directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r662440 [2/8] - in /directory: apacheds/branches/bigbang/core-integ/src/main/java/org/apache/directory/server/core/integ/ apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authn/ apacheds/branches/bigbang/c...
Date Mon, 02 Jun 2008 14:00:26 GMT
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/DirectoryService.java Mon Jun  2 07:00:23 2008
@@ -34,9 +34,6 @@
 import org.apache.directory.shared.ldap.ldif.LdifEntry;
 import org.apache.directory.shared.ldap.name.LdapDN;
 
-import javax.naming.Context;
-import javax.naming.directory.Attributes;
-import javax.naming.ldap.LdapContext;
 import java.io.File;
 import java.util.List;
 import java.util.Set;
@@ -140,68 +137,38 @@
      */
     boolean isStarted();
 
-
-    /**
-     * Gets a JNDI {@link Context} to the RootDSE as an anonymous user.
-     * This bypasses authentication within the server.
-     *
-     * @return a JNDI context to the RootDSE
-     * @throws Exception if failed to create a context
-     */
-    LdapContext getJndiContext() throws Exception;
-
-
+    
     /**
-     * Gets a JNDI {@link Context} to a specific entry as an anonymous user.
-     * This bypasses authentication within the server.
+     * Gets a logical session to perform operations on this DirectoryService
+     * as the anonymous user.  This bypasses authentication without 
+     * propagating a bind operation into the core.
      *
-     * @param dn the distinguished name of the entry
-     * @return a JNDI context to the entry at the specified DN
-     * @throws Exception if failed to create a context
+     * @return a logical session as the anonymous user
      */
-    LdapContext getJndiContext( String dn ) throws Exception;
-
+    CoreSession getSession() throws Exception;
 
+    
     /**
-     * Gets a JNDI {@link Context} to the RootDSE as a specific LDAP user principal.
-     * This bypasses authentication within the server.
+     * Gets a logical session to perform operations on this DirectoryService
+     * as a specific user.  This bypasses authentication without propagating 
+     * a bind operation into the core.
      *
-     * @param principal the user to associate with the context
-     * @return a JNDI context to the RootDSE as a specific user
-     * @throws Exception if failed to create a context
+     * @return a logical session as a specific user
      */
-    LdapContext getJndiContext( LdapPrincipal principal ) throws Exception;
-
+    CoreSession getSession( LdapPrincipal principal ) throws Exception;
 
+    
     /**
-     * Gets a JNDI {@link Context} to a specific entry as a specific LDAP user principal.
-     * This bypasses authentication within the server.
+     * Gets a logical session to perform operations on this DirectoryService
+     * as a specific user with a separate authorization principal.  This 
+     * bypasses authentication without propagating a bind operation into the 
+     * core.
      *
-     * @param principal the user to associate with the context
-     * @param dn the distinguished name of the entry
-     * @return a JNDI context to the specified entry as a specific user
-     * @throws Exception if failed to create a context
+     * @return a logical session as a specific user
      */
-    LdapContext getJndiContext( LdapPrincipal principal, String dn ) throws Exception;
-
-
-    /**
-     * Returns a JNDI {@link Context} with the specified authentication information
-     * (<tt>principal</tt>, <tt>credential</tt>, and <tt>authentication</tt>) and
-     * <tt>baseName</tt>.
-     * 
-     * @param principalDn the distinguished name of the bind principal
-     * @param principal {@link Context#SECURITY_PRINCIPAL} value
-     * @param credential {@link Context#SECURITY_CREDENTIALS} value
-     * @param authentication {@link Context#SECURITY_AUTHENTICATION} value
-     * @param dn the distinguished name of the entry
-     * @return a JNDI context to the specified entry as a specific user
-     * @throws Exception if failed to create a context
-     */
-    LdapContext getJndiContext( LdapDN principalDn, String principal, byte[] credential,
-        String authentication, String dn ) throws Exception;
-
+    CoreSession getSession( LdapDN principalDn, byte[] credentials, String authentication ) throws Exception;
 
+    
     void setInstanceId( String instanceId );
 
 

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/OperationManager.java Mon Jun  2 07:00:23 2008
@@ -20,7 +20,6 @@
 package org.apache.directory.server.core;
 
 
-import java.util.Collection;
 import java.util.Iterator;
 
 import org.apache.directory.server.core.entry.ClonedServerEntry;
@@ -154,106 +153,4 @@
      * TODO document after determining if this method should be here.
      */
     void unbind( UnbindOperationContext opContext ) throws Exception;
-
-    
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    ClonedServerEntry getRootDSE( GetRootDSEOperationContext  opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    LdapDN getMatchedName( GetMatchedNameOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    LdapDN getSuffix ( GetSuffixOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    Iterator<String> listSuffixes( ListSuffixOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    boolean compare( CompareOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void delete( DeleteOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void add( AddOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void modify( ModifyOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    EntryFilteringCursor list( ListOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    EntryFilteringCursor search( SearchOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    ClonedServerEntry lookup( LookupOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    boolean hasEntry( EntryOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void rename( RenameOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void move( MoveOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void moveAndRename( MoveAndRenameOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-    
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void bind( BindOperationContext opContext, Collection<String> bypass ) throws Exception;
-
-    
-    /**
-     * TODO document after determining if this method should be here.
-     */
-    void unbind( UnbindOperationContext opContext, Collection<String> bypass ) throws Exception;
 }

Added: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java?rev=662440&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java (added)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/ReferralHandlingMode.java Mon Jun  2 07:00:23 2008
@@ -0,0 +1,47 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.server.core;
+
+
+/**
+ * Enumeration for referral handling modes.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public enum ReferralHandlingMode
+{
+    THROW( "throw" ), FOLLOW( "follow" ), IGNORE( "ignore" ), THROW_FINDING_BASE( "throw-finding-base" );
+    
+    
+    private final String jndiValue;
+    
+    
+    private ReferralHandlingMode( String jndiValue )
+    {
+        this.jndiValue = jndiValue;
+    }
+    
+    
+    public String getJndiValue()
+    {
+        return jndiValue;
+    }
+}

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AbstractAuthenticator.java Mon Jun  2 07:00:23 2008
@@ -21,11 +21,8 @@
 
 
 import org.apache.directory.server.core.DirectoryService;
-import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.shared.ldap.name.LdapDN;
 
-import javax.naming.NamingException;
-
 
 /**
  * Base class for all Authenticators.
@@ -74,7 +71,7 @@
      * @param directoryService the directory core for this authenticator
      * @throws NamingException if there is a problem starting up the authenticator
      */
-    public final void init( DirectoryService directoryService ) throws NamingException
+    public final void init( DirectoryService directoryService ) throws Exception
     {
         this.directoryService = directoryService;
         doInit();
@@ -115,14 +112,10 @@
     }
 
 
-    public abstract LdapPrincipal authenticate( LdapDN bindDn, ServerContext ctx ) throws NamingException;
-
-    
     /**
      * Does nothing leaving it so subclasses can override.
      */
     public void invalidateCache( LdapDN bindDn )
     {
     }
-
 }

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java Mon Jun  2 07:00:23 2008
@@ -22,10 +22,9 @@
 
 import javax.naming.NamingException;
 
