directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r683825 - in /directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap: LdapServer.java handlers/LdapRequestHandler.java handlers/ssl/LdapsInitializer.java
Date Fri, 08 Aug 2008 03:31:52 GMT
Author: akarasulu
Date: Thu Aug  7 20:31:51 2008
New Revision: 683825

URL: http://svn.apache.org/viewvc?rev=683825&view=rev
Log:
DIRSERVER-1194: added confidentiality requirement flag and made sure LDAPS works like StartTLS

Modified:
    directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java
    directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java
    directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java

Modified: directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java?rev=683825&r1=683824&r2=683825&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java
(original)
+++ directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/LdapServer.java
Thu Aug  7 20:31:51 2008
@@ -197,6 +197,12 @@
     /** tracks start state of the server */
     private boolean started;
 
+    /** 
+     * Whether or not confidentiality (TLS secured connection) is required: 
+     * disabled by default. 
+     */
+    private boolean confidentialityRequired;
+
 
     /**
      * Creates an LDAP protocol provider.
@@ -529,6 +535,31 @@
 
 
     /**
+     * Sets the mode for this LdapServer to accept requests with or without a
+     * TLS secured connection via either StartTLS extended operations or using
+     * LDAPS.
+     * 
+     * @param confidentialityRequired true to require confidentiality
+     */
+    public void setConfidentialityRequired( boolean confidentialityRequired )
+    {
+        this.confidentialityRequired = confidentialityRequired;
+    }
+
+
+    /**
+     * Gets whether or not TLS secured connections are required to perform 
+     * operations on this LdapServer.
+     * 
+     * @return true if TLS secured connections are required, false otherwise
+     */
+    public boolean isConfidentialityRequired()
+    {
+        return confidentialityRequired;
+    }
+
+    
+    /**
      * Returns <tt>true</tt> if LDAPS is enabled.
      *
      * @return True if LDAPS is enabled.

Modified: directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java?rev=683825&r1=683824&r2=683825&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java
(original)
+++ directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/LdapRequestHandler.java
Thu Aug  7 20:31:51 2008
@@ -23,9 +23,16 @@
 import org.apache.directory.server.core.CoreSession;
 import org.apache.directory.server.newldap.LdapServer;
 import org.apache.directory.server.newldap.LdapSession;
+import org.apache.directory.server.newldap.handlers.extended.StartTlsHandler;
 import org.apache.directory.shared.ldap.message.AbandonRequest;
 import org.apache.directory.shared.ldap.message.BindRequest;
+import org.apache.directory.shared.ldap.message.ExtendedRequest;
+import org.apache.directory.shared.ldap.message.LdapResult;
 import org.apache.directory.shared.ldap.message.Request;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.directory.shared.ldap.message.ResultResponse;
+import org.apache.directory.shared.ldap.message.ResultResponseRequest;
+import org.apache.mina.common.IoFilterChain;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.demux.MessageHandler;
 
@@ -59,6 +66,43 @@
     {
         this.ldapServer = ldapServer;
     }
+    
+    
+    /**
+     * Checks to see if confidentiality requirements are met.  If the 
+     * LdapServer requires confidentiality and the SSLFilter is engaged
+     * this will return true.  If confidentiality is not required this 
+     * will return true.  If confidentially is required and the SSLFilter
+     * is not engaged in the IoFilterChain this will return false.
+     * 
+     * This method is used by handlers to determine whether to send back
+     * {@link ResultCodeEnum#CONFIDENTIALITY_REQUIRED} error responses back
+     * to clients.
+     * 
+     * @param session the MINA IoSession to check for TLS security
+     * @return true if confidentiality requirement is met, false otherwise
+     */
+    public final boolean isConfidentialityRequirementSatisfied( IoSession session )
+    {
+       
+       if ( ! ldapServer.isConfidentialityRequired() )
+       {
+           return true;
+       }
+       
+        IoFilterChain chain = session.getFilterChain();
+        return chain.contains( "sslFilter" );
+    }
+
+    
+    public void rejectWithoutConfidentiality( IoSession session, ResultResponse resp ) 
+    {
+        LdapResult result = resp.getLdapResult();
+        result.setResultCode( ResultCodeEnum.CONFIDENTIALITY_REQUIRED );
+        result.setErrorMessage( "Confidentiality (TLS secured connection) is required." );
+        session.write( resp );
+        return;
+    }
 
 
     /**
@@ -74,6 +118,33 @@
     {
         LdapSession ldapSession = ldapServer.getLdapSession( session );
         ldapSession.setLdapServer( ldapServer );
+        
+        // protect against insecure conns when confidentiality is required 
+        if ( ! isConfidentialityRequirementSatisfied( session ) )
+        {
+            if ( message instanceof ExtendedRequest )
+            {
+                // Reject all extended operations except StartTls  
+                ExtendedRequest req = ( ExtendedRequest ) message;
+                if ( ! req.getID().equals( StartTlsHandler.EXTENSION_OID ) )
+                {
+                    rejectWithoutConfidentiality( session, req.getResultResponse() );
+                    return;
+                }
+                
+                // Allow StartTls extended operations to go through
+            }
+            else if ( message instanceof ResultResponseRequest )
+            {
+                // Reject all other operations that have a result response  
+                rejectWithoutConfidentiality( session, ( ( ResultResponseRequest ) message
).getResultResponse() );
+                return;
+            }
+            else // Just return from unbind, and abandon immediately
+            {
+                return;
+            }
+        }
 
         // We should check that the server allows anonymous requests
         // only if it's not a BindRequest

Modified: directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java?rev=683825&r1=683824&r2=683825&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java
(original)
+++ directory/apacheds/branches/bigbang/protocol-newldap/src/main/java/org/apache/directory/server/newldap/handlers/ssl/LdapsInitializer.java
Thu Aug  7 20:31:51 2008
@@ -69,7 +69,7 @@
         }
 
         DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
-        chain.addLast( "SSL", new SSLFilter( sslCtx ) );
+        chain.addLast( "sslFilter", new SSLFilter( sslCtx ) );
         return chain;
     }
 }



Mime
View raw message