Working on patch (need feedback)
While using Tomcat and Active Directory, I found a small bug. Normally in LDAP, you escape certain special characters, one of which is the comma. This is done by

DN=CN=Doe\, Jane, OU=unit, OU=People

However, when I instructed Tomcat to search for roles by inserting the distinguished name, no results were found. This is because I found in Active Directory in an object filter you must put

member=CN=Doe\\, Jane, OU=unit, OU=People or member=CN="Doe, Jane", OU=unit, OU=People

I have written a patch that at the moment can implement either of those two fixes by encoding the filter. I have tried to find the answer at the LDAP specifications at http://rfc.sunsite.dk/rfc/rfc2253.html. Is this just Active Directory messing up? Does my fix seem reasonable? What is the best method to fix my problems and stay within LDAP specifications?

Any feedback or suggestions are welcomed.

Thanks,
Jessica
RE: Working on patch (need feedback)
In LDAP, different attributes are separated by a comma, so you must distinguish when you use a comma in the middle of the attribute. This means a comma in the middle of the attribute must be escaped. Sorry for the confusion. Hope this clears it up.

Jessica

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 1:44 PM
To: Tomcat Developers List
Subject: RE: Working on patch (need feedback)

Howdy,
What about the other commas? I'm not that familiar with LDAP specs, so this may be a stupid question, but why are you escaping only the first comma?

Yoav Shapira
Millennium ChemInformatics
RE: Working on patch (need feedback)
I found the bug to which I am referring is already posted at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16541

It doesn't seem like it has generated any interest. I think it is rare for someone to encounter this bug due to the rarity of putting a comma within an attribute, but the fix to Tomcat seems easy. How close is the working JNDIRealm solution to being added?

Jessica

-Original Message-
From: Mario Ivankovits [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 1:48 PM
To: Tomcat Developers List
Subject: Re: Working on patch (need feedback)

Hello!

Look at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831, there you will find

JNDIRealmCertAD -- Windows Active Directory
and
JNDIRealmCertOpenExchange -- (Maybe) Standard LDAP

Maybe JNDIRealmCertAD already does the job for you. Maybe not, but then we do have a good starting point to build an all-working JNDIRealm solution.

Mario
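The two escaping layers this thread runs into, as an added example (not code from the posts above or from Tomcat): a value is first escaped for use inside a DN per RFC 2253, and the finished DN is then escaped as a search-filter assertion value per RFC 2254, where a backslash is written `\5c`. The class and method names are hypothetical, and the OU components are constructed from the DN quoted in the thread.

```java
public final class LdapEscape {   // hypothetical helper, not part of Tomcat

    /** Escape one attribute value for use inside a DN (RFC 2253, section 2.4). */
    static String escapeDnValue(String value) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean first = (i == 0);
            boolean last = (i == value.length() - 1);
            if (",+\"\\<>;".indexOf(c) >= 0
                    || (first && (c == '#' || c == ' '))
                    || (last && c == ' ')) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    /** Escape a string used as an assertion value in a search filter (RFC 2254, section 4). */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Build a member filter from a raw (unescaped) common name; the OUs are constructed samples. */
    static String memberFilter(String commonName) {
        String dn = "CN=" + escapeDnValue(commonName) + ",OU=unit,OU=People";
        return "(member=" + escapeFilterValue(dn) + ")";
    }

    public static void main(String[] args) {
        System.out.println(memberFilter("Doe, Jane"));       // the name from the thread
        System.out.println(memberFilter("Smith (Ops), Al")); // constructed: also has filter metacharacters
    }
}
```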
Implementing my own realm
I could really use some help. So I have created my own realm that extends the JNDIRealm, you can see that class further down. I also created the LDAPMessageFormat class. So I put these classes into a jar, which I put into the server/lib folder in Tomcat. In my server.xml, instead of using the className for the org.apacheJNDIRealm, I put in the name of my realm. When I start up Tomcat, I get this error,

ServerLifecycleLister: Can't create mbean for realm [EMAIL PROTECTED]

Does anyone know how to fix this problem? I would greatly appreciate any help. In case you are wondering, all the realm should do in addition to the JNDIRealm is to fix the bug, http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16541.

Many thanks in advance!
Jessica

// StrykerJNDIRealm.java
import org.apache.catalina.realm.JNDIRealm;

public class StrykerJNDIRealm extends JNDIRealm {

    /**
     * Set the message format pattern for selecting users in this Realm.
     *
     * @param userSearch The new user search pattern
     */
    public void setUserSearch(String userSearch) {
        System.out.println("in StrykerJNDI realm");
        this.userSearch = userSearch;
        if (userSearch == null)
            userSearchFormat = null;
        else
            userSearchFormat = new LDAPMessageFormat(userSearch);
    }
}

// LDAPMessageFormat.java
import java.text.MessageFormat;

public class LDAPMessageFormat extends MessageFormat {

    /**
     * @param pattern
     */
    public LDAPMessageFormat(String pattern) {
        super(pattern);
    }

    public String format(String[] pattern) {
        String format = format((Object)pattern);
        return filterEncode(format);
    }

    /**
     * Put the filter into the proper form. LDAP servers require a ',' within an attribute
     * to be encoded by a '\'. It further requires a '\' to encode a '\' when using a search filter.
     *
     * @param filter The filter to be encoded
     */
    public String filterEncode(String filter) {
        int backslash = filter.indexOf('\\');
        int nextSlash = 1;
        int equal = 0;
        int comma = 0;
        boolean firstTime = true;

        // Nothing to encode, or a trailing backslash with no character after it:
        // return early so the substring() call below cannot go out of range.
        if (backslash < 0 || backslash + 1 >= filter.length())
            return filter;

        String charAfterBack = filter.substring(backslash + 1, backslash + 2);

        while (nextSlash > 0 && backslash > 0) {
            // Section 4 of http://rfc.sunsite.dk/rfc/rfc2253.html states
            //
            // "Implementations MUST allow a value to be surrounded by quote ('"'
            // ASCII 34) characters, which are not part of the value. Inside the
            // quoted value, the following characters can occur without any
            // escaping:
            // ',', '=', '+', '<', '>', '#' and ';' "
            //
            // So if none of these characters are currently being escaped return original filter
            if ((charAfterBack.compareTo(",")) != 0 &&
                (charAfterBack.compareTo("=")) != 0 &&
                (charAfterBack.compareTo("+")) != 0 &&
                (charAfterBack.compareTo("<")) != 0 &&
                (charAfterBack.compareTo(">")) != 0 &&
                (charAfterBack.compareTo("#")) != 0 &&
                (charAfterBack.compareTo(";")) != 0)
                return filter;

            /*String before = filter.substring(0, backslash + 1);
            String after = filter.substring(backslash + 1);
            nextSlash = after.indexOf('\\');
            backslash = backslash + nextSlash + 1;
            filter = before + "\\" + after;*/

            // remove the backslash that is escaping
            String before = filter.substring(0, backslash);
            String after = filter.substring(backslash + 1);
            nextSlash = after.indexOf('\\');
            backslash = backslash + nextSlash + 1;

            //find where to put the quotes around
            //beginning of quotes after the objectname = attribute = ..., attribute=...,
            if (firstTime) {
                equal = before.indexOf('=');
                equal = (before.substring(equal + 1)).indexOf('=') + equal + 1;
                firstTime = false;
            }
            else
                equal = before.indexOf('=');

            //end of quotes before comma separating attributes
            //making sure not to grab the comma that is being escaped
            comma = (after.substring(1)).indexOf(',');

            if (comma > 0 && equal > 0)
                filter = before.substring(0, equal + 1) + "\"" +
                         before.substring(equal + 1) + after.substring(0, comma + 1) + "\"" +
                         after.substring(comma + 1);
        }
        return filter;
    }
}
RE: Implementing my own realm
I've edited the mbeans-descriptors.xml and solved that problem at least.

-Original Message-
From: Gross, Jessica
Sent: Wednesday, July 30, 2003 10:55 AM
To: [EMAIL PROTECTED]
Subject: Implementing my own realm