From a790c7e19249139039883c30689e9ff7d191e688 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Thu, 3 Feb 2011 17:57:43 +0000 Subject: [PATCH] SEC-1670: Take account of JNDI CompositeName escaping in value of SearchResult.getName() when performing a search for a user entry in SpringSecurityLdapTemplate. --- ldap/slapd.conf | 8 ++++---- .../security/ldap/SpringSecurityLdapTemplate.java | 3 ++- .../security/ldap/authentication/BindAuthenticator.java | 2 ++ .../security/ldap/AbstractLdapIntegrationTests.java | 2 +- .../ldap/authentication/BindAuthenticatorTests.java | 4 +++- ldap/src/test/resources/test-server.ldif | 4 ++-- 6 files changed, 14 insertions(+), 9 deletions(-) diff --git a/ldap/slapd.conf b/ldap/slapd.conf index d52cba0e5a..ea07fd79ac 100755 --- a/ldap/slapd.conf +++ b/ldap/slapd.conf @@ -44,8 +44,8 @@ access to dn.subtree="ou=users,dc=qbe,dc=com" by * read -overlay ppolicy -ppolicy_default "cn=default,ou=policies,dc=springsource,dc=com" -ppolicy_use_lockout -ppolicy_hash_cleartext +#overlay ppolicy +#ppolicy_default "cn=default,ou=policies,dc=springsource,dc=com" +#ppolicy_use_lockout +#ppolicy_hash_cleartext diff --git a/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java b/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java index 1e91e94109..bb3d2208db 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java +++ b/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java @@ -20,6 +20,7 @@ import java.util.Arrays; import java.util.HashSet; import java.util.Set; +import javax.naming.CompositeName; import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.PartialResultException; 
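Review bot: Nothing in slapd.conf records why the ppolicy overlay is being disabled, and the consequence is security-relevant: an OpenLDAP run of the integration tests will no longer receive a password-policy response control, so the `PasswordPolicyControlExtractor.extractControl(ctx)` path in BindAuthenticator is not exercised against a real server, and with `ppolicy_hash_cleartext` off the test directory stores userPassword values as submitted. If this is a temporary workaround (the commit message does not mention it), a comment above the block such as `# ppolicy overlay disabled: re-enable to exercise PasswordPolicyControl handling and account lockout in BindAuthenticator` would stop the next maintainer from assuming lockout is active in this configuration. The access rule visible just above the block is for `dc=qbe,dc=com` while the policy DN is under `dc=springsource,dc=com`; if both are meant for the same database the suffixes may be worth reconciling when the overlay is re-enabled.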
@@ -208,7 +209,7 @@ public class SpringSecurityLdapTemplate extends LdapTemplate { while (resultsEnum.hasMore()) { SearchResult searchResult = resultsEnum.next(); // Work out the DN of the matched entry - DistinguishedName dn = new DistinguishedName(searchResult.getName()); + DistinguishedName dn = new DistinguishedName(new CompositeName(searchResult.getName())); if (base.length() > 0) { dn.prepend(searchBaseDn); diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java index 12695ba9bf..9ab1c7933b 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java +++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java @@ -113,6 +113,8 @@ public class BindAuthenticator extends AbstractLdapAuthenticator { // Check for password policy control PasswordPolicyControl ppolicy = PasswordPolicyControlExtractor.extractControl(ctx); + logger.debug("Retrieving attributes..."); + Attributes attrs = ctx.getAttributes(userDn, getUserAttributes()); DirContextAdapter result = new DirContextAdapter(attrs, userDn, ctxSource.getBaseLdapPath()); diff --git a/ldap/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java b/ldap/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java index ceaf823ce5..29732d99d8 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java 
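Review bot: The CompositeName wrapping fixes the escaping of `"` and `/` in `searchResult.getName()`, but the result is still prepended with `searchBaseDn` without consulting `searchResult.isRelative()`; if a non-relative result (a referral or absolute name, which JNDI returns as a URL-form string) ever reaches this loop, the DN assembled here — which is the DN later bound as the user — would be silently wrong instead of rejected. A guard such as `if (!searchResult.isRelative()) { throw new IllegalStateException("Unexpected non-relative search result: " + searchResult.getName()); }` before the parse, or at minimum a comment stating the relative-name assumption, would make the contract explicit. The new line also deserves a why-comment, e.g. `// getName() is a JNDI composite name, so '/' and '"' arrive escaped; parse it as such rather than as a DN string (SEC-1661/SEC-1670)`, and note that `new CompositeName(String)` can throw InvalidNameException, which is only fine if the enclosing callback already propagates NamingException. The enclosing method starts and ends outside the hunk.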
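Review bot: The added debug message `"Retrieving attributes..."` carries no identifier, so in a log with concurrent authentications it cannot be tied to the user being authenticated; the DN is already in scope and is not a secret, so `logger.debug("Retrieving attributes for " + userDn);` (wrapped in `isDebugEnabled()` if that is the file's convention) would make the line actionable. The method body starts and ends outside the hunk.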
@@ -48,7 +48,7 @@ public abstract class AbstractLdapIntegrationTests { @BeforeClass public static void startServer() throws Exception { contextSource = new DefaultSpringSecurityContextSource("ldap://127.0.0.1:53389/dc=springframework,dc=org"); -// OpenLDAP option +// OpenLDAP configuration // contextSource = new DefaultSpringSecurityContextSource("ldap://127.0.0.1:22389/dc=springsource,dc=com"); // contextSource.setUserDn("cn=admin,dc=springsource,dc=com"); // contextSource.setPassword("password"); diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java index ce68f55001..58956fe312 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java @@ -82,7 +82,9 @@ public class BindAuthenticatorTests extends AbstractLdapIntegrationTests { authenticator.authenticate(new UsernamePasswordAuthenticationToken("slash/guy", "slashguyspassword")); // SEC-1661 authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=\\\"quoted people\\\"", "(cn={0})", getContextSource())); - authenticator.authenticate(new UsernamePasswordAuthenticationToken("quoteguy", "quoteguyspassword")); + authenticator.authenticate(new UsernamePasswordAuthenticationToken("quote\"guy", "quoteguyspassword")); + authenticator.setUserSearch(new FilterBasedLdapUserSearch("", "(cn={0})", getContextSource())); + authenticator.authenticate(new UsernamePasswordAuthenticationToken("quote\"guy", "quoteguyspassword")); } /* @Test diff --git a/ldap/src/test/resources/test-server.ldif b/ldap/src/test/resources/test-server.ldif index 0e72399391..6411eead3d 100644 --- a/ldap/src/test/resources/test-server.ldif +++ b/ldap/src/test/resources/test-server.ldif 
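Review bot: Both new `authenticator.authenticate(...)` calls assert only that no exception escapes, which proves the bind succeeded but not that the DN was parsed as SEC-1670 intends; since `authenticate` returns the resolved context (DirContextOperations in this API), asserting the DN against the fixture, e.g. `assertEquals(new DistinguishedName("cn=quote\\\"guy,ou=\\\"quoted people\\\",dc=springframework,dc=org"), authenticator.authenticate(token).getDn());`, would pin the behaviour (the exact escaped form may need adjusting to how DistinguishedName renders it). A negative case — `quote"guy` with a wrong password, expecting BadCredentialsException — would also catch a search that accidentally matches a different entry. The test method begins outside the hunk.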
@@ -73,12 +73,12 @@ sn: Slash uid: slashguy userPassword: slashguyspassword -dn: cn=quoteguy,ou=\"quoted people\",dc=springframework,dc=org +dn: cn=quote\"guy,ou=\"quoted people\",dc=springframework,dc=org objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson -cn: quoteguy +cn: quote\"guy sn: Quote uid: quoteguy userPassword: quoteguyspassword
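Review bot: `cn: quote\"guy` is a literal LDIF value containing a backslash — RFC 2849 attribute values are not backslash-escaped, unlike the DN on the line above where `\"` denotes a quote character — so the entry's cn attribute becomes `quote\"guy` while its RDN value is `quote"guy`. The new test authenticates with `quote"guy` through a `(cn={0})` filter, so it appears to match only if the server itself adds the RDN value to the cn attribute (some servers do, others reject or leave the entry as written), which makes the fixture fragile and the test pass for a reason other than the one under test. Use `cn: quote"guy` here, or base64-encode the value if tooling objects to the quote; `uid: quoteguy` is unchanged and unaffected.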