Payara 1339 (#1712)
* ODCS: (IDCINTER-72) Forward port bug 23745407

git-svn-id: https://svn.java.net/svn/glassfish~svn/trunk/main@64795 6f3ba3e3-413c-0410-a8aa-90bee3ab43b5

* Missed copyright header year change. IDCINTER-71,72,73

git-svn-id: https://svn.java.net/svn/glassfish~svn/trunk/main@64880 6f3ba3e3-413c-0410-a8aa-90bee3ab43b5
smillidge authored Jul 5, 2017
1 parent 23b2f7b commit 8fdd719
Showing 4 changed files with 54 additions and 33 deletions.
Expand Up @@ -2,7 +2,7 @@
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
Copyright (c) 1997-2017 Oracle and/or its affiliates. All rights reserved.
The contents of this file are subject to the terms of either the GNU
General Public License Version 2 only ("GPL") or the Common Development
@@ -1,7 +1,7 @@
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2013-2014 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013-2017 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
@@ -1,7 +1,7 @@
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 1997-2014 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997-2017 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
Expand Down Expand Up @@ -65,6 +65,9 @@
import com.sun.enterprise.security.auth.realm.IASRealm;
import java.lang.StringBuffer;
import java.util.regex.Matcher;
import javax.naming.directory.Attributes;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.glassfish.internal.api.RelativePathResolver;
import org.jvnet.hk2.annotations.Service;
import sun.security.x509.X500Name;
Expand Down Expand Up @@ -128,6 +131,8 @@ public final class LDAPRealm extends IASRealm
public static final String PARAM_GRPDN="group-base-dn";
public static final String PARAM_GRP_SEARCH_FILTER="group-search-filter";
public static final String PARAM_GRP_TARGET="group-target";
public static final String PARAM_DYNAMIC_GRP_FILTER="dynamic-group-search-filter";
public static final String PARAM_DYNAMIC_GRP_TARGET="dynamic-group-target";
public static final String PARAM_MODE="mode";
public static final String PARAM_JNDICF="jndiCtxFactory";
public static final String PARAM_POOLSIZE="pool-size";
Expand All @@ -149,6 +154,7 @@ public final class LDAPRealm extends IASRealm
private static final String GRP_SEARCH_FILTER_DEFAULT=
"uniquemember="+SUBST_SUBJECT_DN;
private static final String GRP_TARGET_DEFAULT="cn";
private static final String DYNAMIC_GRP_TARGET_DEFAULT="ismemberof";//"memberOf";
private static final String MODE_DEFAULT=MODE_FIND_BIND;
private static final String JNDICF_DEFAULT=
"com.sun.jndi.ldap.LdapCtxFactory";
Expand Down Expand Up @@ -234,10 +240,18 @@ public synchronized void init(Properties props)
PARAM_GRP_SEARCH_FILTER, GRP_SEARCH_FILTER_DEFAULT);
this.setProperty(PARAM_GRP_SEARCH_FILTER, grpSearchFilter);

String dynGrpSearchFilter = props.getProperty(
PARAM_DYNAMIC_GRP_FILTER, SEARCH_FILTER_DEFAULT);
this.setProperty(PARAM_DYNAMIC_GRP_FILTER, dynGrpSearchFilter);

String grpTarget = props.getProperty(
PARAM_GRP_TARGET, GRP_TARGET_DEFAULT);
this.setProperty(PARAM_GRP_TARGET, grpTarget);

String dynGrpTarget = props.getProperty(
PARAM_DYNAMIC_GRP_TARGET, DYNAMIC_GRP_TARGET_DEFAULT);
this.setProperty(PARAM_DYNAMIC_GRP_TARGET, dynGrpTarget);

String objectFactory = props.getProperty(
DYNAMIC_GROUP_FACTORY_OBJECT_PROPERTY, DYNAMIC_GROUP_OBJECT_FACTORY);
this.setProperty(DYNAMIC_GROUP_FACTORY_OBJECT_PROPERTY, objectFactory);
Expand Down Expand Up @@ -363,6 +377,9 @@ private List<String> getGroups(String userDN) {
//no authentication has happened through the realm.
DirContext ctx = null;
String srcFilter = null;

String dynFilter = null;
String dynMember = getProperty(PARAM_DYNAMIC_GRP_TARGET);
try {
ctx = new InitialDirContext(getLdapBindProps());

Expand All @@ -385,16 +402,20 @@ private List<String> getGroups(String userDN) {

}
StringBuffer sb = new StringBuffer(getProperty(PARAM_GRP_SEARCH_FILTER));
StringBuffer dynSb = new StringBuffer(getProperty(PARAM_DYNAMIC_GRP_FILTER));
substitute(sb, SUBST_SUBJECT_NAME, _username);
substitute(sb, SUBST_SUBJECT_DN, userDN);
substitute(dynSb, SUBST_SUBJECT_NAME, _username);
substitute(dynSb, SUBST_SUBJECT_DN, userDN);

srcFilter = sb.toString();
dynFilter = dynSb.toString();
List<String> groupsList = new ArrayList<String>();
groupsList.addAll(groupSearch(ctx, getProperty(PARAM_GRPDN), srcFilter, getProperty(PARAM_GRP_TARGET)));
// search filter is constructed internally as
// as a groupofURLS
groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), getProperty(PARAM_GRP_TARGET),
userDN));
groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), dynMember,
dynFilter, getProperty(PARAM_GRP_TARGET)));
return groupsList;
} catch (Exception e) {
_logger.log(Level.WARNING, "ldaprealm.groupsearcherror",e);
Expand Down Expand Up @@ -489,6 +510,9 @@ public String[] findAndBind(String _username, char[] _password)
DirContext ctx = null;
String srcFilter = null;
String[] grpList = null;

String dynFilter = null;
String dynMember = getProperty(PARAM_DYNAMIC_GRP_TARGET);
try {
ctx = new InitialDirContext(getLdapBindProps());
String realUserDN = userSearch(ctx, getProperty(PARAM_USERDN), userid);
Expand All @@ -505,16 +529,21 @@ public String[] findAndBind(String _username, char[] _password)

// search groups using above connection, substituting %d (and %s)
sb = new StringBuffer(getProperty(PARAM_GRP_SEARCH_FILTER));
StringBuffer dynSb = new StringBuffer(getProperty(PARAM_DYNAMIC_GRP_FILTER));

substitute(sb, SUBST_SUBJECT_NAME, _username);
substitute(sb, SUBST_SUBJECT_DN, realUserDN);
substitute(dynSb, SUBST_SUBJECT_NAME, _username);
substitute(dynSb, SUBST_SUBJECT_DN, realUserDN);

srcFilter = sb.toString();
dynFilter = dynSb.toString();
ArrayList groupsList = new ArrayList();
groupsList.addAll(groupSearch(ctx, getProperty(PARAM_GRPDN), srcFilter, getProperty(PARAM_GRP_TARGET)));
// search filter is constructed internally as
// as a groupofURLS
groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), getProperty(PARAM_GRP_TARGET),
realUserDN));
groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), dynMember,
dynFilter, getProperty(PARAM_GRP_TARGET)));
grpList = new String[groupsList.size()];
groupsList.toArray(grpList);
} catch (Exception e) {
Expand Down Expand Up @@ -647,45 +676,37 @@ private boolean bindAsUser(String bindDN, char[] password)
*
*/
private List dynamicGroupSearch(DirContext ctx, String baseDN,
String target, String userDN)
String memberOfAttr, String filter, String target) throws NamingException
{
List groupList = new ArrayList();
String filter = DYNAMIC_GROUP_FILTER;

String[] targets = new String[] { target, "memberUrl" };

String[] targets = new String[] { memberOfAttr };
try {
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(targets);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
ctls.setReturningObjFlag(true);
//Set this to false to avoid objects and hence exposing ldap object
//injection.
ctls.setReturningObjFlag(false);

NamingEnumeration e = ctx.search(baseDN, filter, ctls);

while(e.hasMore()) {
SearchResult res = (SearchResult)e.next();
Object searchedObject = res.getObject();


if (searchedObject instanceof GroupOfURLs){ // dynamic group

GroupOfURLs gurls = (GroupOfURLs) searchedObject;
Principal x500principal = new X500Principal(userDN);
if (gurls.isMember(x500principal)) {

Attribute grpAttr = res.getAttributes().get(target);
int sz = grpAttr.size();
for (int i=0; i<sz; i++) {
String s = (String)grpAttr.get(i);
groupList.add(s);
Attribute isMemberOf = res.getAttributes().get(memberOfAttr);
if (isMemberOf != null) {
for (Enumeration values = isMemberOf.getAll();
values.hasMoreElements();) {
String groupDN = (String) values.nextElement();
LdapName dn = new LdapName(groupDN);
for(Rdn rdn : dn.getRdns()) {
if(rdn.getType().equalsIgnoreCase(target)) {
groupList.add(rdn.getValue());
break;
}
}
}

}

// recommended by Jaya Hangal from JDK team
if (searchedObject instanceof Context) {
((Context)searchedObject).close();
}
}
} catch (Exception e) {
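Review bot: `groupList.add(rdn.getValue())` in the `dynamicGroupSearch` hunk stores an `Object` — `Rdn.getValue()` can return a `byte[]` for a hex-encoded RDN value — into a raw `List` that `findAndBind` then copies into a `String[]` with `groupsList.toArray(grpList)` and that `getGroups` adds to a `List<String>` unchecked, so a non-string value would surface as an `ArrayStoreException` in the generic catch rather than being skipped. A guard such as `Object v = rdn.getValue(); if (v instanceof String) { groupList.add((String) v); break; }` keeps the list string-typed. The new `dynSb` filter in both the `getGroups` and `findAndBind` hunks substitutes `_username` and the user DN into the LDAP filter with the same unescaped `substitute` as the existing `sb` path, and since the username is caller-supplied both paths would benefit from RFC 4515 filter-value escaping, which this commit does not add. `ctls.setReturningObjFlag(false)` is the right change for the object-injection issue the comment names, while the `throws NamingException` added to the signature appears unreachable given the visible `catch (Exception e)`; `dynamicGroupSearch` continues past the hunk, so something after the catch may still need it.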
@@ -1,7 +1,7 @@
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2004-2014 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004-2017 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
