tomcat-dev mailing list archives

Subject: Bug in JNDIRealm, Login fails if slash character in distinguished name, Fix [Virus-checked]
Date: Fri, 12 Nov 2004 16:06:13 GMT
JNDIRealm fails with javax.naming.InvalidNameException: Invalid name:
or any other DN with a slash character.

Background and cause:
A slash character is a perfectly valid character in LDAP object names or in
class LdapName.
It doesn't even have to be escaped, in contrast to '+' or '\', for example.
The problem is caused only in Java and Tomcat because of JNDI.
In JNDI, directory names are of class CompositeName with separator '/', and
LDAP directory names are of class LdapName with separator ','.
The JNDIRealm uses only InitialDirContext instead of InitialLdapContext,
and it uses only Name instead of LdapName. But ctx.getNameParser("")
returns an LdapNameParser, and parser.parse() returns LdapNames.
So LdapNames and CompositeNames become mangled.

Original Code from JNDIRealm in getUserBySearch():

        // Get the entry's distinguished name
        NameParser parser = context.getNameParser("");
        Name contextName = parser.parse(context.getNameInNamespace());
        Name baseName = parser.parse(userBase);
        // BUG: InvalidNameException is thrown if a slash is parsed
        Name entryName = parser.parse(result.getName());
        Name name = contextName.addAll(baseName);
        name = name.addAll(entryName);
        String dn = name.toString();

My quick (and ugly) fix:

        // Get the entry's distinguished name
        NameParser parser = ctx.getNameParser("");
        Name contextName = parser.parse(ctx.getNameInNamespace());
        Name baseName = parser.parse(searchbase);
        String rdn = sr.getName();
        // delete surrounding double quotes if any
        int rdnEnd = rdn.length() - 1;
        if (rdnEnd > 0) {
            if (rdn.charAt(0) == '"' && rdn.charAt(rdnEnd) == '"') {
                rdn = rdn.substring(1, rdnEnd);
            }
        }
        Name entryName = parser.parse(rdn);
        Name name = contextName.addAll(baseName);
        name = name.addAll(entryName);
        String dn = name.toString();

If there are one or more slash characters in the getName() string, then the
whole string is embedded in double quotes. I simply delete them and
everything works.

If I use

  rdn = (String) LdapName.unescapeAttributeValue(rdn);

instead, it doesn't work, because the escape character '\' in front of
',' or '+' is deleted too, which causes other exceptions.

I didn't dare to introduce any of the javax.naming.ldap.* classes, which
might provide more elegant solutions, but tried to solve it with the
javax.naming.* classes.

With Java 5 it definitely gets more elegant, because then we don't have only
and String but also RDNs, which are relative distinguished names. They are
the equivalent of components of CompositeNames and don't fiddle with slashes.

Frerk Meyer

EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
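
The mangling described in the message, worked through as an added example (not code from the message or from Tomcat's JNDIRealm). Per the JNDI contract, SearchResult.getName() returns the relative name in composite-name syntax, so a component containing '/' comes back wrapped in double quotes and with any embedded '"' escaped; the example simulates that rendering with CompositeName's own stringification rather than a live LDAP search (an assumption, no server is contacted). It compares the quote-stripping quick fix with letting CompositeName undo its own quoting, then composes the full DN with the Java 5 javax.naming.ldap.LdapName class that the author did not have available. The class name JndiSlashDemo, the DNs dc=example,dc=com and ou=users, and the RDN values are constructed for the demonstration.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class JndiSlashDemo {

    /**
     * Simulate what an LDAP provider hands back from SearchResult.getName():
     * the relative name rendered in composite-name syntax. A component that
     * contains '/' is quoted, and quotes inside it are escaped. (Assumption:
     * the provider renders names the way CompositeName does, as JNDI specifies.)
     */
    static String asProviderName(String rawRdn) throws InvalidNameException {
        return new CompositeName().add(rawRdn).toString();
    }

    /** The quick fix from the message: strip surrounding double quotes only. */
    static String stripQuotes(String s) {
        int end = s.length() - 1;
        if (end > 0 && s.charAt(0) == '"' && s.charAt(end) == '"') {
            return s.substring(1, end);
        }
        return s;
    }

    /**
     * Undo the composite-name quoting and escaping with JNDI's own parser.
     * A relative name from a search is exactly one composite component, even
     * when it spans several LDAP RDNs (the ',' is LDAP syntax, not JNDI syntax).
     */
    static String unwrap(String providerName) throws InvalidNameException {
        CompositeName cn = new CompositeName(providerName);
        if (cn.size() != 1) {
            throw new InvalidNameException("expected one composite component, got "
                    + cn.size() + ": " + providerName);
        }
        return cn.get(0);
    }

    /**
     * Compose context name + search base + entry name as an LdapName, where
     * '/' is an ordinary character. LdapName index 0 is the rightmost RDN,
     * so appending moves leftward, towards the most specific RDN.
     */
    static String buildDn(String contextDn, String userBase, String providerName)
            throws InvalidNameException {
        LdapName dn = new LdapName(contextDn);   // "" is fine for the root context
        dn.addAll(new LdapName(userBase));
        dn.add(unwrap(providerName));            // parsed as RFC 2253 RDN(s)
        return dn.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed RDNs, as the directory would present them (RFC 2253 escaping).
        String[] rawRdns = {
            "cn=Frerk Meyer",                // no slash: returned verbatim
            "cn=Web/Technologien",           // slash: provider quotes the whole component
            "cn=Meyer\\, Frerk/Hamburg",     // LDAP-escaped comma plus a slash
            "cn=John \\\"JJ\\\" Doe/East",   // LDAP-escaped quotes plus a slash
        };
        for (String raw : rawRdns) {
            String fromProvider = asProviderName(raw);
            System.out.println("raw RDN          : " + raw);
            System.out.println("getName() gives  : " + fromProvider);
            try {
                // This is what JNDIRealm's parser.parse(result.getName()) amounts to.
                new LdapName(fromProvider);
                System.out.println("LdapName parse   : ok");
            } catch (InvalidNameException e) {
                System.out.println("LdapName parse   : " + e.getMessage());
            }
            String stripped = stripQuotes(fromProvider);
            System.out.println("strip quotes     : " + stripped
                    + (stripped.equals(raw) ? "" : "   <-- differs from the raw RDN"));
            System.out.println("CompositeName    : " + unwrap(fromProvider));
            System.out.println("full DN          : "
                    + buildDn("dc=example,dc=com", "ou=users", fromProvider));
            System.out.println();
        }
    }
}
```

Run with `javac JndiSlashDemo.java && java JndiSlashDemo`. The third and fourth inputs are the cases the quick fix does not cover: once the provider has quoted the component, an embedded quote is escaped for the composite syntax on top of the LDAP escaping, and stripping only the outer quotes hands a differently escaped string to the LDAP name parser, whereas `new CompositeName(name).get(0)` restores the original RDN. On Java 5 and later, providers that support it also expose the complete DN through `SearchResult.getNameInNamespace()`, which avoids re-assembling the name at all.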
