermission( 
+        Registries registries, 
+        PartitionNexusProxy proxy, 
+        Collection<LdapDN> userGroupNames, 
+        LdapDN username,
+        AuthenticationLevel authenticationLevel, 
+        LdapDN entryName, 
+        String attrId, 
+        Object attrValue, 
+        Collection<MicroOperation> microOperations, 
+        Collection<ACITuple> aciTuples, 
+        ServerEntry entry, 
+        ServerEntry entryView ) throws NamingException
     {
-        if ( !hasPermission( proxy, userGroupNames, username, authenticationLevel, entryName, attrId, attrValue,
+        if ( !hasPermission( registries, proxy, userGroupNames, username, authenticationLevel, entryName, attrId, attrValue,
             microOperations, aciTuples, entry, entryView ) )
         {
             throw new LdapNoPermissionException();
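Review bot: The new leading `registries` parameter of `checkPermission` is undocumented, since the hunk adds no `@param` line to the Javadoc whose last lines are visible above the signature. I would add `@param registries the schema registries, passed through to hasPermission` as the first parameter entry. The same gap applies to `hasPermission` in the next hunk and to `ACITupleFilter.filter`, where `registries` is also added without a Javadoc line. Because these are public signatures, a note in the Javadoc that the argument must not be null would also help callers, if that is the contract.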
@@ -175,16 +186,29 @@
      * @param aciTuples {@link org.apache.directory.shared.ldap.aci.ACITuple}s translated from {@link org.apache.directory.shared.ldap.aci.ACIItem}s in the subtree entries
      * @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
      */
-    public boolean hasPermission( PartitionNexusProxy proxy, Collection<Name> userGroupNames, LdapDN userName,
-                                  AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId, Object attrValue,
-                                  Collection<MicroOperation> microOperations, Collection<ACITuple> aciTuples, Attributes entry, Attributes entryView ) throws NamingException
+    public boolean hasPermission( 
+        Registries registries, 
+        PartitionNexusProxy proxy, 
+        Collection<LdapDN> userGroupNames, 
+        LdapDN userName,
+        AuthenticationLevel authenticationLevel, 
+        LdapDN entryName, 
+        String attrId, 
+        Object attrValue, 
+        Collection<MicroOperation> microOperations, 
+        Collection<ACITuple> aciTuples, 
+        ServerEntry entry, 
+        ServerEntry entryView ) throws NamingException
     {
         if ( entryName == null )
         {
             throw new NullPointerException( "entryName" );
         }
 
-        Attributes userEntry = proxy.lookup( new LookupOperationContext( userName ), USER_LOOKUP_BYPASS );
+        ServerEntry userEntry = ServerEntryUtils.toServerEntry( 
+            proxy.lookup( new LookupOperationContext( registries, userName ), USER_LOOKUP_BYPASS ),
+            userName, 
+            registries );
 
         // Determine the scope of the requested operation.
         OperationScope scope;
@@ -208,8 +232,21 @@
         // Filter unrelated and invalid tuples
         for ( ACITupleFilter filter : filters )
         {
-            aciTuples = filter.filter( aciTuples, scope, proxy, userGroupNames, userName, userEntry,
-                authenticationLevel, entryName, attrId, attrValue, entry, microOperations, entryView );
+            aciTuples = filter.filter( 
+                registries, 
+                aciTuples, 
+                scope, 
+                proxy, 
+                userGroupNames, 
+                userName, 
+                ServerEntryUtils.toAttributesImpl( userEntry ),
+                authenticationLevel, 
+                entryName, 
+                attrId, 
+                attrValue, 
+                ServerEntryUtils.toAttributesImpl( entry ), 
+                microOperations, 
+                ServerEntryUtils.toAttributesImpl( entryView ) );
         }
 
         // Deny access if no tuples left.
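Review bot: The three `ServerEntryUtils.toAttributesImpl( ... )` calls are evaluated again for every filter in the loop although `userEntry`, `entry` and `entryView` do not change between iterations, so each permission check rebuilds the same three attribute sets once per filter. Converting once before the loop avoids that, assuming no filter modifies the Attributes it is given; the locals would need the `javax.naming.directory.Attributes` import that this commit removes from the file. Separately, the Javadoc describes `entryView` as applying to Modify operations, so it may be null elsewhere, and whether `toAttributesImpl` accepts null is not visible here. The method body starts and ends outside this hunk.

```java
        // convert once; the filters still take JNDI Attributes
        Attributes userAttrs = ServerEntryUtils.toAttributesImpl( userEntry );
        Attributes entryAttrs = ServerEntryUtils.toAttributesImpl( entry );
        Attributes entryViewAttrs = ServerEntryUtils.toAttributesImpl( entryView );

        for ( ACITupleFilter filter : filters )
        {
            aciTuples = filter.filter(
                registries, aciTuples, scope, proxy, userGroupNames, userName,
                userAttrs, authenticationLevel, entryName, attrId, attrValue,
                entryAttrs, microOperations, entryViewAttrs );
        }
```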

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Sun Jan 20 08:59:10 2008
@@ -22,11 +22,11 @@
 
 import java.util.Collection;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
 import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
@@ -64,10 +64,11 @@
      * @throws NamingException if failed to filter the specific tuples
      */
     Collection<ACITuple> filter( 
+            Registries registries, 
             Collection<ACITuple> tuples, 
             OperationScope scope, 
             PartitionNexusProxy proxy,
-            Collection<Name> userGroupNames, 
+            Collection<LdapDN> userGroupNames, 
             LdapDN userName, 
             Attributes userEntry,
             AuthenticationLevel authenticationLevel, 

Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Sun Jan 20 08:59:10 2008
@@ -23,11 +23,11 @@
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.directory.Attributes;
 
 import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
@@ -44,10 +44,11 @@
 public class HighestPrecedenceFilter implements ACITupleFilter
 {
     public Collection<ACITuple> filter( 
+            Registries registries, 
     		Collection<ACITuple> tuples, 
     		OperationScope scope, 
     		PartitionNexusProxy proxy,
-            Collection<Name> userGroupNames, 
+            Collection<LdapDN> userGroupNames, 
             LdapDN userName, 
             Attributes userEntry, 
             AuthenticationLevel authenticationLevel,


