cvs commit: jakarta-tomcat-4.0/catalina/src/test/org/apache/catalina/realm JNDIRealmTestCase.java

2003-12-12 Thread funkman
funkman 2003/12/12 13:31:56

  Modified:catalina/src/share/org/apache/catalina/realm JNDIRealm.java
   catalina/src/test/org/apache/catalina/realm
JNDIRealmTestCase.java
  Log:
  BZ 23190 16541
  Make JNDIRealm escape search filters
  
  Patch by Jeff Tulley jtulley AT novell dot com
  
  Revision  ChangesPath
  1.16  +51 -4 
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java
  
  Index: JNDIRealm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- JNDIRealm.java4 Sep 2003 19:59:47 -   1.15
  +++ JNDIRealm.java12 Dec 2003 21:31:56 -  1.16
  @@ -90,6 +90,7 @@
   import org.apache.catalina.util.StringManager;
   import org.apache.catalina.util.Base64;
   
  +
   /**
* Implementation of Realm that works with a directory
* server accessed via the Java Naming and Directory Interface (JNDI) APIs.
  @@ -1340,6 +1341,7 @@
   
   // Set up parameters for an appropriate search
   String filter = roleFormat.format(new String[] { dn, username });
  +filter = doRFC2254Encoding(filter);
   SearchControls controls = new SearchControls();
   if (roleSubtree)
   controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
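Review bot: The added `filter = doRFC2254Encoding(filter);` escapes the whole formatted filter, so the parentheses and any `*` that belong to the `roleFormat` template itself are rewritten as `\28`, `\29` and `\2a`, which turns an ordinary template such as `(member={0})` (constructed example) into a filter the directory will reject; only the substituted values are untrusted and need escaping. Escape the arguments before formatting instead and drop the added line: `String filter = roleFormat.format(new String[] { doRFC2254Encoding(dn), doRFC2254Encoding(username) });`. Of the two, `username` is caller-supplied and is the value the encoding exists for, while `dn` was returned by the directory, so escaping it is defensive. The `roleFormat` template and the enclosing method both lie outside this hunk, so whether the template contains filter metacharacters is inferred from how LDAP search filters are normally written rather than read from the page.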
  @@ -1671,6 +1673,51 @@
   return null;
   
   }
  +
  +
  +/**
  + * Given an LDAP search string, returns the string with certain characters
  + * escaped according to RFC 2254 guidelines.
  + * The character mapping is as follows:
  + * char ->  Replacement
  + *---
  + * *  -> \2a
  + * (  -> \28
  + * )  -> \29
  + * \  -> \5c
  + * \0 -> \00
  + * @param inString string to escape according to RFC 2254 guidelines
  + * @return
  + */
  +protected String doRFC2254Encoding(String inString) {
  +StringBuffer buf = new StringBuffer(inString.length());
  +for (int i = 0; i < inString.length(); i++) {
  +char c = inString.charAt(i);
  +switch (c) {
  +case '\\':
  +buf.append("\\5c");
  +break;
  +case '*':
  +buf.append("\\2a");
  +break;
  +case '(':
  +buf.append("\\28");
  +break;
  +case ')':
  +buf.append("\\29");
  +break;
  +case '\0':
  +buf.append("\\00");
  +break;
  +default:
  +buf.append(c);
  +break;
  +}
  +}
  +return buf.toString();
  +}
  +
  +
   }
   
   // -- Private Classes
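Review bot: The `@return` tag in the new Javadoc for `doRFC2254Encoding` is empty; it should state the contract, e.g. `@return the input with backslash, asterisk, parentheses and NUL replaced by their RFC 2254 backslash-hex escapes, safe to substitute into a search filter`. The five cases in the switch are exactly the characters RFC 2254 requires to be escaped in an assertion value, so the table in the comment matches the code. `inString.length()` is dereferenced without a check, so a null argument throws NullPointerException; either document that with `@throws NullPointerException if inString is null` or add a guard, since callers of a sanitizer tend to assume it tolerates any input. The method is the last member before the class closes, so the hunk is complete here.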
  
  
  
  1.2   +69 -2 
jakarta-tomcat-4.0/catalina/src/test/org/apache/catalina/realm/JNDIRealmTestCase.java
  
  Index: JNDIRealmTestCase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/test/org/apache/catalina/realm/JNDIRealmTestCase.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- JNDIRealmTestCase.java4 Sep 2003 19:59:47 -   1.1
  +++ JNDIRealmTestCase.java12 Dec 2003 21:31:56 -  1.2
  @@ -247,6 +247,73 @@
   assertStringArraysEquals(expected, actual);
   }
   
  +
  +public void testRFC2254EncodingEmptyString() {
  +JNDIRealm realm = new JNDIRealm();
  +String actual = realm.doRFC2254Encoding("");
  +Assert.assertEquals("empty", "", actual);
  +}
  +
  +public void testRFC2254EncodingNoChange() {
  +JNDIRealm realm = new JNDIRealm();
  +String actual = realm.doRFC2254Encoding("cn=aname,o=acontext");
  +Assert.assertEquals("no change", "cn=aname,o=acontext", actual);
  +}
  +
  +public void testRFC2254EncodingAsterisk() {
  +JNDIRealm realm = new JNDIRealm();
  +String actual = realm.doRFC2254Encoding("cn=some*name,o=somecontext");
  +Assert.assertEquals("asterisk", "cn=some\\2aname,o=somecontext", actual);
  +}
  +
  +public void testRFC2254EncodingAsteriskAtEnd() {
  +JNDIRealm realm = new JNDIRealm();
  +String actual = realm.doRFC2254Encoding("cn=somename,o=somecontext*");
  +Assert.assertEquals("asterisk", "cn=somename,o=somecontext\\2a", actual);
  +}
  +
  +public void testRFC2254EncodingAsteriskAtBeginning() {
  +JNDIRealm realm = new JNDIRealm();
  +String actual = realm.doRFC2254Encoding("cn=*somename,o=somecontext");
  +Assert.assertEquals("aste

cvs commit: jakarta-tomcat-4.0/catalina/src/test/org/apache/catalina/realm JNDIRealmTestCase.java

2003-09-04 Thread funkman
funkman 2003/09/04 12:59:47

  Modified:catalina build.xml
   webapps/tomcat-docs realm-howto.xml
   catalina/src/share/org/apache/catalina/realm JNDIRealm.java
  Added:   catalina/src/test/org/apache/catalina/realm
JNDIRealmTestCase.java
  Log:
  Per http://marc.theaimsgroup.com/?l=tomcat-dev&m=106254937722504&w=2
  
  Allow Multiple user patterns in JNDIRealm and doc patch.
  
  Patch provided by Jeff Tulley  (jtulley at novell.com)
  
  Revision  ChangesPath
  1.133 +11 -1 jakarta-tomcat-4.0/catalina/build.xml
  
  Index: build.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/build.xml,v
  retrieving revision 1.132
  retrieving revision 1.133
  diff -u -r1.132 -r1.133
  --- build.xml 12 Mar 2003 21:38:05 -  1.132
  +++ build.xml 4 Sep 2003 19:59:46 -   1.133
  @@ -979,7 +979,7 @@
 
 
  +   depends="build-tests,test-dir-context,test-realm,test-util">
 
   
 
  @@ -1004,6 +1004,16 @@
   
   
   
  +  
  +
  +  
  +
  +
  +
  +  
  +  
  +
 
   
 
  
  
  
  1.13  +56 -14jakarta-tomcat-4.0/webapps/tomcat-docs/realm-howto.xml
  
  Index: realm-howto.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/tomcat-docs/realm-howto.xml,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- realm-howto.xml   7 May 2003 15:56:00 -   1.12
  +++ realm-howto.xml   4 Sep 2003 19:59:47 -   1.13
  @@ -362,7 +362,7 @@
   Password to be recognized by Tomcat when the user logs in.
   This value may in cleartext or digested - see below for more
   information.
  -
  +
   There must be a table, referenced below as the user roles table,
   that contains one row for every valid role that is assigned to a
   particular user.  It is legal for a user to have zero, one, or more than
  @@ -373,13 +373,13 @@
   Username to be recognized by Tomcat (same value as is specified
   in the users table).
   Role name of a valid role associated with this user.
  -
  +
   
   
   Quick Start
  -  
  +
   To set up Tomcat to use DataSourceRealm, you will need to follow these steps:
  -  
  +
   If you have not yet done so, create tables and columns in your database
   that conform to the requirements described above.
   Configure a database username and password for use by Tomcat, that has
  @@ -418,7 +418,7 @@
   generate more detailed output.  If not specified, the default
   debugging detail level is zero (0).
 
  -
  +
 
   The digest algorithm used to store passwords in non-plaintext formats.
   Valid values are those accepted for the algorithm name by the
  @@ -426,18 +426,18 @@
   Digested Passwords for more
   information.  If not specified, passwords are stored in clear text.
 
  -
  +
 
   The name of the column, in the user roles table, that
   contains the name of a role assigned to this user.
 
  -
  +
 
   The name of the column, in the users table, that contains
   the password for this user (either in clear text, or digested if the
   digest attribute is set).
 
  -
  +
 
   The name of the column, in the users and user roles
   tables, that contains the username of this user.
  @@ -559,11 +559,19 @@
   attribute containing the username that is presented for
   authentication.
   
  -Often the distinguished name of the user's entry contains the
  -username presented for authentication but is otherwise the same for
  -all users. In this case the userPattern attribute may
  -be used to specify the DN, with "{0}" marking where
  -the username should be substituted.
  +There are multiple options for specifying where to look for users.
  +One is through the use of userPattern.  This is set
  +to the distinguished name of the user entry, but with "{0}" marking
  +where the username should be substituted.  If you want Tomcat to
  +search for the username in multiple places, you can supply multiple
  +locations in the userPattern.  This is done by
  +surrounding each separate location with parentheses.  For example,
  +"(cn={0},ou=users1,o=myorg)(cn={0},ou=users2,o=myorg)" will result in
  +Tomcat looking in ou=users1,o=myorg, and then ou=users2,o=myorg for the
  +username passed in from the authentication process.  You can also use
  +the standard LDAP "OR" search format, for instance
  +"(|(cn={0},o=myorg)({0}))".  Note that, as in this example, you can
  +do both context-less and fully-typed logins using this technique.
   
   Otherwise the realm must search the directory to find a unique entry
   containing the username. The following attributes configure this
  @@ -831,7 +839,8 @@
   directory