-import org.apache.directory.server.core.jndi.ServerContext;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
-import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -49,7 +48,7 @@
      * If the context is not configured to allow anonymous connections,
      * this method throws a {@link javax.naming.NoPermissionException}.
      */
-    public LdapPrincipal authenticate( LdapDN bindDn, ServerContext ctx ) throws NamingException
+    public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
     {
         if ( getDirectoryService().isAllowAnonymousAccess() )
         {

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java Mon Jun  2 07:00:23 2008
@@ -29,6 +29,8 @@
 import java.util.Map;
 import java.util.Set;
 
+import org.apache.directory.server.core.CoreSession;
+import org.apache.directory.server.core.DefaultCoreSession;
 import org.apache.directory.server.core.DirectoryService;
 import org.apache.directory.server.core.entry.ClonedServerEntry;
 import org.apache.directory.server.core.filtering.EntryFilteringCursor;
@@ -51,17 +53,13 @@
 import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
 import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.LdapJndiProperties;
-import org.apache.directory.server.core.jndi.ServerContext;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.exception.LdapAuthenticationException;
 import org.apache.directory.shared.ldap.name.LdapDN;
 import org.apache.directory.shared.ldap.util.StringTools;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.naming.Context;
-
 
 /**
  * An {@link Interceptor} that authenticates users.
@@ -80,8 +78,12 @@
     private static final boolean IS_DEBUG = LOG.isDebugEnabled();
 
     private Set<Authenticator> authenticators;
-    private final Map<String, Collection<Authenticator>> authenticatorsMapByType = new HashMap<String, Collection<Authenticator>>();
+    private final Map<String, Collection<Authenticator>> authenticatorsMapByType = 
+        new HashMap<String, Collection<Authenticator>>();
 
+    private DirectoryService directoryService;
+    
+    
     /**
      * Creates an authentication service interceptor.
      */
@@ -89,12 +91,14 @@
     {
     }
 
+    
     /**
      * Registers and initializes all {@link Authenticator}s to this service.
      */
     public void init( DirectoryService directoryService ) throws Exception
     {
-
+        this.directoryService = directoryService;
+        
         if ( authenticators == null )
         {
             setDefaultAuthenticators();
@@ -106,6 +110,7 @@
         }
     }
 
+    
     private void setDefaultAuthenticators()
     {
         Set<Authenticator> set = new HashSet<Authenticator>();
@@ -122,6 +127,7 @@
         return authenticators;
     }
 
+    
     /**
      * @param authenticators authenticators to be used by this AuthenticationInterceptor
      * @org.apache.xbean.Property nestedType="org.apache.directory.server.core.authn.Authenticator"
@@ -131,6 +137,7 @@
         this.authenticators = authenticators;
     }
 
+    
     /**
      * Deinitializes and deregisters all {@link Authenticator}s from this service.
      */
@@ -145,6 +152,7 @@
         }
     }
 
+    
     /**
      * Initializes the specified {@link Authenticator} and registers it to
      * this service.
@@ -308,6 +316,7 @@
         return next.lookup( opContext );
     }
 
+    
     private void invalidateAuthenticatorCaches( LdapDN principalDn )
     {
         for ( String authMech : authenticatorsMapByType.keySet() )
@@ -403,65 +412,27 @@
      */
     private void checkAuthenticated( OperationContext operation ) throws Exception
     {
-        try
-        {
-            checkAuthenticated();
-        }
-        catch ( IllegalStateException ise )
+        if ( operation.getSession() == null || operation.getSession().getEffectivePrincipal() == null )
         {
             LOG.error( "Attempted operation {} by unauthenticated caller.", operation.getName() );
-
             throw new IllegalStateException( "Attempted operation by unauthenticated caller." );
         }
     }
 
-    private void checkAuthenticated() throws Exception
-    {
-        ServerContext ctx = ( ServerContext ) InvocationStack.getInstance().peek().getCaller();
-
-        if ( ctx.getPrincipal() != null )
-        {
-            if ( ctx.getEnvironment().containsKey( Context.SECURITY_CREDENTIALS ) )
-            {
-                ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
-            }
-
-            return;
-        }
-
-        throw new IllegalStateException( "Attempted operation by unauthenticated caller." );
-    }
 
     public void bind( NextInterceptor next, BindOperationContext opContext ) throws Exception
     {
-        // The DN is always normalized here
-        LdapDN normBindDn = opContext.getDn();
-        String bindUpDn = normBindDn.getUpName();
-
         if ( IS_DEBUG )
         {
-            LOG.debug( "Bind operation. bindDn: " + bindUpDn );
+            LOG.debug( "bind: principal: " + opContext.getPrincipalDn() );
         }
 
-        // check if we are already authenticated and if so we return making
-        // sure first that the credentials are not exposed within context
-        ServerContext ctx = ( ServerContext ) InvocationStack.getInstance().peek().getCaller();
-
-        if ( IS_DEBUG )
+        if ( opContext.getSession() != null && opContext.getSession().getEffectivePrincipal() != null )
         {
-            LOG.debug( "bind: principal: " + ctx.getPrincipal() );
+            // null out the credentials
+            opContext.setCredentials( null );
         }
-
-        if ( ctx.getPrincipal() != null )
-        {
-            if ( ctx.getEnvironment().containsKey( Context.SECURITY_CREDENTIALS ) )
-            {
-                ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
-            }
-
-            return;
-        }
-
+        
         // pick the first matching authenticator type
         Collection<Authenticator> authenticators = null;
 
@@ -484,12 +455,14 @@
 
             LOG.debug( "Nexus succeeded on bind operation." );
 
-            // bind succeeded if we got this far 
-            ctx.setPrincipal( new TrustedPrincipalWrapper( new LdapPrincipal( normBindDn, LdapJndiProperties
-                    .getAuthenticationLevel( ctx.getEnvironment() ) ) ) );
+            // bind succeeded if we got this far
+            // TODO - authentication level not being set
+            LdapPrincipal principal = new LdapPrincipal( opContext.getPrincipalDn(), AuthenticationLevel.SIMPLE );
+            CoreSession session = new DefaultCoreSession( principal, directoryService );
+            opContext.setSession( session );
 
             // remove creds so there is no security risk
-            ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
+            opContext.setCredentials( null );
             return;
         }
 
@@ -500,13 +473,14 @@
             try
             {
                 // perform the authentication
-                LdapPrincipal authorizationId = authenticator.authenticate( normBindDn, ctx );
+                LdapPrincipal principal = authenticator.authenticate( opContext );
 
                 // authentication was successful
-                ctx.setPrincipal( new TrustedPrincipalWrapper( authorizationId ) );
+                CoreSession session = new DefaultCoreSession( principal, directoryService );
+                opContext.setSession( session );
 
