directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r959961 - in /directory/apacheds/trunk: core-integ/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/
Date Fri, 02 Jul 2010 12:22:54 GMT
Author: elecharny
Date: Fri Jul  2 12:22:53 2010
New Revision: 959961

URL: http://svn.apache.org/viewvc?rev=959961&view=rev
Log:
o Minor refactoring in the ACI interceptor
o Formated the ACI in tests

Modified:
    directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
    directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java

Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=959961&r1=959960&r2=959961&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Fri Jul  2 12:22:53 2010
@@ -196,10 +196,27 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm to all users in the Administrators group for entries
-        createAccessControlSubentry( "grantRenameByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameByAdmin", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " + 
+            "        grantsAndDenials { grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // see if we can now rename that test entry which we could not before
         // rename op should still fail since billyd is not in the admin group
@@ -228,11 +245,27 @@ public class MoveRenameAuthorizationIT e
 
         // Gives grantRename, grantImport, grantExport perm to all users in the Administrators
         // group for entries - browse is needed just to read navigate the tree at root
-        createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + "identificationTag \"addAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry}, "
-            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameMoveByAdmin", 
+            "{ " + 
+            "  identificationTag \"addAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // see if we can move and rename the test entry which we could not before
         // op should still fail since billyd is not in the admin group
@@ -260,10 +293,27 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm to all users in the Administrators group for entries
-        createAccessControlSubentry( "grantMoveByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantMoveByAdmin", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " + 
+            "        grantsAndDenials { grantExport, grantImport, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // see if we can now move that test entry which we could not before
         // op should still fail since billyd is not in the admin group
@@ -302,10 +352,24 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm specifically to the billyd user
-        createAccessControlSubentry( "grantRenameByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameByName", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " + 
+            "        grantsAndDenials { grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -325,11 +389,24 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport perm to billyd user on entries
-        createAccessControlSubentry( "grantRenameMoveByName", "{ " + "identificationTag \"addAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry}, "
-            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameMoveByName", 
+            "{ " + 
+            "  identificationTag \"addAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -349,10 +426,24 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm to billyd user for entries
-        createAccessControlSubentry( "grantMoveByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantMoveByName", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " + 
+            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -383,10 +474,27 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm for entries to those users selected by the subtree
-        createAccessControlSubentry( "grantRenameByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
-            + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameByTree", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      subtree { { base \"ou=users,ou=system\" } } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " + 
+            "        grantsAndDenials { grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -406,11 +514,26 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport for entries to users selected by subtree
-        createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "identificationTag \"addAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
-            + "protectedItems {entry}, "
-            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameMoveByTree", 
+            "{ " + 
+            "  identificationTag \"addAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: { " +
+            "    userClasses " +
+            "    { " +
+            "      subtree { { base \"ou=users,ou=system\" } } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -430,10 +553,27 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm for entries to subtree selected users
-        createAccessControlSubentry( "grantMoveByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
-            + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantMoveByTree", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      subtree { { base \"ou=users,ou=system\" } } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " + 
+            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -464,10 +604,24 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm for entries to any user
-        createAccessControlSubentry( "grantRenameByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
-            + "userPermissions { { " + "protectedItems {entry}, "
-            + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameByAny", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -487,10 +641,24 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport for entries to any user
-        createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "identificationTag \"addAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { allUsers }, " + "userPermissions { { " + "protectedItems {entry}, "
-            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantRenameMoveByAny", 
+            "{ " + 
+            "  identificationTag \"addAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -510,10 +678,24 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm for entries to any user
-        createAccessControlSubentry( "grantMoveByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
-            + "userPermissions { { " + "protectedItems {entry}, "
-            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "grantMoveByAny", 
+            "{ " + 
+            "  identificationTag \"addAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -550,33 +732,66 @@ public class MoveRenameAuthorizationIT e
         createAccessControlSubentry(
             "grantBrowseForTheWholeNamingContext",
             "{ }",
-            "{ " + "identificationTag \"browseACI\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems { entry }, "
-            + "grantsAndDenials { grantBrowse } } } } }" );
+            "{ " + 
+            "  identificationTag \"browseACI\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems { entry }, " +
+            "        grantsAndDenials { grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
         
