[
https://issues.apache.org/jira/browse/DIRSERVER-1002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Emmanuel Lecharny updated DIRSERVER-1002:
-----------------------------------------
Affects Version/s: (was: 1.5.1)
1.5.0
Fix Version/s: 1.5.1
Changed the affected version (sadly, there is no 1.5.1-SNAPSHOT item ...), and
mark the fix o be delivered in 1.5.1
> stopping server without credentials results in NPE after server stops
> ---------------------------------------------------------------------
>
> Key: DIRSERVER-1002
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1002
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: core
> Affects Versions: 1.5.0
> Reporter: David Jencks
> Fix For: 1.5.1
>
>
> This code:
> Properties env = new Properties();
> env.putAll(new ShutdownConfiguration().toJndiEnvironment());
> env.put( Context.INITIAL_CONTEXT_FACTORY,
> ServerContextFactory.class.getName() );
> //Shut it down
> new InitialDirContext( env );
> results in, in AbstractContextFactory:
> line 115:
> service.shutdown();
> which successfully shuts down the server without checking anything about
> authentication/authorization
> line 146:
> Context context = service.getJndiContext( principalDn, principal,
> credential, authentication, providerUrl );
> which calls DefaultDirectoryService...
> public synchronized Context getJndiContext( LdapDN principalDn, String
> principal, byte[] credential,
> String authentication, String rootDN ) throws NamingException
> {
> checkSecuritySettings( principal, credential, authentication );
> if ( !started )
> {
> return new DeadContext();
> }
> checkSecuritySettings gets to line 438:
> if ( !startupConfiguration.isAllowAnonymousAccess() )
> which throws an NPE since the server is shut down, so startupConfiguration
> has been reset to null.
> So there are a lot of questions I don't know the answers to that I'd need to
> know which of the many ways to fix this would be most appropriate:
> - is this AbstractContextFactory accessed before or after all the server
> interceptors? Or is it only accessed when no interceptors will be called?
> - is it appropriate to check security credentials and authorization to be
> able to shut down the server from the same vm?
> - If so, what code should be checking this authentication and authorization,
> because checkSecuritySettings doesn't check these, ever.
> I'd suspect the first step towards a solution would be to remove the
> checkSecuritySettings method entirely, since AFAICT it currently serves only
> to pretend that some security checking is happening.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