                 // remove creds so there is no security risk
-                ctx.removeFromEnvironment( Context.SECURITY_CREDENTIALS );
+                opContext.setCredentials( null );
 
                 return;
             }
@@ -515,7 +489,7 @@
                 // authentication failed, try the next authenticator
                 if ( LOG.isInfoEnabled() )
                 {
-                    LOG.info( "Authenticator " + authenticator.getClass() + " failed to authenticate " + bindUpDn );
+                    LOG.info( "Authenticator {} failed to authenticate: {}", authenticator, opContext );
                 }
             }
             catch ( Exception e )
@@ -523,7 +497,7 @@
                 // Log other exceptions than LdapAuthenticationException
                 if ( LOG.isWarnEnabled() )
                 {
-                    LOG.warn( "Unexpected exception from " + authenticator.getClass() + " for principal " + bindUpDn, e );
+                    LOG.info( "Unexpected failure for Authenticator {} : {}", authenticator, opContext );
                 }
             }
         }
@@ -535,47 +509,4 @@
 
         throw new LdapAuthenticationException();
     }
-
-    /**
-     * FIXME This doesn't secure anything actually.
-     * <p/>
-     * Created this wrapper to pass to ctx.setPrincipal() which is public for added
-     * security.  This adds more security because an instance of this class is not
-     * easily accessible whereas LdapPrincipals can be accessed easily from a context
-     * althought they cannot be instantiated outside of the authn package.  Malicious
-     * code may not be able to set the principal to what they would like but they
-     * could switch existing principals using the now public ServerContext.setPrincipal()
-     * method.  To avoid this we make sure that this metho takes a TrustedPrincipalWrapper
-     * as opposed to the LdapPrincipal.  Only this service can create and call setPrincipal
-     * with a TrustedPrincipalWrapper.
-     */
-    public final class TrustedPrincipalWrapper
-    {
-        /**
-         * the wrapped ldap principal
-         */
-        private final LdapPrincipal principal;
-
-
-        /**
-         * Creates a TrustedPrincipalWrapper around an LdapPrincipal.
-         *
-         * @param principal the LdapPrincipal to wrap
-         */
-        private TrustedPrincipalWrapper( LdapPrincipal principal )
-        {
-            this.principal = principal;
-        }
-
-
-        /**
-         * Gets the LdapPrincipal this TrustedPrincipalWrapper wraps.
-         *
-         * @return the wrapped LdapPrincipal
-         */
-        public LdapPrincipal getPrincipal()
-        {
-            return principal;
-        }
-    }
 }

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/Authenticator.java Mon Jun  2 07:00:23 2008
@@ -21,13 +21,11 @@
 
 
 import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
 import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.shared.ldap.name.LdapDN;
 
-import javax.naming.Context;
-import javax.naming.NamingException;
-
 
 /**
  * Authenticates users who access {@link PartitionNexus}.
@@ -58,7 +56,7 @@
      * Called by {@link AuthenticationInterceptor} to indicate that this
      * authenticator is being placed into service.
      */
-    public void init( DirectoryService directoryService ) throws NamingException;
+    public void init( DirectoryService directoryService ) throws Exception;
 
 
     /**
@@ -67,6 +65,7 @@
      */
     public void destroy();
 
+    
     /**
      * Callback used to respond to password changes by invalidating a password
      * cache if implemented.  This is an additional feature of an authenticator
@@ -77,8 +76,9 @@
      */
     public void invalidateCache( LdapDN bindDn );
 
+    
     /**
      * Performs authentication and returns the principal if succeeded.
      */
-    public LdapPrincipal authenticate( LdapDN bindDn, ServerContext ctx ) throws NamingException;
+    public LdapPrincipal authenticate( BindOperationContext opContext ) throws Exception;
 }

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java Mon Jun  2 07:00:23 2008
@@ -34,11 +34,7 @@
 import javax.naming.NamingException;
 
 import org.apache.commons.collections.map.LRUMap;
-import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
-import org.apache.directory.server.core.invocation.Invocation;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.ServerContext;
-import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
 import org.apache.directory.server.core.normalization.NormalizationInterceptor;
 import org.apache.directory.server.core.referral.ReferralInterceptor;
 import org.apache.directory.server.core.authz.AciAuthorizationInterceptor;
@@ -52,7 +48,6 @@
 import org.apache.directory.server.core.entry.ServerStringValue;
 import org.apache.directory.server.core.event.EventInterceptor;
 import org.apache.directory.server.core.trigger.TriggerInterceptor;
-import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.constants.LdapSecurityConstants;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
@@ -188,14 +183,13 @@
      * @return A byte array which can be empty if the password was not found
      * @throws NamingException If we have a problem during the lookup operation
      */
-    private LdapPrincipal getStoredPassword( Registries registries, LdapDN principalDN ) throws NamingException
+    private LdapPrincipal getStoredPassword( BindOperationContext opContext ) throws Exception
     {
-        LdapPrincipal principal;
-        String principalNorm = principalDN.getNormName();
+        LdapPrincipal principal = null;
         
         synchronized( credentialCache )
         {
-            principal = (LdapPrincipal)credentialCache.get( principalNorm );
+            principal = ( LdapPrincipal ) credentialCache.get( opContext.getPrincipalDn().getNormName() );
         }
         
         byte[] storedPassword;
@@ -204,7 +198,7 @@
         {
             // Not found in the cache
             // Get the user password from the backend
-            storedPassword = lookupUserPassword( registries, principalDN );
+            storedPassword = lookupUserPassword( opContext );
             
             
             // Deal with the special case where the user didn't enter a password
@@ -217,55 +211,18 @@
             }
 
             // Create the new principal before storing it in the cache
-            principal = new LdapPrincipal( principalDN, AuthenticationLevel.SIMPLE, storedPassword );
+            principal = new LdapPrincipal( opContext.getPrincipalDn(), AuthenticationLevel.SIMPLE, storedPassword );
             
             // Now, update the local cache.
             synchronized( credentialCache )
             {
-                credentialCache.put( principalDN.getNormName(), principal );
+                credentialCache.put( opContext.getPrincipalDn().getNormName(), principal );
             }
         }
         
         return principal;
     }
 
-    /**
-     * Get the user credentials from the environment. It is stored into the
-     * ServcerContext.
-     *
-     * @param ctx the naming context to get the credentials from
-     * @return the credentials
-     * @throws LdapAuthenticationException if the there are probelms with security
-     * credentials provided
-     */
-    private byte[] getCredentials( ServerContext ctx ) throws LdapAuthenticationException
-    {
-        Object creds = ctx.getEnvironment().get( Context.SECURITY_CREDENTIALS );
-        byte[] credentials;
-
-        if ( creds == null )
-        {
-            credentials = ArrayUtils.EMPTY_BYTE_ARRAY;
-        }
-        else if ( creds instanceof String )
-        {
-            credentials = StringTools.getBytesUtf8( ( String ) creds );
-        }
-        else if ( creds instanceof byte[] )
-        {
-            // This is the general case. When dealing with a BindRequest operation,
-            // received by the server, the credentials are always stored into a byte array
-            credentials = (byte[])creds;
-        }
-        else
-        {
-            LOG.info( "Incorrect credentials stored in {}", Context.SECURITY_CREDENTIALS );
-            throw new LdapAuthenticationException();
-        }
-        
-        return credentials;
-    }
-
 
     /**
      * Looks up <tt>userPassword</tt> attribute of the entry whose name is the
@@ -297,17 +254,17 @@
      *  
      *  The stored password is always using the unsalted form, and is stored as a bytes array.
      */
-    public LdapPrincipal authenticate( LdapDN principalDn, ServerContext ctx ) throws NamingException
+    public LdapPrincipal authenticate( BindOperationContext opContext ) throws Exception
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Authenticating {}", principalDn );
+            LOG.debug( "Authenticating {}", opContext.getPrincipalDn() );
         }
         
