Chris, as I’m sure you know, parentheses are used by LDAP search filters to establish precedence of operations. You can look into encoding the value of the role name. I’m surprised it isn’t already, as passing unencoded strings into LDAP is considered a security vulnerability, and many of the values passed into LDAP are encoded.
My view is role names probably shouldn’t have parentheses in the names, but I don’t have strong enough feelings to discourage its use by others. That is to say, if you have good reasons for doing it, you should be able to encode that value prior to storing / searching for it.

Shawn

> On Feb 9, 2017, at 1:20 PM, Chris Pike <[email protected]> wrote:
>
> It's an LdapProtocolErrorException, the offending role name is something like
> "Test Role (development)" and the error printed looks something like
>
> org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: The
> filter (&(objectClass=ftOperation)(|(ftUsers=userId)(ftRoles=Test Role
> (development)))) is invalid
>
> ----- Original Message -----
> From: "Emmanuel Lécharny" <[email protected]>
> To: [email protected]
> Sent: Thursday, February 9, 2017 5:11:33 AM
> Subject: Re: Filter Escapes
>
> On 09/02/2017 at 01:59, Shawn McKinney wrote:
>>> On Feb 8, 2017, at 8:01 AM, Chris Pike <[email protected]> wrote:
>>>
>>> Ran into an issue yesterday where a role name had parentheses in the name,
>>> and this messed up the fortress ldap filter when getting permissions for a
>>> user through the access manager. It appears filter params aren't being
>>> properly escaped. Not sure if it is specific to this case or is present in
>>> other places as well. Thoughts?
>> Hi Chris,
>>
>> what is the error you receive?
>
> In any case, you have two ways to build a filter:
> - use a String, and parse it
> - use the LDAP API filter Node elements (like EqualityNode), and get the
> resulting String
>
> In the first case, each Filter element's value has to be encoded so that
> it's not going to interact with the filter structure (i.e., every '(' and
> ')' has to be escaped, and a few more chars too).
>
> This can be done using the FilterEncoder.encodeFilterValue( String value )
> static method, which returns an encoded value.
>
> For instance, if you want to create a filter for an equality on the 'cn'
> AttributeType, with a value of "ACME(tm)", whose resulting filter is
> "(cn=ACME\\28tm\\29)", do that:
>
> String filterStr = String.format( "(%s=%s)", "cn",
> FilterEncoder.encodeFilterValue( "ACME(tm)" ) );
>
> or
>
> String filterStr = new EqualityNode<>( "cn", new StringValue(
> "ACME(tm)" ) ).toString();
>
>
> Both resulting filterStr will be valid (i.e. the "(cn=ACME\\28tm\\29)"
> String)
>
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
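
The failure and the fix discussed in this thread, as an added example that is not part of the original messages and is not Fortress or Apache LDAP API code. It uses only the JDK: `escapeFilterValue` is a hand-written stand-in for `FilterEncoder.encodeFilterValue`, and `permissionFilter`, `parse` and `isValid` are hypothetical helpers that cover only the and/or/equality shape of the filter in the error message.

```java
public class FilterEscapeDemo {
    // RFC 4515 value escaping, the job FilterEncoder.encodeFilterValue does in the thread.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5C"); break;
                case '*':  sb.append("\\2A"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical helper: the permission filter shape quoted in the error message.
    static String permissionFilter(String userId, String role) {
        return "(&(objectClass=ftOperation)(|(ftUsers=" + userId + ")(ftRoles=" + role + ")))";
    }

    // Minimal structural check (and/or of attr=value items only, not a full RFC 4515 parser).
    // Returns the index just past one filter starting at i, or -1 if malformed.
    static int parse(String f, int i) {
        if (i + 1 >= f.length() || f.charAt(i) != '(') return -1;
        char op = f.charAt(++i);
        if (op == '&' || op == '|') {
            int n = 0;
            for (i++; i < f.length() && f.charAt(i) == '('; n++) {
                if ((i = parse(f, i)) < 0) return -1;
            }
            return (n > 0 && i < f.length() && f.charAt(i) == ')') ? i + 1 : -1;
        }
        int eq = f.indexOf('=', i), close = f.indexOf(')', i);
        if (eq <= i || close < eq) return -1;
        // An unescaped '(' inside a value is what the server rejected in the thread.
        return f.substring(eq + 1, close).indexOf('(') >= 0 ? -1 : close + 1;
    }

    static boolean isValid(String f) { return parse(f, 0) == f.length(); }
    public static void main(String[] args) {
        String role = "Test Role (development)"; // role name from the thread
        String raw = permissionFilter("userId", role);
        String enc = permissionFilter(escapeFilterValue("userId"), escapeFilterValue(role));
        System.out.println(isValid(raw) + "  " + raw);
        System.out.println(isValid(enc) + "  " + enc);
    }
}
```

Every value placed into a filter string goes through the escaper, not only the role name, so the filter structure is decided by the code and never by stored data.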