         // Gives grantExport, grantRename perm to all users in the Administrators
         // group for entries
         createAccessControlSubentry(
             "grantExportFromASubtree",
-            "{ base \"ou=users\" }", // !!!!! =====>>>>> { base "ou=users" }
-            "{ " + "identificationTag \"exportACI\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems { entry }, "
-            + "grantsAndDenials { grantExport, grantRename } } } } }" );
+            "{ base \"ou=users\" }", 
+            "{ " + 
+            "  identificationTag \"exportACI\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems { entry }, " +
+            "        grantsAndDenials { grantExport, grantRename } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
         
         // Gives grantImport perm to all users in the Administrators
         // group for the target context
         createAccessControlSubentry(
             "grantImportToASubtree",
-            "{ base \"ou=groups\" }", // !!!!! =====>>>>> { base "ou=groups" }
-            "{ " + "identificationTag \"importACI\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems { entry }, "
-            + "grantsAndDenials { grantImport } } } } }" );
+            "{ base \"ou=groups\" }", 
+            "{ " + 
+            "  identificationTag \"importACI\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems { entry }, " +
+            "        grantsAndDenials { grantImport } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // see if we can move and rename the test entry which we could not before
         // op should still fail since billyd is not in the admin group

Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=959961&r1=959960&r2=959961&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Fri Jul  2 12:22:53 2010
@@ -103,24 +103,27 @@ public class SearchAuthorizationIT exten
      */
     private Entry[] getTestNodes( final int count )
     {
-        Entry[] attributes = new DefaultEntry[count];
-        for ( int ii = 0; ii < count; ii++ )
+        Entry[] entries = new DefaultEntry[count];
+        
+        for ( int i = 0; i < count; i++ )
         {
+            Entry entry = new DefaultEntry();
+            
             try
             {
-                attributes[ii] = new DefaultEntry();
-                attributes[ii].add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
-                attributes[ii].add( SchemaConstants.OU_AT, String.valueOf( ii ) );
-                attributes[ii].add( SchemaConstants.OU_AT, "testEntry" );
-                attributes[ii].add( "telephoneNumber", String.valueOf( count ) );
+                entry.add( "objectClass", "organizationalUnit" );
+                entry.add( "ou", "testEntry", String.valueOf( i ) );
+                entry.add( "telephoneNumber", String.valueOf( count ) );
             }
             catch ( Exception e )
             {
                 e.printStackTrace();
             }
+            
+            entries[i] = entry;
         }
 
-        return attributes;
+        return entries;
     }
 
 
@@ -353,7 +356,7 @@ public class SearchAuthorizationIT exten
 
         assertEquals( 10, counter );
         recursivelyDelete( base );
-        //noinspection EmptyCatchBlock
+
         SearchResultEntry entry = ( SearchResultEntry ) connection.lookup( base.getName() );
         assertNull( entry );
     }
@@ -374,25 +377,41 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an add operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // Gives search perms to all users in the Administrators group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "searchAdmin", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "searchAdmin", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
-        // see if we can now add that test entry which we could not before
-        // add op should still fail since billd is not in the admin group
+        // see if we can now search that test entry which we could not before
+        // add or should still fail since billd is not in the admin group
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // now add billyd to the Administrator group and try again
         addUserToGroup( "billyd", "Administrators" );
 
-        // try an add operation which should succeed with ACI and group membership change
+        // try a search operation which should succeed with ACI and group membership change
         assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
     }
 
@@ -408,15 +427,31 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an add operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
-        // now add a subentry that enables user billyd to add an entry below ou=system
-        createAccessControlSubentry( "billydSearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        // now add a subentry that enables user billyd to search an entry below ou=system
+        createAccessControlSubentry( 
+            "billydSearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      name { \"uid=billyd,ou=users,ou=system\" } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    }" +
+            "  } " +
+            "}" );
 
         // should work now that billyd is authorized by name
         assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
@@ -435,15 +470,31 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an add operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "BillyD", "billyd" ) );
 