         // ---- extract password from JNDI environment
-        byte[] credentials = getCredentials( ctx );
+        byte[] credentials = opContext.getCredentials();
         
-        LdapPrincipal principal = getStoredPassword( getDirectoryService().getRegistries(), principalDn );
+        LdapPrincipal principal = getStoredPassword( opContext );
         
         // Get the stored password, either from cache or from backend
         byte[] storedPassword = principal.getUserPassword();
@@ -318,7 +275,7 @@
         {
             if ( IS_DEBUG )
             {
-                LOG.debug( "{} Authenticated", principalDn );
+                LOG.debug( "{} Authenticated", opContext.getPrincipalDn() );
             }
             
         	return principal;
@@ -347,7 +304,7 @@
             {
                 if ( IS_DEBUG )
                 {
-                    LOG.debug( "{} Authenticated", principalDn );
+                    LOG.debug( "{} Authenticated", opContext.getPrincipalDn() );
                 }
 
                 return principal;
@@ -355,7 +312,7 @@
             else
             {
                 // Bad password ...
-                String message = "Password not correct for user '" + principalDn.getUpName() + "'";
+                String message = "Password not correct for user '" + opContext.getPrincipalDn().getUpName() + "'";
                 LOG.info( message );
                 throw new LdapAuthenticationException(message);
             }
@@ -363,7 +320,7 @@
         else
         {
             // Bad password ...
-            String message = "Password not correct for user '" + principalDn.getUpName() + "'";
+            String message = "Password not correct for user '" + opContext.getPrincipalDn().getUpName() + "'";
             LOG.info( message );
             throw new LdapAuthenticationException(message);
         }
@@ -576,23 +533,19 @@
      * @return the credentials from the backend
      * @throws NamingException if there are problems accessing backend
      */
-    private byte[] lookupUserPassword( Registries registries, LdapDN principalDn ) throws NamingException
+    private byte[] lookupUserPassword( BindOperationContext opContext ) throws Exception
     {
         // ---- lookup the principal entry's userPassword attribute
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
         ServerEntry userEntry;
 
         try
         {
-            LookupOperationContext lookupContex  = new LookupOperationContext( registries, new String[] { SchemaConstants.USER_PASSWORD_AT_OID } );
-            lookupContex.setDn( principalDn );
-            
-            userEntry = proxy.lookup( lookupContex, USERLOOKUP_BYPASS ); 
+            userEntry = opContext.lookup( opContext.getPrincipalDn(), USERLOOKUP_BYPASS );
 
             if ( userEntry == null )
             {
-                throw new LdapAuthenticationException( "Failed to lookup user for authentication: " + principalDn );
+                throw new LdapAuthenticationException( "Failed to lookup user for authentication: " 
+                    + opContext.getPrincipalDn() );
             }
         }
         catch ( Exception cause )

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authn/StrongAuthenticator.java Mon Jun  2 07:00:23 2008
@@ -22,9 +22,8 @@
 
 import javax.naming.NamingException;
 
-import org.apache.directory.server.core.jndi.ServerContext;
+import org.apache.directory.server.core.interceptor.context.BindOperationContext;
 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
-import org.apache.directory.shared.ldap.name.LdapDN;
 
 
 /**
@@ -51,9 +50,9 @@
      * User has already been authenticated during SASL negotiation.  Set the authentication level
      * to strong and return an {@link LdapPrincipal}.
      */
-    public LdapPrincipal authenticate( LdapDN principalDn, ServerContext ctx ) throws NamingException
+    public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
     {
         // Possibly check if user account is disabled, other account checks.
-        return new LdapPrincipal( principalDn, AuthenticationLevel.STRONG );
+        return new LdapPrincipal( opContext.getPrincipalDn(), AuthenticationLevel.STRONG );
     }
 }

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Mon Jun  2 07:00:23 2008
@@ -21,6 +21,8 @@
 
 
 import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.directory.server.core.CoreSession;
+import org.apache.directory.server.core.DefaultCoreSession;
 import org.apache.directory.server.core.DirectoryService;
 import org.apache.directory.server.core.authn.LdapPrincipal;
 import org.apache.directory.server.core.authz.support.ACDFEngine;
@@ -43,14 +45,11 @@
 import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
 import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
 import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
+import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
 import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
 import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
-import org.apache.directory.server.core.invocation.Invocation;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.ServerContext;
-import org.apache.directory.server.core.jndi.ServerLdapContext;
-import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.core.partition.ByPassConstants;
 import org.apache.directory.server.core.subtree.SubentryInterceptor;
 import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
@@ -60,6 +59,7 @@
 import org.apache.directory.shared.ldap.aci.ACIItemParser;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.entry.EntryAttribute;
 import org.apache.directory.shared.ldap.entry.Modification;
@@ -202,8 +202,13 @@
     {
         super.init( directoryService );
 
-        tupleCache = new TupleCache( directoryService );
-        groupCache = new GroupCache( directoryService );
+        LdapDN adminDn = new LdapDN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
+        adminDn.normalize( directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
+        CoreSession adminSession = new DefaultCoreSession( 
+            new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService );
+
+        tupleCache = new TupleCache( adminSession );
+        groupCache = new GroupCache( adminSession );
         registries = directoryService.getRegistries();
         atRegistry = registries.getAttributeTypeRegistry();
         OidRegistry oidRegistry = registries.getOidRegistry();
@@ -269,7 +274,7 @@
      * @throws Exception if there are problems accessing attribute values
      * @param proxy the partition nexus proxy object
      */
-    private void addPerscriptiveAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn,
+    private void addPerscriptiveAciTuples( OperationContext opContext, Collection<ACITuple> tuples, LdapDN dn,
         ServerEntry entry ) throws Exception
     {
         EntryAttribute oc = entry.get( objectClassType );
@@ -287,7 +292,7 @@
         {
             LdapDN parentDn = ( LdapDN ) dn.clone();
             parentDn.remove( dn.size() - 1 );
-            entry = proxy.lookup( new LookupOperationContext( registries, parentDn), PartitionNexusProxy.LOOKUP_BYPASS );
+            entry = opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS );
         }
 
         EntryAttribute subentries = entry.get( acSubentryType );
@@ -353,7 +358,7 @@
      * @throws Exception if there are problems accessing attribute values
      * @param proxy the partition nexus proxy object
      */
-    private void addSubentryAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn, ServerEntry entry )
+    private void addSubentryAciTuples( OperationContext opContext, Collection<ACITuple> tuples, LdapDN dn, ServerEntry entry )
         throws Exception
     {
         // only perform this for subentries
@@ -366,14 +371,8 @@
         // will contain the subentryACI attributes that effect subentries
         LdapDN parentDn = ( LdapDN ) dn.clone();
         parentDn.remove( dn.size() - 1 );
-        ServerEntry administrativeEntry =  
-            proxy.lookup( 
-        		new LookupOperationContext( 
-        		    registries, 
-        		    parentDn, 
-        		    new String[]
-        		               { SchemaConstants.SUBENTRY_ACI_AT }) , 
-        		PartitionNexusProxy.LOOKUP_BYPASS ).getOriginalEntry();
+        ServerEntry administrativeEntry = opContext.lookup( parentDn, 
+            Collections.singletonList( SchemaConstants.SUBENTRY_ACI_AT ) ).getOriginalEntry();
         
