Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1661: Use a DistinguishedName to wrap the search base to avoid the need for JNDI escaping.

This commit is contained in:
Luke Taylor 2011-01-26 17:13:11 +00:00
parent 866615ceaa
commit 077af5e187
7 changed files with 78 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
ldap/openldaptest.ldif
View File

@ -8,6 +8,21 @@ objectClass: organizationalUnit
objectClass: top
ou: users
dn: ou=\"quoted people\",dc=springsource,dc=com
objectclass: top
objectclass: organizationalUnit
ou: "quoted people"
dn: cn=quoteguy,ou=\"quoted people\",dc=springsource,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: quoteguy
sn: Quote
uid: quoteguy
userPassword: quoteguyspassword
dn: uid=luke,ou=users,dc=springsource,dc=com
objectClass: person
objectClass: organizationalPerson

4
ldap/run_slapd.sh
View File

@ -1,7 +1,7 @@
#! /bin/sh
rm -Rf target/openldap
mkdir -p target/openldap
rm -Rf build/openldap
mkdir -p build/openldap
/opt/local/libexec/slapd -h ldap://localhost:22389 -d -1 -f slapd.conf &
sleep 2
ldapadd -h localhost -p 22389 -D cn=admin,dc=springsource,dc=com -w password -x -f openldaptest.ldif

10
ldap/slapd.conf
View File

@ -4,8 +4,8 @@ include /opt/local/etc/openldap/schema/inetorgperson.schema
include /opt/local/etc/openldap/schema/ppolicy.schema
pidfile ./target/slapd.pid
argsfile ./target/slapd.args
pidfile ./build/slapd.pid
argsfile ./build/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
@ -14,7 +14,7 @@ modulepath /usr/lib/openldap/modules
# moduleload back_monitor.la
# moduleload back_perl.la
disallow bind_anon
#disallow bind_anon
require authc
access to dn.base=""
@ -28,7 +28,7 @@ rootdn "cn=admin,dc=springsource,dc=com"
rootpw password
directory ./target/openldap
directory ./build/openldap
index uid eq
index cn eq
@ -49,5 +49,3 @@ ppolicy_default "cn=default,ou=policies,dc=springsource,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

12
ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java
View File

@ -194,11 +194,13 @@ public class SpringSecurityLdapTemplate extends LdapTemplate {
return (DirContextOperations) executeReadOnly(new ContextExecutor() {
public Object executeWithContext(DirContext ctx) throws NamingException {
DistinguishedName ctxBaseDn = new DistinguishedName(ctx.getNameInNamespace());
NamingEnumeration<SearchResult> resultsEnum = ctx.search(base, filter, params, searchControls);
final DistinguishedName ctxBaseDn = new DistinguishedName(ctx.getNameInNamespace());
final DistinguishedName searchBaseDn = new DistinguishedName(base);
final NamingEnumeration<SearchResult> resultsEnum = ctx.search(searchBaseDn, filter, params, searchControls);
if (logger.isDebugEnabled()) {
logger.debug("Searching for entry in under DN '" + ctxBaseDn
+ "', base = '" + base + "', filter = '" + filter + "'");
logger.debug("Searching for entry under DN '" + ctxBaseDn
+ "', base = '" + searchBaseDn + "', filter = '" + filter + "'");
}
Set<DirContextOperations> results = new HashSet<DirContextOperations>();
@ -209,7 +211,7 @@ public class SpringSecurityLdapTemplate extends LdapTemplate {
DistinguishedName dn = new DistinguishedName(searchResult.getName());
if (base.length() > 0) {
dn.prepend(new DistinguishedName(base));
dn.prepend(searchBaseDn);
}
if (logger.isDebugEnabled()) {

10
ldap/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java
View File

@ -40,7 +40,7 @@ import org.springframework.security.ldap.server.ApacheDSContainer;
public abstract class AbstractLdapIntegrationTests {
// private static InMemoryXmlApplicationContext appContext;
private static ApacheDSContainer server;
private static BaseLdapPathContextSource contextSource;
private static DefaultSpringSecurityContextSource contextSource;
protected AbstractLdapIntegrationTests() {
}
@ -48,7 +48,11 @@ public abstract class AbstractLdapIntegrationTests {
@BeforeClass
public static void startServer() throws Exception {
contextSource = new DefaultSpringSecurityContextSource("ldap://127.0.0.1:53389/dc=springframework,dc=org");
((DefaultSpringSecurityContextSource)contextSource).afterPropertiesSet();
// OpenLDAP option
// contextSource = new DefaultSpringSecurityContextSource("ldap://127.0.0.1:22389/dc=springsource,dc=com");
// contextSource.setUserDn("cn=admin,dc=springsource,dc=com");
// contextSource.setPassword("password");
contextSource.afterPropertiesSet();
server = new ApacheDSContainer("dc=springframework,dc=org", "classpath:test-server.ldif");
server.afterPropertiesSet();
}
@ -98,7 +102,7 @@ public abstract class AbstractLdapIntegrationTests {
try {
enumeration = ctx.listBindings(name);
while (enumeration.hasMore()) {
Binding element = (Binding) enumeration.next();
Binding element = enumeration.next();
DistinguishedName childName = new DistinguishedName(element.getName());
childName.prepend((DistinguishedName) name);

28
ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java
View File

@ -17,7 +17,7 @@ package org.springframework.security.ldap.authentication;
import static org.junit.Assert.*;
import org.junit.Test;
import org.junit.*;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@ -80,8 +80,34 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests {
authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=people", "(cn={0})", getContextSource()));
authenticator.authenticate(new UsernamePasswordAuthenticationToken("mouse, jerry", "jerryspassword"));
authenticator.authenticate(new UsernamePasswordAuthenticationToken("slash/guy", "slashguyspassword"));
// SEC-1661
authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=\\\"quoted people\\\"", "(cn={0})", getContextSource()));
authenticator.authenticate(new UsernamePasswordAuthenticationToken("quoteguy", "quoteguyspassword"));
}
/*
@Test
public void messingWithEscapedChars() throws Exception {
Hashtable<String,String> env = new Hashtable<String,String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:22389/dc=springsource,dc=com");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=springsource,dc=com");
env.put(Context.SECURITY_CREDENTIALS, "password");
InitialDirContext idc = new InitialDirContext(env);
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
DistinguishedName baseDn = new DistinguishedName("ou=\\\"quoted people\\\"");
NamingEnumeration<SearchResult> matches = idc.search(baseDn, "(cn=*)", new Object[] {"quoteguy"}, searchControls);
while(matches.hasMore()) {
SearchResult match = matches.next();
DistinguishedName dn = new DistinguishedName(match.getName());
System.out.println("**** Match: " + match.getName() + " ***** " + dn);
}
}
*/
@Test
public void testAuthenticationWithWrongPasswordFails() {
authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});

16
ldap/src/test/resources/test-server.ldif
View File

@ -13,6 +13,11 @@ objectclass: top
objectclass: organizationalUnit
ou: people
dn: ou=\"quoted people\",dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
ou: "quoted people"
dn: ou=otherpeople,dc=springframework,dc=org
objectclass: top
objectclass: organizationalUnit
@ -68,6 +73,17 @@ sn: Slash
uid: slashguy
userPassword: slashguyspassword
dn: cn=quoteguy,ou=\"quoted people\",dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: quoteguy
sn: Quote
uid: quoteguy
userPassword: quoteguyspassword
dn: cn=developers,ou=groups,dc=springframework,dc=org
objectclass: top
objectclass: groupOfNames