-        // now add a subentry that enables user billyd to add an entry below ou=system
-        createAccessControlSubentry( "billydSearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        // now add a subentry that enables user billyd to search an entry below ou=system
+        createAccessControlSubentry( 
+            "billydSearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      name { \"uid=billyd,ou=users,ou=system\" } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // should work now that billyd is authorized by name
         assertTrue( checkCanSearchAs( "BillyD", "billyd" ) );
@@ -461,15 +512,34 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an add operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
-        // now add a subentry that enables user billyd to add an entry below ou=system
-        createAccessControlSubentry( "billySearchBySubtree", "{ " + "identificationTag \"searchAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials {  grantRead, grantReturnDN, grantBrowse } } } } }" );
+        // now add a subentry that enables user billyd to search an entry below ou=system
+        createAccessControlSubentry( 
+            "billySearchBySubtree", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    { " +
+            "      subtree " +
+            "      { " +
+            "        { base \"ou=users,ou=system\" } " +
+            "      } " +
+            "    }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials {  grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // should work now that billyd is authorized by the subtree userClass
         assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
@@ -487,14 +557,28 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an search operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // now add a subentry that enables anyone to search an entry below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
-            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "anybodySearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // see if we can now search that tree which we could not before
         // should work now with billyd now that all users are authorized
@@ -518,18 +602,32 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an add operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
 
-        // now add a subentry that enables anyone to add an entry below ou=system
+        // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3
-        createAccessControlSubentry( "anybodySearch", "{ maximum 2 }", "{ " + "identificationTag \"searchAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "anybodySearch", 
+            "{ maximum 2 }", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
-        // see if we can now add that test entry which we could not before
+        // see if we can now search that test entry which we could not before
         // should work now with billyd now that all users are authorized
         assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
     }
@@ -547,19 +645,33 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an add operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
 
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  It only grants access to
         // the ou and objectClass attributes however.
-        createAccessControlSubentry( "excluseTelephoneNumber", "{ maximum 2 }", "{ "
-            + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
-            + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allAttributeValues { ou, objectClass } }, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "excludeTelephoneNumber", 
+            "{ maximum 2 }", 
+            "{ " +
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allAttributeValues { ou, objectClass } }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
-        // see if we can now add that search and find 4 entries
+        // see if we can now search and find 4 entries
         assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
 
         // check to make sure the telephoneNumber attribute is not present in results
@@ -569,16 +681,30 @@ public class SearchAuthorizationIT exten
         }
 
         // delete the subentry to test more general rule's inclusion of telephoneNumber
-        deleteAccessControlSubentry( "excluseTelephoneNumber" );
+        deleteAccessControlSubentry( "excludeTelephoneNumber" );
 
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  This time we should be able
         // to see the telephoneNumber attribute
-        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ "
-            + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
-            + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues }, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "includeAllAttributeTypesAndValues", 
+            "{ maximum 2 }", 
+            "{ " +
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    }" +
+            "  } " +
+            "}" );
 
         // again we should find four entries
         assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
@@ -604,26 +730,39 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // try an add operation which should fail without any ACI
+        // try a search operation which should fail without any ACI
         assertFalse( checkCanSearchAs( "billyd", "billyd", 3 ) );
 
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  It only grants access to
         // the ou and objectClass attributes however.
         createAccessControlSubentry(
-            "excluseOUValue",
+            "excludeOUValue",
             "{ maximum 2 }",
-            "{ "
-                + "identificationTag \"searchAci\", "
-                + "precedence 14, "
-                + "authenticationLevel none, "
-                + "itemOrUserFirst userFirst: { "
-                + "userClasses { allUsers }, "
-                + "userPermissions { { "
-                + "protectedItems {entry, attributeType { ou }, allAttributeValues { objectClass }, attributeValue { ou=0, ou=1, ou=2 } }, "
-                + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+            "{ " +
+            "  identificationTag \"searchAci\", " +
+            "  precedence 14, " +
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems " +
+            "        {" +
+            "          entry, " +
+            "          attributeType { ou }, " +
+            "          allAttributeValues { objectClass }, " +
+            "          attributeValue { ou=0, ou=1, ou=2 } " +
+            "        }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
-        // see if we can now add that search and find 4 entries
+        // see if we can now search and find 4 entries
         assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
 