         EntryAttribute subentryAci = administrativeEntry.get( subentryAciType );
 
@@ -427,8 +426,7 @@
     public void add( NextInterceptor next, AddOperationContext addContext ) throws Exception
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = addContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
         
         ServerEntry serverEntry = addContext.getEntry(); 
@@ -467,12 +465,11 @@
 
         // Build the total collection of tuples to be considered for add rights
         // NOTE: entryACI are NOT considered in adds (it would be a security breech)
-        addPerscriptiveAciTuples( invocation.getProxy(), tuples, name, subentryAttrs );
-        addSubentryAciTuples( invocation.getProxy(), tuples, name, subentryAttrs );
+        addPerscriptiveAciTuples( addContext, tuples, name, subentryAttrs );
+        addSubentryAciTuples( addContext, tuples, name, subentryAttrs );
 
         // check if entry scope permission is granted
-        PartitionNexusProxy proxy = invocation.getProxy();
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, addContext, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             ADD_PERMS, tuples, subentryAttrs, null );
 
         // now we must check if attribute type and value scope permission is granted
@@ -480,8 +477,9 @@
         {
             for ( Value<?> value:attribute )
             {
-                engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attribute
-                    .getUpId(), value, ADD_PERMS, tuples, serverEntry, null );
+                engine.checkPermission( registries, addContext, userGroups, principalDn, 
+                    principal.getAuthenticationLevel(), name, attribute.getUpId(), value, 
+                    ADD_PERMS, tuples, serverEntry, null );
             }
         }
 
@@ -505,11 +503,7 @@
     {
     	LdapDN name = deleteContext.getDn();
     	
-        // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
-
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = deleteContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
@@ -519,7 +513,7 @@
             return;
         }
 
-        ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ) , PartitionNexusProxy.LOOKUP_BYPASS );
+        ClonedServerEntry entry = deleteContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
 
         protectCriticalEntries( name );
 
@@ -534,12 +528,12 @@
 
         Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, name, entry );
+        addPerscriptiveAciTuples( deleteContext, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( proxy, tuples, name, entry );
+        addSubentryAciTuples( deleteContext, tuples, name, entry );
 
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
-            REMOVE_PERMS, tuples, entry, null );
+        engine.checkPermission( registries, deleteContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), name, null, null, REMOVE_PERMS, tuples, entry, null );
 
         next.delete( deleteContext );
         tupleCache.subentryDeleted( name, entry );
@@ -549,15 +543,12 @@
 
     public void modify( NextInterceptor next, ModifyOperationContext opContext ) throws Exception
     {
-        // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
         LdapDN name = opContext.getDn();
 
         // Access the principal requesting the operation, and bypass checks if it is the admin
-        ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+        ClonedServerEntry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
         
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
@@ -576,7 +567,7 @@
             /**
              * @TODO: A virtual entry can be created here for not hitting the backend again.
              */
-            ServerEntry modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+            ServerEntry modifiedEntry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
             tupleCache.subentryModified( name, mods, modifiedEntry );
             groupCache.groupModified( name, mods, entry, registries );
             return;
@@ -584,11 +575,12 @@
 
         Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, name, entry );
+        addPerscriptiveAciTuples( opContext, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( proxy, tuples, name, entry );
+        addSubentryAciTuples( opContext, tuples, name, entry );
 
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, opContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), name, null, null, 
             Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );
 
         Collection<MicroOperation> perms = null;
@@ -607,7 +599,7 @@
                     if ( entry.get( attr.getId() ) == null )
                     {
                         // ... we also need to check if adding the attribute is permitted
-                        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+                        engine.checkPermission( registries, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), name,
                                 attr.getId(), null, perms, tuples, entry, null );
                     }
                     
@@ -623,8 +615,9 @@
                         if ( entryAttr.size() == 1 )
                         {
                             // ... we also need to check if removing the attribute at all is permitted
-                            engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
-                                    attr.getId(), null, perms, tuples, entry, null );
+                            engine.checkPermission( registries, opContext, userGroups, principalDn, 
+                                principal.getAuthenticationLevel(), name, attr.getId(), 
+                                null, perms, tuples, entry, null );
                         }
                     }
                     
@@ -652,8 +645,9 @@
             
             for ( Value<?> value:attr )
             {                
-                engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
-                        attr.getId(), value, perms, tuples, entry, entryView );
+                engine.checkPermission( registries, opContext, userGroups, principalDn, 
+                    principal.getAuthenticationLevel(), name, attr.getId(), value, 
+                    perms, tuples, entry, entryView );
             }
         }
 
@@ -663,21 +657,20 @@
         /**
          * @TODO: A virtual entry can be created here for not hitting the backend again.
          */
-        ServerEntry modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry modifiedEntry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
         tupleCache.subentryModified( name, mods, modifiedEntry );
         groupCache.groupModified( name, mods, entry, registries );
     }
 
+    
     public boolean hasEntry( NextInterceptor next, EntryOperationContext entryContext ) throws Exception
     {
         LdapDN name = entryContext.getDn();
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
         
-        ClonedServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+        ClonedServerEntry entry = entryContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
             
         
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = entryContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
 
         if ( isPrincipalAnAdministrator( principalDn ) || !enabled || ( name.size() == 0 ) ) // no checks on the rootdse
@@ -688,12 +681,13 @@
 
         Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, name, entry.getOriginalEntry() );
+        addPerscriptiveAciTuples( entryContext, tuples, name, entry.getOriginalEntry() );
         addEntryAciTuples( tuples, entry.getOriginalEntry() );
-        addSubentryAciTuples( proxy, tuples, name, entry.getOriginalEntry() );
+        addSubentryAciTuples( entryContext, tuples, name, entry.getOriginalEntry() );
 
         // check that we have browse access to the entry
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, entryContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), name, null, null,
             BROWSE_PERMS, tuples, entry.getOriginalEntry(), null );
 
         return next.hasEntry( entryContext );
@@ -715,24 +709,25 @@
      * @param entry the raw entry pulled from the nexus
      * @throws Exception if undlying access to the DIT fails
      */
-    private void checkLookupAccess( LdapPrincipal principal, LdapDN dn, ServerEntry entry ) throws Exception
+    private void checkLookupAccess( LookupOperationContext lookupContext, ServerEntry entry ) throws Exception
     {
         // no permissions checks on the RootDSE
-        if ( dn.toString().trim().equals( "" ) )
+        if ( lookupContext.getDn().toString().trim().equals( "" ) )
         {
             return;
         }
 
-        PartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
+        LdapPrincipal principal = lookupContext.getSession().getEffectivePrincipal();
         LdapDN userName = principal.getJndiName();
         Set<LdapDN> userGroups = groupCache.getGroups( userName.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, dn, entry );
+        addPerscriptiveAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( proxy, tuples, dn, entry );
+        addSubentryAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
 
         // check that we have read access to the entry
-        engine.checkPermission( registries, proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null, null,
+        engine.checkPermission( registries, lookupContext, userGroups, userName, principal.getAuthenticationLevel(), 
+            lookupContext.getDn(), null, null,
             LOOKUP_PERMS, tuples, entry, null );
 
