[Jboss-cvs] JBossAS SVN: r55349 - branches/JBoss_4_0_3_SP1_CP/security/src/main/org/jboss/security/auth/spi
jboss-cvs-commits at lists.jboss.org
Sat Aug 5 14:27:45 EDT 2006
Author: ryan.campbell at jboss.com
Date: 2006-08-05 14:27:45 -0400 (Sat, 05 Aug 2006)
New Revision: 55349
Modified:
branches/JBoss_4_0_3_SP1_CP/security/src/main/org/jboss/security/auth/spi/LdapLoginModule.java
Log:
JBAS-2691 LdapLoginModule role filter leads to extra role or NPE and failed authentication
n
Modified: branches/JBoss_4_0_3_SP1_CP/security/src/main/org/jboss/security/auth/spi/LdapLoginModule.java
===================================================================
--- branches/JBoss_4_0_3_SP1_CP/security/src/main/org/jboss/security/auth/spi/LdapLoginModule.java 2006-08-05 16:47:05 UTC (rev 55348)
+++ branches/JBoss_4_0_3_SP1_CP/security/src/main/org/jboss/security/auth/spi/LdapLoginModule.java 2006-08-05 18:27:45 UTC (rev 55349)
@@ -1,9 +1,24 @@
/*
- * JBoss, Home of Professional Open Source
- *
- * Distributable under LGPL license.
- * See terms of license at gnu.org.
- */
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
package org.jboss.security.auth.spi;
import java.security.acl.Group;
@@ -235,6 +250,7 @@
private void createLdapInitContext(String username, Object credential)
throws Exception
{
+ boolean trace = log.isTraceEnabled();
Properties env = new Properties();
// Map all option into the JNDI InitialLdapContext env
Iterator iter = options.entrySet().iterator();
@@ -281,13 +297,22 @@
env.setProperty(Context.PROVIDER_URL, providerURL);
env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
env.put(Context.SECURITY_CREDENTIALS, credential);
- super.log.trace("Logging into LDAP server, env=" + env);
+ if( trace )
+ {
+ Properties tmp = new Properties();
+ tmp.putAll(env);
+ tmp.setProperty(Context.SECURITY_CREDENTIALS, "***");
+ log.trace("Logging into LDAP server, env=" + tmp.toString());
+ }
InitialLdapContext ctx = new InitialLdapContext(env, null);
- super.log.trace("Logged into LDAP server, " + ctx);
+ if( trace )
+ log.trace("Logged into LDAP server, " + ctx);
if( bindDN != null )
{
// Rebind the ctx to the bind dn/credentials for the roles searches
+ if( trace )
+ log.trace("Rebind SECURITY_PRINCIPAL to: "+bindDN);
env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
env.put(Context.SECURITY_CREDENTIALS, bindCredential);
ctx = new InitialLdapContext(env, null);
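Review bot: The masked copy at `tmp.setProperty(Context.SECURITY_CREDENTIALS, "***")` hides only the user's password, but env was populated from every module option earlier in this method ("Map all option into the JNDI InitialLdapContext env"), so if the bind credential used in the rebind below is also supplied as a module option it is printed unmasked on the same trace line; mask that key in `tmp` too, e.g. `tmp.remove("bindCredential");` (presumably the option name matches the field; confirm against the option parsing). A second point on the rebind: `ctx = new InitialLdapContext(env, null);` overwrites the first context without closing it, so the user-bound connection is leaked on every login that configures bindDN; call `ctx.close();` before the reassignment. createLdapInitContext starts before this hunk and continues after it.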
@@ -329,8 +354,7 @@
roleAttrName = "roles";
StringBuffer roleFilter = new StringBuffer("(");
roleFilter.append(uidAttrName);
- roleFilter.append("=*)");
- //BasicAttributes matchAttrs = new BasicAttributes(true);
+ roleFilter.append("={0})");
String userToMatch = username;
if (matchOnUserDN == true)
userToMatch = userDN;
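Review bot: The change from `=*)` to `={0})` is the actual JBAS-2691 fix but carries no comment, and the reason matters to whoever next edits this filter: the `{0}` placeholder is substituted by the JNDI provider from filterArgs, which escapes LDAP filter metacharacters in the user value, whereas appending userToMatch to the StringBuffer directly would let a crafted user name widen the filter and pick up other entries' roles. Suggest `// {0} is bound to userToMatch via filterArgs so the provider escapes it; never concatenate the user value into the filter` above `roleFilter.append("={0})");`. The method continues outside the hunk.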
@@ -375,11 +399,22 @@
controls.setReturningAttributes(roleAttr);
controls.setTimeLimit(searchTimeLimit);
Object[] filterArgs = {userToMatch};
+ if( trace )
+ {
+ log.trace("searching rolesCtxDN="+rolesCtxDN+", roleFilter="+roleFilter
+ +", filterArgs="+userToMatch+", roleAttr="+roleAttr
+ +", searchScope="+searchScope+", searchTimeLimit="+searchTimeLimit
+ );
+ }
NamingEnumeration answer = ctx.search(rolesCtxDN, roleFilter.toString(),
filterArgs, controls);
while (answer.hasMore())
{
SearchResult sr = (SearchResult) answer.next();
+ if( trace )
+ {
+ log.trace("Checking answer: "+sr.getName());
+ }
Attributes attrs = sr.getAttributes();
Attribute roles = attrs.get(roleAttrName);
for (int r = 0; r < roles.size(); r++)
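Review bot: The new trace concatenates `roleAttr`, and since it is passed to `controls.setReturningAttributes(roleAttr)` it is a String[], so the log line shows the array identity rather than the attribute names; use `", roleAttr="+java.util.Arrays.asList(roleAttr)` (or Arrays.toString on Java 5+). Separately, the NPE named in the commit message is still reachable on the new side: `Attribute roles = attrs.get(roleAttrName);` returns null when a matched entry lacks that attribute and `roles.size()` then throws a RuntimeException that the NamingException catch further down does not handle; a `if (roles == null) continue;` guard after the new trace block would close it, assuming such entries should be skipped rather than fail the login. The try block enclosing this search starts before the hunk and the for loop body continues after it.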
@@ -391,7 +426,8 @@
// Query the roleDN location for the value of roleNameAttributeID
String roleDN = value.toString();
String[] returnAttribute = {roleNameAttributeID};
- super.log.trace("Using roleDN: " + roleDN);
+ if( trace )
+ log.trace("Following roleDN: " + roleDN);
try
{
Attributes result = ctx.getAttributes(roleDN, returnAttribute);
@@ -416,7 +452,8 @@
try
{
Principal p = super.createIdentity(roleName);
- log.trace("Assign user to role " + roleName);
+ if( trace )
+ log.trace("Assign user to role " + roleName);
userRoles.addMember(p);
}
catch (Exception e)
@@ -429,10 +466,12 @@
}
catch (NamingException e)
{
- log.trace("Failed to locate roles", e);
+ if( trace )
+ log.trace("Failed to locate roles", e);
}
}
// Close the context to release the connection
ctx.close();
}
}
+
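Review bot: `ctx.close()` at the end of this hunk runs outside the try/catch, so any exception that is not a NamingException thrown during the role search (the NPE on a missing role attribute being the one the commit message mentions) propagates past it and leaks the LDAP connection; move the close into a `finally` on the try that starts before this hunk, or wrap everything after the context is created in try/finally. The guarded `log.trace("Failed to locate roles", e)` also means a failed role search is invisible at normal log levels while, as far as this hunk shows, the method then returns normally with whatever roles were collected, which hides a misconfigured rolesCtxDN in production; logging at debug or warn with the exception would surface it without changing the outcome. The enclosing try and the method both start outside the hunk.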