         // check to make sure the ou attribute value "testEntry" is not present in results
@@ -633,16 +772,30 @@ public class SearchAuthorizationIT exten
         }
 
         // delete the subentry to test more general rule's inclusion of all values
-        deleteAccessControlSubentry( "excluseOUValue" );
+        deleteAccessControlSubentry( "excludeOUValue" );
 
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  This time we should be able
         // to see the telephoneNumber attribute
-        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ "
-            + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
-            + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues }, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "includeAllAttributeTypesAndValues", 
+            "{ maximum 2 }", 
+            "{ " +
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  }" +
+            "}" );
 
         // again we should find four entries
         assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
@@ -669,10 +822,23 @@ public class SearchAuthorizationIT exten
         createUser( "billyd", "billyd" );
 
         // now add an entryACI denies browse, read and returnDN to a specific entry
-        String aci = "{ " + "identificationTag \"denyAci\", " + "precedence 14, " + "authenticationLevel none, "
-            + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+        String aci = 
+            "{ " + 
+            "  identificationTag \"denyAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}";
 
         // try a search operation which should fail without any prescriptive ACI
         DN testsDn = new DN( "ou=system" );
@@ -680,10 +846,24 @@ public class SearchAuthorizationIT exten
         assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
-            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "anybodySearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
@@ -691,7 +871,7 @@ public class SearchAuthorizationIT exten
         assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
         assertNull( results.get( "ou=tests,ou=system" ) );
 
-        // try without the entry ACI .. just perscriptive and see ou=tests,ou=system
+        // try without the entry ACI, just perscriptive and see ou=tests,ou=system
         assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 10 ) );
         assertNotNull( results.get( "ou=tests,ou=system" ) );
     }
@@ -711,11 +891,24 @@ public class SearchAuthorizationIT exten
         // create the non-admin user
         createUser( "billyd", "billyd" );
 
-        // now add an entryACI denies browse, read and returnDN to a specific entry
-        String aci = "{ " + "identificationTag \"denyAci\", " + "precedence 14, " + "authenticationLevel none, "
-            + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+        // now add an entryACI denying browse, read and returnDN to a specific entry
+        String aci = 
+            "{ " + 
+            "  identificationTag \"denyAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}";
 
         // try a search operation which should fail without any prescriptive ACI
         DN testsDn = new DN( "ou=system" );
@@ -723,10 +916,24 @@ public class SearchAuthorizationIT exten
         assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 15, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
-            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "anybodySearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 15, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
@@ -738,10 +945,23 @@ public class SearchAuthorizationIT exten
 
         // now add an entryACI denies browse, read and returnDN to a specific entry
         // but this time the precedence will be higher than that of the grant
-        aci = "{ " + "identificationTag \"denyAci\", " + "precedence 16, " + "authenticationLevel none, "
-            + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+        aci = 
+            "{ " + 
+            "  identificationTag \"denyAci\", " + 
+            "  precedence 16, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}";
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
@@ -787,19 +1007,46 @@ public class SearchAuthorizationIT exten
         createUser( "billyd", "billyd" );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
-            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "anybodySearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // check and see if we can access the subentry now
         assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
 
         // now add a denial to prevent all users except the admin from accessing the subentry
-        addSubentryACI( "{ " + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
-            + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+        addSubentryACI( 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // now we should not be able to access the subentry with a search
         assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
@@ -814,11 +1061,33 @@ public class SearchAuthorizationIT exten
 
         // now add a subentry that enables anyone to search/lookup and disclose on error
         // below ou=system, with the exclusion of ou=groups and everything below it
-        createAccessControlSubentry( "selectiveDiscloseOnError", "{ specificExclusions { chopBefore:\"ou=groups\" } }",
-            "{ " + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
-                + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
-                + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-                + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" );
+        createAccessControlSubentry( 
+            "selectiveDiscloseOnError", 
+            "{ specificExclusions " +
+            "  { chopBefore:\"ou=groups\" } " +
+            "}",
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst:" +
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials " +
+            "        { " +
+            "          grantRead, " +
+            "          grantReturnDN, " +
+            "          grantBrowse, " +
+            "          grantDiscloseOnError " +
+            "        } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // get a context as the user and try a lookup of a non-existant entry under ou=groups,ou=system
         LdapConnection userCtx = getConnectionAs( "uid=billyd,ou=users,ou=system", "billyd" );
@@ -829,11 +1098,30 @@ public class SearchAuthorizationIT exten
 