         // check that we have read access to every attribute type and value
@@ -743,11 +738,11 @@
             {
                 engine.checkPermission( 
                     registries, 
-                    proxy, 
+                    lookupContext, 
                     userGroups, 
                     userName, 
                     principal.getAuthenticationLevel(), 
-                    dn, 
+                    lookupContext.getDn(), 
                     attribute.getUpId(), 
                     value, 
                     READ_PERMS, 
@@ -761,8 +756,7 @@
 
     public ClonedServerEntry lookup( NextInterceptor next, LookupOperationContext lookupContext ) throws Exception
     {
-        Invocation invocation = InvocationStack.getInstance().peek();
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = lookupContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
         
         if ( !principalDn.isNormalized() )
@@ -775,24 +769,22 @@
             return next.lookup( lookupContext );
         }
 
-        PartitionNexusProxy proxy = invocation.getProxy();
-        ServerEntry entry = proxy.lookup( lookupContext, PartitionNexusProxy.LOOKUP_BYPASS );
+        lookupContext.setByPassed( ByPassConstants.LOOKUP_BYPASS );
+        ServerEntry entry = lookupContext.getSession().getDirectoryService()
+            .getOperationManager().lookup( lookupContext );
 
-        checkLookupAccess( principal, lookupContext.getDn(), entry );
+        checkLookupAccess( lookupContext, entry );
         return next.lookup( lookupContext );
     }
 
+    
     public void rename( NextInterceptor next, RenameOperationContext renameContext ) throws Exception
     {
         LdapDN name = renameContext.getDn();
 
-        // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
+        ServerEntry entry = renameContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
         
-        ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
-        
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = renameContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
         LdapDN newName = ( LdapDN ) name.clone();
         newName.remove( name.size() - 1 );
@@ -822,11 +814,12 @@
 
         Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, name, entry );
+        addPerscriptiveAciTuples( renameContext, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( proxy, tuples, name, entry );
+        addSubentryAciTuples( renameContext, tuples, name, entry );
 
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, renameContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), name, null, null,
             RENAME_PERMS, tuples, entry, null );
 
         next.rename( renameContext );
@@ -841,13 +834,9 @@
         LdapDN oriChildName = moveAndRenameContext.getDn();
         LdapDN newParentName = moveAndRenameContext.getParent();
 
-        // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
+        ServerEntry entry = moveAndRenameContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS );
         
-        ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
-        
-            LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = moveAndRenameContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
         LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( moveAndRenameContext.getNewRdn().getUpName() );
@@ -872,11 +861,12 @@
 
         Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
+        addPerscriptiveAciTuples( moveAndRenameContext, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( proxy, tuples, oriChildName, entry );
+        addSubentryAciTuples( moveAndRenameContext, tuples, oriChildName, entry );
 
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+        engine.checkPermission( registries, moveAndRenameContext, userGroups, 
+            principalDn, principal.getAuthenticationLevel(), oriChildName, null,
             null, MOVERENAME_PERMS, tuples, entry, null );
 
         // Get the entry again without operational attributes
@@ -884,10 +874,9 @@
         // will not be valid at the new location.
         // This will certainly be fixed by the SubentryInterceptor,
         // but after this service.
-        ServerEntry importedEntry = proxy.lookup( 
-            new LookupOperationContext( registries, oriChildName ), 
-                PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
-            
+        
+        ClonedServerEntry importedEntry = moveAndRenameContext.lookup( oriChildName, 
+            ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
         
         // As the target entry does not exist yet and so
         // its subentry operational attributes are not there,
@@ -904,10 +893,11 @@
         
         Collection<ACITuple> destTuples = new HashSet<ACITuple>();
         // Import permission is only valid for prescriptive ACIs
-        addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+        addPerscriptiveAciTuples( moveAndRenameContext, destTuples, newName, subentryAttrs );
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+        engine.checkPermission( registries, moveAndRenameContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), newName, null,
             null, IMPORT_PERMS, destTuples, subentryAttrs, null );
 
 
@@ -923,13 +913,11 @@
         LdapDN newParentName = moveContext.getParent();
         
         // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
-        ServerEntry entry = proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
+        ServerEntry entry = moveContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS );
        
         LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( oriChildName.get( oriChildName.size() - 1 ) );
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = moveContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
@@ -952,11 +940,12 @@
 
         Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
+        addPerscriptiveAciTuples( moveContext, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( proxy, tuples, oriChildName, entry );
+        addSubentryAciTuples( moveContext, tuples, oriChildName, entry );
 
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+        engine.checkPermission( registries, moveContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), oriChildName, null,
             null, EXPORT_PERMS, tuples, entry, null );
         
         // Get the entry again without operational attributes
@@ -964,16 +953,16 @@
         // will not be valid at the new location.
         // This will certainly be fixed by the SubentryInterceptor,
         // but after this service.
-        ServerEntry importedEntry = proxy.lookup( 
-            new LookupOperationContext( registries, oriChildName ), 
-                PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+        ServerEntry importedEntry = moveContext.lookup( oriChildName, 
+            ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
             
         // As the target entry does not exist yet and so
         // its subentry operational attributes are not there,
         // we need to construct an entry to represent it
         // at least with minimal requirements which are object class
         // and access control subentry operational attributes.
-        SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
+        SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) 
+            chain.get( SubentryInterceptor.class.getName() );
         ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
         
         for ( EntryAttribute attribute:importedEntry )
@@ -983,10 +972,11 @@
         
         Collection<ACITuple> destTuples = new HashSet<ACITuple>();
         // Import permission is only valid for prescriptive ACIs
-        addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+        addPerscriptiveAciTuples( moveContext, destTuples, newName, subentryAttrs );
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+        engine.checkPermission( registries, moveContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), newName, null,
             null, IMPORT_PERMS, destTuples, subentryAttrs, null );
 
         next.move( moveContext );
@@ -997,9 +987,7 @@
     
     public EntryFilteringCursor list( NextInterceptor next, ListOperationContext opContext ) throws Exception
     {
-        Invocation invocation = InvocationStack.getInstance().peek();
-        ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
-        LdapPrincipal user = ctx.getPrincipal();
+        LdapPrincipal user = opContext.getSession().getEffectivePrincipal();
         EntryFilteringCursor cursor = next.list( opContext );
         
         if ( isPrincipalAnAdministrator( user.getJndiName() ) || !enabled )
@@ -1015,9 +1003,7 @@
 
     public EntryFilteringCursor search( NextInterceptor next, SearchOperationContext opContext ) throws Exception
     {
-        Invocation invocation = InvocationStack.getInstance().peek();
-        ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
-        LdapPrincipal user = ctx.getPrincipal();
+        LdapPrincipal user = opContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = user.getJndiName();
         EntryFilteringCursor cursor = next.search( opContext );
 
@@ -1046,15 +1032,10 @@
     	LdapDN name = opContext.getDn();
     	String oid = opContext.getOid();
     	Value<?> value = (Value<?>)opContext.getValue();
-    	
-        // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
-        ServerEntry entry = proxy.lookup( 
-        		new LookupOperationContext( registries, name ), 
-        		PartitionNexusProxy.LOOKUP_BYPASS );
 
