[jira] Created: (DIRSERVER-1002) stopping server without credentials results in NPE after server stops

Sat, 21 Jul 2007 17:49:27 -0700 

stopping server without credentials results in NPE after server stops
---------------------------------------------------------------------

                 Key: DIRSERVER-1002
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1002
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: core
    Affects Versions: 1.5.1
            Reporter: David Jencks


This code:

        Properties env = new Properties();
        env.putAll(new ShutdownConfiguration().toJndiEnvironment());
        env.put( Context.INITIAL_CONTEXT_FACTORY, 
ServerContextFactory.class.getName() );

        //Shut it down
        new InitialDirContext( env );

results in, in AbstractContextFactory:

line 115:
            service.shutdown();
which successfully shuts down the server without checking anything about 
authentication/authorization

line 146:
        Context context = service.getJndiContext( principalDn, principal, 
credential, authentication, providerUrl );

which calls DefaultDirectoryService...
    public synchronized Context getJndiContext( LdapDN principalDn, String 
principal, byte[] credential, 
        String authentication, String rootDN ) throws NamingException
    {
        checkSecuritySettings( principal, credential, authentication );

        if ( !started )
        {
            return new DeadContext();
        }



checkSecuritySettings gets to line 438:
            if ( !startupConfiguration.isAllowAnonymousAccess() )

which throws an NPE since the server is shut down, so startupConfiguration has 
been reset to null.

So there are a lot of questions I don't know the answers to that I'd need to 
know which of the many ways to fix this would be most appropriate:

- is this AbstractContextFactory accessed before or after all the server 
interceptors? Or is it only accessed when no interceptors will be called?
- is it appropriate to check security credentials and authorization to be able 
to shut down the server from the same vm?
- If so, what code should be checking this authentication and authorization, 
because checkSecuritySettings doesn't check these, ever.

I'd suspect the first step towards a solution would be to remove the 
checkSecuritySettings method entirely, since AFAICT it currently serves only to 
pretend that some security checking is happening.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to