         // now delete and replace subentry with one that does not excluse ou=groups,ou=system
         deleteAccessControlSubentry( "selectiveDiscloseOnError" );
-        createAccessControlSubentry( "selectiveDiscloseOnError", "{ " + "identificationTag \"searchAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" );
+        createAccessControlSubentry( 
+            "selectiveDiscloseOnError", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials " +
+            "        { " +
+            "          grantRead, " +
+            "          grantReturnDN, " +
+            "          grantBrowse, " +
+            "          grantDiscloseOnError " +
+            "        } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // now try a lookup of a non-existant entry under ou=groups,ou=system again
         entry = ( SearchResultEntry ) userCtx.lookup( "cn=blah,ou=groups" );
@@ -855,22 +1143,48 @@ public class SearchAuthorizationIT exten
         getAdminConnection().add( phoneBook );
 
         // now add a subentry that enables anyone to search below their own entries
-        createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"searchAci\", "
-            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { allUsers }, " + "userPermissions { { "
-            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+        createAccessControlSubentry( 
+            "anybodySearchTheirSubordinates", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // check and see if we can access the subentry now
         assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN(
             "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
 
         // now add a denial to prevent all users except the admin from accessing the subentry
-        addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ "
-            + "identificationTag \"anybodyDontSearchTheirSubordinates\", " + "precedence 14, "
-            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { parentOfEntry }, "
-            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+        addPrescriptiveACI( 
+            "anybodySearchTheirSubordinates", 
+            "{ " +
+            "  identificationTag \"anybodyDontSearchTheirSubordinates\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { parentOfEntry }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
 
         // now we should not be able to access the subentry with a search
         assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=959961&r1=959960&r2=959961&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Fri Jul  2 12:22:53 2010
@@ -160,14 +160,17 @@ public class AciAuthorizationInterceptor
     /** the system wide subschemaSubentryDn */
     private String subschemaSubentryDn;
 
-    private AttributeType objectClassType;
-    private AttributeType acSubentryType;
+    /** The ObjectClass AttributeType */
+    private static AttributeType OBJECT_CLASS_AT;
+
+    /** The AccessControlSubentry AttributeType */
+    private static AttributeType ACCESS_CONTROL_SUBENTRY_AT;
 
     /** A storage for the entryACI attributeType */
-    private AttributeType entryAciType;
+    private static AttributeType ENTRY_ACI_AT;
 
     /** the subentry ACI attribute type */
-    private AttributeType subentryAciType;
+    private static AttributeType SUBENTRY_ACI_AT;
 
     public static final SearchControls DEFAULT_SEARCH_CONTROLS = new SearchControls();
 
@@ -187,20 +190,22 @@ public class AciAuthorizationInterceptor
         adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() );
         CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ),
             directoryService );
+        schemaManager = directoryService.getSchemaManager();
+        chain = directoryService.getInterceptorChain();
 
+        // Create the caches
         tupleCache = new TupleCache( adminSession );
         groupCache = new GroupCache( adminSession );
-        schemaManager = directoryService.getSchemaManager();
 
         // look up some constant information
-        objectClassType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.OBJECT_CLASS_AT );
-        acSubentryType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT );
-        entryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID );
-        subentryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.SUBENTRY_ACI_AT_OID );
+        OBJECT_CLASS_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.OBJECT_CLASS_AT );
+        ACCESS_CONTROL_SUBENTRY_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT );
+        ENTRY_ACI_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID );
+        SUBENTRY_ACI_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.SUBENTRY_ACI_AT_OID );
 
+        // Iitialize the ACI PARSER and ACDF engine
         aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( schemaManager ), schemaManager );
         engine = new ACDFEngine( schemaManager );
-        chain = directoryService.getInterceptorChain();
 