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        ClonedServerEntry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
+
+        LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
 
         if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
@@ -1064,13 +1045,15 @@
 
         Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( proxy, tuples, name, entry );
+        addPerscriptiveAciTuples( opContext, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( proxy, tuples, name, entry );
+        addSubentryAciTuples( opContext, tuples, name, entry );
 
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( registries, opContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), name, null, null,
             READ_PERMS, tuples, entry, null );
-        engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, oid, value,
+        engine.checkPermission( registries, opContext, userGroups, principalDn, 
+            principal.getAuthenticationLevel(), name, oid, value,
             COMPARE_PERMS, tuples, entry, null );
 
         return next.compare( opContext );
@@ -1080,9 +1063,7 @@
     public LdapDN getMatchedName ( NextInterceptor next, GetMatchedNameOperationContext opContext ) throws Exception
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
-        Invocation invocation = InvocationStack.getInstance().peek();
-        PartitionNexusProxy proxy = invocation.getProxy();
-        LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+        LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
         LdapDN principalDn = principal.getJndiName();
         
         if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
@@ -1099,15 +1080,16 @@
         // that but if permission is granted then short the process and return the dn
         while ( matched.size() > 0 )
         {
-            entry = proxy.lookup( new LookupOperationContext( registries, matched ), PartitionNexusProxy.GETMATCHEDDN_BYPASS );
+            entry = opContext.lookup( matched, ByPassConstants.GETMATCHEDDN_BYPASS );
             
             Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
             Collection<ACITuple> tuples = new HashSet<ACITuple>();
-            addPerscriptiveAciTuples( proxy, tuples, matched, entry );
+            addPerscriptiveAciTuples( opContext, tuples, matched, entry );
             addEntryAciTuples( tuples, entry );
-            addSubentryAciTuples( proxy, tuples, matched, entry );
+            addSubentryAciTuples( opContext, tuples, matched, entry );
 
-            if ( engine.hasPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), matched, null,
+            if ( engine.hasPermission( registries, opContext, userGroups, principalDn, 
+                principal.getAuthenticationLevel(), matched, null,
                 null, MATCHEDNAME_PERMS, tuples, entry, null ) )
             {
                 return matched;
@@ -1126,7 +1108,8 @@
     }
 
 
-    private boolean filter( Invocation invocation, LdapDN normName, ClonedServerEntry clonedEntry ) throws Exception
+    private boolean filter( OperationContext opContext, LdapDN normName, ClonedServerEntry clonedEntry ) 
+        throws Exception
     {
         /*
          * First call hasPermission() for entry level "Browse" and "ReturnDN" perm
@@ -1134,20 +1117,20 @@
          * process and return false.
          */
         
-        ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
-        LdapDN userDn = ctx.getPrincipal().getJndiName();
+        LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
+        LdapDN userDn = principal.getJndiName();
         Set<LdapDN> userGroups = groupCache.getGroups( userDn.toNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, clonedEntry.getOriginalEntry() );
+        addPerscriptiveAciTuples( opContext, tuples, normName, clonedEntry.getOriginalEntry() );
         addEntryAciTuples( tuples, clonedEntry.getOriginalEntry() );
-        addSubentryAciTuples( invocation.getProxy(), tuples, normName, clonedEntry.getOriginalEntry() );
+        addSubentryAciTuples( opContext, tuples, normName, clonedEntry.getOriginalEntry() );
 
         if ( !engine.hasPermission( 
                         registries, 
-                        invocation.getProxy(), 
+                        opContext, 
                         userGroups, 
                         userDn, 
-                        ctx.getPrincipal().getAuthenticationLevel(), 
+                        principal.getAuthenticationLevel(), 
                         normName, 
                         null, 
                         null, 
@@ -1176,10 +1159,10 @@
         
             if ( !engine.hasPermission( 
                         registries, 
-                        invocation.getProxy(), 
+                        opContext, 
                         userGroups, 
                         userDn,
-                        ctx.getPrincipal().getAuthenticationLevel(), 
+                        principal.getAuthenticationLevel(), 
                         normName, 
                         id, 
                         null, 
@@ -1200,10 +1183,10 @@
             {
                 if ( !engine.hasPermission( 
                         registries, 
-                        invocation.getProxy(), 
+                        opContext, 
                         userGroups, 
                         userDn, 
-                        ctx.getPrincipal().getAuthenticationLevel(), 
+                        principal.getAuthenticationLevel(), 
                         normName, 
                         attr.getUpId(), 
                         value, 
@@ -1245,7 +1228,7 @@
             throws Exception
         {
             LdapDN normName = entry.getDn().normalize( atRegistry.getNormalizerMapping() );
-            return filter( operationContext.getInvocation(), normName, entry );
+            return filter( operationContext, normName, entry );
         }
     }
 }

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java Mon Jun  2 07:00:23 2008
@@ -21,7 +21,10 @@
 
 
 import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.directory.server.core.CoreSession;
+import org.apache.directory.server.core.DefaultCoreSession;
 import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.authn.LdapPrincipal;
 import org.apache.directory.server.core.entry.ClonedServerEntry;
 import org.apache.directory.server.core.entry.ServerEntry;
 import org.apache.directory.server.core.filtering.EntryFilter;
@@ -35,15 +38,13 @@
 import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
 import org.apache.directory.server.core.interceptor.context.MoveAndRenameOperationContext;
 import org.apache.directory.server.core.interceptor.context.MoveOperationContext;
+import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.server.core.interceptor.context.RenameOperationContext;
 import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
 import org.apache.directory.server.core.interceptor.context.SearchingOperationContext;
-import org.apache.directory.server.core.invocation.Invocation;
-import org.apache.directory.server.core.invocation.InvocationStack;
-import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
-import org.apache.directory.server.schema.registries.Registries;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.entry.EntryAttribute;
 import org.apache.directory.shared.ldap.entry.Value;
@@ -55,7 +56,6 @@
 import org.slf4j.LoggerFactory;
 
 import javax.naming.NoPermissionException;
-import javax.naming.ldap.LdapContext;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -137,15 +137,20 @@
         
         uniqueMemberAT = attrRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
         
-        loadAdministrators( directoryService.getRegistries() );
+        loadAdministrators( directoryService );
     }
     
     
-    private void loadAdministrators( Registries registries ) throws Exception
+    private void loadAdministrators( DirectoryService directoryService ) throws Exception
     {
         // read in the administrators and cache their normalized names
         Set<String> newAdministrators = new HashSet<String>( 2 );
-        ServerEntry adminGroup = nexus.lookup( new LookupOperationContext( registries, ADMIN_GROUP_DN ) );
+        LdapDN adminDn = new LdapDN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
+        adminDn.normalize( directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
+        CoreSession adminSession = new DefaultCoreSession( 
+            new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService );
+
+        ServerEntry adminGroup = nexus.lookup( new LookupOperationContext( adminSession, ADMIN_GROUP_DN ) );
         
         if ( adminGroup == null )
         {
@@ -268,7 +273,7 @@
             // update administrators if we change administrators group
             if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
             {
-                loadAdministrators( opContext.getRegistries() );
+                loadAdministrators( opContext.getSession().getDirectoryService() );
             }
         }
         else
@@ -432,16 +437,13 @@
             return serverEntry;
         }
 
