directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: pwdHistory not validating properly (in custom server)
Date Tue, 30 Apr 2013 16:32:23 GMT
On 4/30/13 6:04 PM, Emmanuel Lécharny wrote:
> On 4/30/13 6:03 PM, Emmanuel Lécharny wrote:
>> On 4/30/13 6:02 PM, Emmanuel Lécharny wrote:
>>> On 4/30/13 5:37 PM, Patricio Demitrio wrote:
>>>> Please try something if you have a couple of minutes.
>>>>
>>>> Grab the code from AuthenticationInterceptor.java, create a new class, for
>>>> example, AuthenticationInterceptor2.java, and copy it.
>>>>
>>>> Changes needed in order to compile:
>>>> import AuthenticationInterceptor
>>>> change "extends Base..." for "extends AuthenticatorInterceptor"
>>>> fix the super call in the constructor.
>>>>
>>>> If I'm not wrong, that should compile for you. Now, instead of including
>>>> AuthenticationInterceptor in your DirectoryService, please include
>>>> AuthenticationInterceptor2.
>>>>
>>>> That should start your server normally. And that should give you the error.
>>> Doing that atm...
>>>
>>> I will run the pwdPolicyTests to see what's going on;
>>>
>>>
>> Hmmm, seems to blow pretty well :-)
> S/blow/blow out/
>
>
Ok, I know what's going on.

The way the server initialization works, the result you get is plain
normal. Let me explain what's going on.

When a request is received, we will pass it through the interceptor
chain. Let's say it's an ADD operation.

So we will process this operation through each interceptor add() method,
assuming the interceptor implements the add() method.

How do we know that the interceptor implements the add() operation ?
Easy : we use reflection. We do that for each interceptor.

For performance reasons, we pre-parse all the interceptors at startup to
know which interceptor to activate when the server is up and running,
instead of computing this for every single request.

For the ADD operation, we generate this list :

{ADD=[normalizationInterceptor, **authenticationInterceptor**,
**authenticationInterceptor**, referralInterceptor,
aciAuthorizationInterceptor, administrativePointInterceptor,
exceptionInterceptor, schemaInterceptor,
operationalAttributeInterceptor, collectiveAttributeInterceptor,
subentryInterceptor, eventInterceptor, triggerInterceptor,
changeLogInterceptor, journalInterceptor]}

As you can see, the authenticationInterceptor is present *twice* in this
list. Why ? Just because we will find the add() method in the
AuthenticationInterceptor2 class, *and* in its parent, so both classes
will be added, using the name of the parent.

The result is that you will pass twice in the interceptor, and of
course, the second time, the password will already be present in the
pwdHistory variable...

The code that does this is in DefaultDirectoryService :

    private void gatherInterceptors( Interceptor interceptor, Class<?> interceptorClz, OperationEnum operation,
        List<String> selectedInterceptorList )
    {
            ...
            if ( hasCorrestSig && method.getName().equals( operation.getMethodName() ) )
            {
                selectedInterceptorList.add( interceptor.getName() );

                break;
            }
        }

        // <<<<---------------- Here...
        gatherInterceptors( interceptor, interceptorClz.getSuperclass(), operation, selectedInterceptorList );
    }

If I modify this method to have this instead :

    private void gatherInterceptors( Interceptor interceptor, Class<?> interceptorClz, OperationEnum operation,
        List<String> selectedInterceptorList )
    {
            ...
            if ( hasCorrestSig && method.getName().equals( operation.getMethodName() ) )
            {
                // Only register the interceptor name once
                if ( !selectedInterceptorList.contains( interceptor.getName() ) )
                {
                    selectedInterceptorList.add( interceptor.getName() );
                }
            }
        }

        // <<<<---------------- Here...
        gatherInterceptors( interceptor, interceptorClz.getSuperclass(), operation, selectedInterceptorList );
    }

magically, the test works.


Now, the question is why would you extend the AuthenticatorInterceptor,
instead of writing your own ? Is it mandatory ?

In any case, I think I can change the code so that the interceptors do
not appear twice in the list. I'm currently running integration tests
to see if it has any impact on the code (I don't think so).

I'd like you to create a JIRA where you expose the pb, so that we can
track it.

This was an interesting issue :) Thanks a lot for your patience !

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
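
The double registration described in the message above, reduced to a stand-alone program. This is an added example, not ApacheDS code: the classes, the `gather` helper, its `dedupe` flag and the sample password are hypothetical stand-ins for the interceptor chain and the pwdHistory check.

```java
import java.lang.reflect.Method;
import java.util.*;

public class InterceptorGatherDemo {
    // Hypothetical stand-ins for the server's interceptor classes.
    static class BaseInterceptor {
        String getName() { return "authenticationInterceptor"; }
    }
    static class AuthInterceptor extends BaseInterceptor {
        final Set<String> pwdHistory = new HashSet<>();
        // Rejects a password already in the history, otherwise records it.
        public void add(String password) {
            if (!pwdHistory.add(password)) {
                throw new IllegalStateException("password in history");
            }
        }
    }
    // Subclass that overrides add(), like the copied interceptor in the thread.
    static class AuthInterceptor2 extends AuthInterceptor {
        @Override public void add(String password) { super.add(password); }
    }

    // Walks the class hierarchy; 'dedupe' switches on the contains() check.
    static void gather(BaseInterceptor i, Class<?> clz, String op, List<String> out, boolean dedupe) {
        if (clz == null) return;
        for (Method m : clz.getDeclaredMethods()) {
            if (m.getName().equals(op) && !(dedupe && out.contains(i.getName()))) {
                out.add(i.getName());
                break;
            }
        }
        gather(i, clz.getSuperclass(), op, out, dedupe);
    }

    static String run(boolean dedupe) {
        AuthInterceptor2 interceptor = new AuthInterceptor2();
        List<String> chain = new ArrayList<>();
        gather(interceptor, interceptor.getClass(), "add", chain, dedupe);
        try {
            // One call per chain entry; the password is a constructed sample value.
            for (String name : chain) interceptor.add("s3cret-constructed");
            return chain + " -> accepted";
        } catch (IllegalStateException e) {
            return chain + " -> rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("walk without check: " + run(false));
        System.out.println("walk with check:    " + run(true));
    }
}
```

Without the check, the same instance is listed once for the subclass and once for its parent, so the history check sees the new password on the second pass and rejects a valid ADD.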

