Return-Path: X-Original-To: apmail-directory-users-archive@www.apache.org Delivered-To: apmail-directory-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8995010149 for ; Tue, 30 Apr 2013 16:32:52 +0000 (UTC) Received: (qmail 60289 invoked by uid 500); 30 Apr 2013 16:32:52 -0000 Delivered-To: apmail-directory-users-archive@directory.apache.org Received: (qmail 60219 invoked by uid 500); 30 Apr 2013 16:32:52 -0000 Mailing-List: contact users-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@directory.apache.org Delivered-To: mailing list users@directory.apache.org Received: (qmail 60208 invoked by uid 99); 30 Apr 2013 16:32:52 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Apr 2013 16:32:52 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of elecharny@gmail.com designates 74.125.83.50 as permitted sender) Received: from [74.125.83.50] (HELO mail-ee0-f50.google.com) (74.125.83.50) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Apr 2013 16:32:47 +0000 Received: by mail-ee0-f50.google.com with SMTP id b15so366106eek.23 for ; Tue, 30 Apr 2013 09:32:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=2Ph9FY0CdI0fDmteH+A0iXzf/VTPhFRHw1PKascbmlY=; b=dWsnf+dRf00vfpV86Yx6Y50sEe9JxvkYl5Jwlt8r/i38xglVjdHNmmk4OhtmccmoQl P6jQWKGH3rjUbzJtZwcQOo6eSd6fNbVrK7u+sUXPC+QvmgvYAU9iDfKdvf+0fawNB3va Cu04xK3+5LTFG8Udq4m0ceTtlddkvjbnVDWFrsrL5UQwpNHb78QOAaU75EfZjiqxOb6U KdU/o5NThXrWFIlGlFfd3DsLgOlvMgdfVM9HIhMD5IKdwBEu3xN9rHk/LoGYCxLzotAf 3vTYx+WkvoZwHmJaggwk9NtlMz49dnabs9ydlDQQ4d+EusV7T5XRKFbsLm+qI09QBWMP Ke8A== X-Received: by 10.15.35.71 with SMTP id f47mr80933449eev.15.1367339545907; Tue, 30 Apr 2013 09:32:25 -0700 (PDT) Received: from Emmanuels-MacBook-Pro.local (lon92-10-78-226-4-211.fbx.proxad.net. [78.226.4.211]) by mx.google.com with ESMTPSA id e50sm23118866eev.13.2013.04.30.09.32.24 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 30 Apr 2013 09:32:24 -0700 (PDT) Message-ID: <517FF217.5000900@gmail.com> Date: Tue, 30 Apr 2013 18:32:23 +0200 From: =?UTF-8?B?RW1tYW51ZWwgTMOpY2hhcm55?= User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130328 Thunderbird/17.0.5 MIME-Version: 1.0 To: users@directory.apache.org Subject: Re: pwdHistory not validating properly (in custom server) References: <517FB87B.80704@gmail.com> <517FC5B9.7060908@gmail.com> <517FEB1D.1010606@gmail.com> <517FEB45.6080507@gmail.com> <517FEB8B.7020705@gmail.com> In-Reply-To: <517FEB8B.7020705@gmail.com> X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Virus-Checked: Checked by ClamAV on apache.org Le 4/30/13 6:04 PM, Emmanuel Lécharny a écrit : > Le 4/30/13 6:03 PM, Emmanuel Lécharny a écrit : >> Le 4/30/13 6:02 PM, Emmanuel Lécharny a écrit : >>> Le 4/30/13 5:37 PM, Patricio Demitrio a écrit : >>>> Please try something if you have a couple of minutes. >>>> >>>> Grab the code from AuthenticationInterceptor.java, create a new class, for >>>> example, AuthenticationInterceptor2.java, and copy it. >>>> >>>> Changes needed in order to compile: >>>> import AuthenticationInterceptor >>>> change "extends Base..." for "extends AuthenticatorInterceptor" >>>> fix the super call in the constructor. >>>> >>>> If I'm not wrong, that should compile for you. Now, instead of including >>>> AuthenticationInterceptor in your DirectoryService, please include >>>> AuthenticationInterceptor2. >>>> >>>> That should start your server normally. And that should give you the error. >>> Doing that atm... >>> >>> I will run the pwdPolicyTests to see what's going on; >>> >>> >> Hmmm, seems to blow pretty well :-) > S/blow/blow out/ > > Ok, I know what's going on. The way the server initialization works, the result ou get is plain normal. Let me explain what's going on. When a request is received, we will pass it through the interceptor chain. Let's say it's an ADD operation. So we will process this operation through each interceptor add() method, assuming the interceptor implements the add() method. How do we know that the interceptor implements the add() operation ? Easy : we use reflection. We do that for each interceptor. For performance reason, we pre-parse all the interceptors at startup to know which intecreptor to activate when the server is up and running, instead of cimputing this for every single request. For the ADD operation, we generate this list : {ADD=[normalizationInterceptor, **authenticationInterceptor**, **authenticationInterceptor**, referralInterceptor, aciAuthorizationInterceptor, administrativePointInterceptor, exceptionInterceptor, schemaInterceptor, operationalAttributeInterceptor, collectiveAttributeInterceptor, subentryInterceptor, eventInterceptor, triggerInterceptor, changeLogInterceptor, journalInterceptor]} As you can see, the authenticationInterceptor is present *twice* in this list. Why ? Just because we will find the add() method in the AuthenticatonIntecreptor2 class, *and* in its parent, so both classes will be added, using the name of the parent. The result is that you will pass twice in the interceptor, and of course, the second time, the password will already be present in the pwdHistory variable... The code that does this is in DefaultDirectoryService : private void gatherInterceptors( Interceptor interceptor, Class interceptorClz, OperationEnum operation, List selectedInterceptorList ) { ... if ( hasCorrestSig && method.getName().equals( operation.getMethodName() ) ) { selectedInterceptorList.add( interceptor.getName() ); break; } } gatherInterceptors( interceptor, interceptorClz.getSuperclass(), operation, selectedInterceptorList ); <<<<---------------- Here... } If I modify this method to have this instead : private void gatherInterceptors( Interceptor interceptor, Class interceptorClz, OperationEnum operation, List selectedInterceptorList ) { ... if ( hasCorrestSig && method.getName().equals( operation.getMethodName() ) ) { if ( !selectedInterceptorList.contains( interceptor.getName() ) ) { selectedInterceptorList.add( interceptor.getName() ); } } gatherInterceptors( interceptor, interceptorClz.getSuperclass(), operation, selectedInterceptorList ); <<<<---------------- Here... } magically, the test works. Now, the question is why would you extend the AuthenticatorIntecreptor, instead of writing your own ? Is it mandatory ? In any case, I think I can change the code so that the interceptors does not appears twice in the list. I'm currently running integration tests to see if it has any impact on the code (I don't think so). I'd like you to create a JIRA where you expose the pb, so that we can track it. This was an interesting issue :) Thanks a lot for your patience ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com