-        protectLookUp( opContext.getDn() );
+        protectLookUp( opContext.getSession().getEffectivePrincipal().getJndiName(), opContext.getDn() );
         return serverEntry;
     }
 
 
-    private void protectLookUp( LdapDN normalizedDn ) throws Exception
+    private void protectLookUp( LdapDN principalDn, LdapDN normalizedDn ) throws Exception
     {
-        LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
-        LdapDN principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
-        
         if ( !isAnAdministrator( principalDn ) )
         {
             if ( normalizedDn.size() > 2 )
@@ -507,7 +509,7 @@
         cursor.addEntryFilter( new EntryFilter() {
             public boolean accept( SearchingOperationContext operation, ClonedServerEntry result ) throws Exception
             {
-                return DefaultAuthorizationInterceptor.this.isSearchable( operation.getInvocation(), result );
+                return DefaultAuthorizationInterceptor.this.isSearchable( operation, result );
             }
         } );
         return cursor;
@@ -527,16 +529,16 @@
         {
             public boolean accept( SearchingOperationContext operation, ClonedServerEntry entry ) throws Exception
             {
-                return DefaultAuthorizationInterceptor.this.isSearchable( operation.getInvocation(), entry );
+                return DefaultAuthorizationInterceptor.this.isSearchable( operation, entry );
             }
         } );
         return cursor;
     }
 
 
-    private boolean isSearchable( Invocation invocation, ClonedServerEntry result ) throws Exception
+    private boolean isSearchable( OperationContext opContext, ClonedServerEntry result ) throws Exception
     {
-        LdapDN principalDn = ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName();
+        LdapDN principalDn = opContext.getSession().getEffectivePrincipal().getJndiName();
         LdapDN dn = result.getDn();
         
         if ( !dn.isNormalized() )

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java Mon Jun  2 07:00:23 2008
@@ -28,7 +28,7 @@
 import java.util.Set;
 
 import org.apache.directory.server.constants.ServerDNConstants;
-import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.CoreSession;
 import org.apache.directory.server.core.entry.ServerAttribute;
 import org.apache.directory.server.core.entry.ServerEntry;
 import org.apache.directory.server.core.filtering.EntryFilteringCursor;
@@ -99,11 +99,12 @@
      * @param directoryService the directory service core
      * @throws NamingException if there are failures on initialization 
      */
-    public GroupCache( DirectoryService directoryService ) throws Exception
+    public GroupCache( CoreSession session ) throws Exception
     {
-        normalizerMap = directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping();
-        nexus = directoryService.getPartitionNexus();
-        AttributeTypeRegistry attributeTypeRegistry = directoryService.getRegistries().getAttributeTypeRegistry();
+        normalizerMap = session.getDirectoryService().getRegistries().getAttributeTypeRegistry().getNormalizerMapping();
+        nexus = session.getDirectoryService().getPartitionNexus();
+        AttributeTypeRegistry attributeTypeRegistry = session.getDirectoryService()
+            .getRegistries().getAttributeTypeRegistry();
 
         memberAT = attributeTypeRegistry.lookup( SchemaConstants.MEMBER_AT_OID );
         uniqueMemberAT = attributeTypeRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
@@ -111,7 +112,7 @@
         // stuff for dealing with the admin group
         administratorsGroupDn = parseNormalized( ServerDNConstants.ADMINISTRATORS_GROUP_DN );
 
-        initialize( directoryService.getRegistries() );
+        initialize( session );
     }
 
 
@@ -123,7 +124,7 @@
     }
 
 
-    private void initialize( Registries registries ) throws Exception
+    private void initialize( CoreSession session ) throws Exception
     {
         // search all naming contexts for static groups and generate
         // normalized sets of members to cache within the map
@@ -142,7 +143,9 @@
             LdapDN baseDn = new LdapDN( suffix );
             SearchControls ctls = new SearchControls();
             ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
-            EntryFilteringCursor results = nexus.search( new SearchOperationContext( registries,
+            
+            
+            EntryFilteringCursor results = nexus.search( new SearchOperationContext( session,
                 baseDn, AliasDerefMode.DEREF_ALWAYS, filter, ctls ) );
 
             while ( results.next() )

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java?rev=662440&r1=662439&r2=662440&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java Mon Jun  2 07:00:23 2008
@@ -20,7 +20,7 @@
 package org.apache.directory.server.core.authz;
 
 
-import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.CoreSession;
 import org.apache.directory.server.core.entry.ServerAttribute;
 import org.apache.directory.server.core.entry.ServerEntry;
 import org.apache.directory.server.core.filtering.EntryFilteringCursor;
@@ -29,7 +29,6 @@
 import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
 import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
 import org.apache.directory.server.schema.registries.OidRegistry;
-import org.apache.directory.server.schema.registries.Registries;
 import org.apache.directory.shared.ldap.aci.ACIItem;
 import org.apache.directory.shared.ldap.aci.ACIItemParser;
 import org.apache.directory.shared.ldap.aci.ACITuple;
@@ -98,16 +97,18 @@
      * @param directoryService the context factory configuration for the server
      * @throws NamingException if initialization fails
      */
-    public TupleCache( DirectoryService directoryService ) throws Exception
+    public TupleCache( CoreSession session ) throws Exception
     {
-        normalizerMap = directoryService.getRegistries().getAttributeTypeRegistry().getNormalizerMapping();
-        this.nexus = directoryService.getPartitionNexus();
-        AttributeTypeRegistry attributeTypeRegistry = directoryService.getRegistries().getAttributeTypeRegistry();
-        OidRegistry oidRegistry = directoryService.getRegistries().getOidRegistry();
+        normalizerMap = session.getDirectoryService().getRegistries()
+            .getAttributeTypeRegistry().getNormalizerMapping();
+        this.nexus = session.getDirectoryService().getPartitionNexus();
+        AttributeTypeRegistry attributeTypeRegistry = session.getDirectoryService()
+            .getRegistries().getAttributeTypeRegistry();
+        OidRegistry oidRegistry = session.getDirectoryService().getRegistries().getOidRegistry();
         NameComponentNormalizer ncn = new ConcreteNameComponentNormalizer( attributeTypeRegistry, oidRegistry );
         aciParser = new ACIItemParser( ncn, normalizerMap );
         prescriptiveAciAT = attributeTypeRegistry.lookup( SchemaConstants.PRESCRIPTIVE_ACI_AT );
-        initialize( directoryService.getRegistries() );
+        initialize( session );
     }
 
 
@@ -119,7 +120,7 @@
     }
 
 
-    private void initialize( Registries registries ) throws Exception
+    private void initialize( CoreSession session ) throws Exception
     {
         // search all naming contexts for access control subentenries
         // generate ACITuple Arrays for each subentry
@@ -134,7 +135,7 @@
                 new ClientStringValue( SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC ) );
             SearchControls ctls = new SearchControls();
             ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
-            EntryFilteringCursor results = nexus.search( new SearchOperationContext( registries,
+            EntryFilteringCursor results = nexus.search( new SearchOperationContext( session,
                 baseDn, AliasDerefMode.NEVER_DEREF_ALIASES, filter, ctls ) );
 
             while ( results.next() )



Mime
View raw message