directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: pwdHistory not validating properly (in custom server)
Date Tue, 30 Apr 2013 17:10:00 GMT
I have committed a change in trunk :

http://svn.apache.org/r1477725

That should solve your issue.

Can you tell me if it does ? Thanks !


On 4/30/13 6:32 PM, Emmanuel Lécharny wrote:
> On 4/30/13 6:04 PM, Emmanuel Lécharny wrote:
>> On 4/30/13 6:03 PM, Emmanuel Lécharny wrote:
>>> On 4/30/13 6:02 PM, Emmanuel Lécharny wrote:
>>>> On 4/30/13 5:37 PM, Patricio Demitrio wrote:
>>>>> Please try something if you have a couple of minutes.
>>>>>
>>>>> Grab the code from AuthenticationInterceptor.java, create a new class, for
>>>>> example, AuthenticationInterceptor2.java, and copy it.
>>>>>
>>>>> Changes needed in order to compile:
>>>>> import AuthenticationInterceptor
>>>>> change "extends Base..." for "extends AuthenticatorInterceptor"
>>>>> fix the super call in the constructor.
>>>>>
>>>>> If I'm not wrong, that should compile for you. Now, instead of including
>>>>> AuthenticationInterceptor in your DirectoryService, please include
>>>>> AuthenticationInterceptor2.
>>>>>
>>>>> That should start your server normally. And that should give you the error.
>>>> Doing that atm...
>>>>
>>>> I will run the pwdPolicyTests to see what's going on;
>>>>
>>>>
>>> Hmmm, seems to blow pretty well :-)
>> S/blow/blow out/
>>
>>
> Ok, I know what's going on.
>
> The way the server initialization works, the result you get is plain
> normal. Let me explain what's going on.
>
> When a request is received, we will pass it through the interceptor
> chain. Let's say it's an ADD operation.
>
> So we will process this operation through each interceptor add() method,
> assuming the interceptor implements the add() method.
>
> How do we know that the interceptor implements the add() operation ?
> Easy : we use reflection. We do that for each interceptor.
>
> For performance reasons, we pre-parse all the interceptors at startup to
> know which interceptor to activate when the server is up and running,
> instead of computing this for every single request.
>
> For the ADD operation, we generate this list :
>
> {ADD=[normalizationInterceptor, **authenticationInterceptor**,
> **authenticationInterceptor**, referralInterceptor,
> aciAuthorizationInterceptor, administrativePointInterceptor,
> exceptionInterceptor, schemaInterceptor,
> operationalAttributeInterceptor, collectiveAttributeInterceptor,
> subentryInterceptor, eventInterceptor, triggerInterceptor,
> changeLogInterceptor, journalInterceptor]}
>
> As you can see, the authenticationInterceptor is present *twice* in this
> list. Why ? Just because we will find the add() method in the
> AuthenticationInterceptor2 class, *and* in its parent, so both classes
> will be added, using the name of the parent.
>
> The result is that you will pass twice in the interceptor, and of
> course, the second time, the password will already be present in the
> pwdHistory variable...
>
> The code that does this is in DefaultDirectoryService :
>
>     private void gatherInterceptors( Interceptor interceptor, Class<?> interceptorClz, OperationEnum operation,
>         List<String> selectedInterceptorList )
>     {
>             ...
>             if ( hasCorrestSig && method.getName().equals( operation.getMethodName() ) )
>             {
>                 selectedInterceptorList.add( interceptor.getName() );
>
>                 break;
>             }
>         }
>
>         gatherInterceptors( interceptor, interceptorClz.getSuperclass(), operation, selectedInterceptorList ); // <<<<---------------- Here...
>     }
>
> If I modify this method to have this instead :
>
>     private void gatherInterceptors( Interceptor interceptor, Class<?> interceptorClz, OperationEnum operation,
>         List<String> selectedInterceptorList )
>     {
>             ...
>             if ( hasCorrestSig && method.getName().equals( operation.getMethodName() ) )
>             {
>                 if ( !selectedInterceptorList.contains( interceptor.getName() ) )
>                 {
>                     selectedInterceptorList.add( interceptor.getName() );
>                 }
>             }
>         }
>
>         gatherInterceptors( interceptor, interceptorClz.getSuperclass(), operation, selectedInterceptorList ); // <<<<---------------- Here...
>     }
>
> magically, the test works.
>
>
> Now, the question is why would you extend the AuthenticationInterceptor,
> instead of writing your own ? Is it mandatory ?
>
> In any case, I think I can change the code so that the interceptors do
> not appear twice in the list. I'm currently running integration tests
> to see if it has any impact on the code (I don't think so).
>
> I'd like you to create a JIRA where you expose the pb, so that we can
> track it.
>
> This was an interesting issue :) Thanks a lot for your patience !
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
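
The double registration described in the message above can be reproduced outside the server. The following Java sketch is an added example, not ApacheDS code and not code from this thread: the three classes are hypothetical stand-ins, the signature check is reduced to a method-name comparison, and the `dedupe` flag is an assumption used to switch the contains() check on and off.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class InterceptorGatherDemo {
    // Hypothetical stand-ins for the server's interceptor classes.
    static class BaseInterceptor {
        private final String name;
        BaseInterceptor(String name) { this.name = name; }
        String getName() { return name; }
    }

    static class AuthenticationInterceptor extends BaseInterceptor {
        AuthenticationInterceptor() { super("authenticationInterceptor"); }
        public void add(String entry) { }
    }

    // A copy that extends the original: declares add() again, keeps the parent's name.
    static class AuthenticationInterceptor2 extends AuthenticationInterceptor {
        @Override public void add(String entry) { }
    }

    // Walks the hierarchy with getDeclaredMethods(), one class at a time.
    static void gather(BaseInterceptor interceptor, Class<?> clz, String operation,
            List<String> selected, boolean dedupe) {
        if (clz == null || clz == BaseInterceptor.class) {
            return;
        }
        for (Method method : clz.getDeclaredMethods()) {
            if (method.getName().equals(operation)) {
                // dedupe=false registers once per declaring class; true applies the contains() check
                if (!dedupe || !selected.contains(interceptor.getName())) {
                    selected.add(interceptor.getName());
                }
                break;
            }
        }
        gather(interceptor, clz.getSuperclass(), operation, selected, dedupe);
    }

    public static void main(String[] args) {
        BaseInterceptor custom = new AuthenticationInterceptor2();
        List<String> before = new ArrayList<>();
        List<String> after = new ArrayList<>();
        gather(custom, custom.getClass(), "add", before, false);
        gather(custom, custom.getClass(), "add", after, true);
        System.out.println("without check: " + before);
        System.out.println("with check:    " + after);
    }
}
```

Without the check the name is registered once per class in the hierarchy that declares add(), so a chain built from that list would invoke the same interceptor instance twice for a single request.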