         // stuff for dealing with subentries (garbage for now)
         Value<?> subschemaSubentry = directoryService.getPartitionNexus().getRootDSE( null ).get(
@@ -252,11 +257,11 @@ public class AciAuthorizationInterceptor
 
         if ( entry instanceof ClonedServerEntry )
         {
-            oc = ( ( ClonedServerEntry ) entry ).getOriginalEntry().get( objectClassType );
+            oc = ( ( ClonedServerEntry ) entry ).getOriginalEntry().get( OBJECT_CLASS_AT );
         }
         else
         {
-            oc = entry.get( objectClassType );
+            oc = entry.get( OBJECT_CLASS_AT );
         }
 
         /*
@@ -275,7 +280,7 @@ public class AciAuthorizationInterceptor
             entry = opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS );
         }
 
-        EntryAttribute subentries = entry.get( acSubentryType );
+        EntryAttribute subentries = entry.get( ACCESS_CONTROL_SUBENTRY_AT );
 
         if ( subentries == null )
         {
@@ -300,7 +305,7 @@ public class AciAuthorizationInterceptor
      */
     private void addEntryAciTuples( Collection<ACITuple> tuples, Entry entry ) throws LdapException
     {
-        EntryAttribute entryAci = entry.get( entryAciType );
+        EntryAttribute entryAci = entry.get( ENTRY_ACI_AT );
 
         if ( entryAci == null )
         {
@@ -354,7 +359,7 @@ public class AciAuthorizationInterceptor
         Entry administrativeEntry = ( ( ClonedServerEntry ) opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS ) )
             .getOriginalEntry();
 
-        EntryAttribute subentryAci = administrativeEntry.get( subentryAciType );
+        EntryAttribute subentryAci = administrativeEntry.get( SUBENTRY_ACI_AT );
 
         if ( subentryAci == null )
         {
@@ -705,8 +710,10 @@ public class AciAuthorizationInterceptor
      */
     private void checkLookupAccess( LookupOperationContext lookupContext, Entry entry ) throws LdapException
     {
+        DN dn = lookupContext.getDn();
+        
         // no permissions checks on the RootDSE
-        if ( lookupContext.getDn().getNormName().trim().equals( "" ) )
+        if ( dn.isRootDSE() )
         {
             return;
         }
@@ -715,13 +722,13 @@ public class AciAuthorizationInterceptor
         DN userName = principal.getDN();
         Set<DN> userGroups = groupCache.getGroups( userName.getNormName() );
         Collection<ACITuple> tuples = new HashSet<ACITuple>();
-        addPerscriptiveAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
+        addPerscriptiveAciTuples( lookupContext, tuples, dn, entry );
         addEntryAciTuples( tuples, entry );
-        addSubentryAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
+        addSubentryAciTuples( lookupContext, tuples, dn, entry );
 
         // check that we have read access to the entry
         engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(),
-            lookupContext.getDn(), null, null, LOOKUP_PERMS, tuples, entry, null );
+            dn, null, null, LOOKUP_PERMS, tuples, entry, null );
 
         // check that we have read access to every attribute type and value
         for ( EntryAttribute attribute : entry )
@@ -730,13 +737,16 @@ public class AciAuthorizationInterceptor
             for ( Value<?> value : attribute )
             {
                 engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal
-                    .getAuthenticationLevel(), lookupContext.getDn(), attribute.getAttributeType(), value, READ_PERMS, tuples,
+                    .getAuthenticationLevel(), dn, attribute.getAttributeType(), value, READ_PERMS, tuples,
                     entry, null );
             }
         }
     }
 
 
+    /**
+     * {@inheritDoc}
+     */
     public Entry lookup( NextInterceptor next, LookupOperationContext lookupContext ) throws LdapException
     {
         CoreSession session = lookupContext.getSession();
@@ -750,6 +760,7 @@ public class AciAuthorizationInterceptor
             principalDn.normalize( schemaManager.getNormalizerMapping() );
         }
 
+        // Bypass this interceptor if we disabled the AC subsystem or if the principal is the admin
         if ( isPrincipalAnAdministrator( principalDn ) || !directoryService.isAccessControlEnabled() )
         {
             return next.lookup( lookupContext );



Mime
View raw message