Remove unnecessary null checks for Operation.getRequestControls()

Jean-Noël Rouvignac

22.13.2015 edf8944f0ae80b608797206944cbd2db8d08a9a7

Remove unnecessary null checks for Operation.getRequestControls()

 opendj-server-legacy/src/main/java/org/opends/server/backends/pluggable/EntryContainer.java

@@ -2352,15 +2352,11 @@
   */
  private static boolean isManageDsaITOperation(Operation operation)
  {
    List<Control> controls = operation.getRequestControls();
    if (controls != null)
    for (Control control : operation.getRequestControls())
    {
      for (Control control : controls)
      if (ServerConstants.OID_MANAGE_DSAIT_CONTROL.equals(control.getOID()))
      {
        if (ServerConstants.OID_MANAGE_DSAIT_CONTROL.equals(control.getOID()))
        {
          return true;
        }
        return true;
      }
    }
    return false;

 opendj-server-legacy/src/main/java/org/opends/server/core/ExtendedOperationBasis.java

@@ -38,9 +38,16 @@
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.ExtendedOperationHandler;
import org.opends.server.types.*;
import org.opends.server.types.AbstractOperation;
import org.opends.server.types.CancelResult;
import org.opends.server.types.CanceledOperationException;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.OperationType;
import org.opends.server.types.operation.PostOperationExtendedOperation;
import org.opends.server.types.operation.PostResponseExtendedOperation;
import org.opends.server.types.operation.PreOperationExtendedOperation;
@@ -303,53 +310,44 @@

      // Look at the controls included in the request and ensure that all
      // critical controls are supported by the handler.
      List<Control> requestControls = getRequestControls();
      if (requestControls != null && !requestControls.isEmpty())
      for (Iterator<Control> iter = getRequestControls().iterator(); iter.hasNext();)
      {
        for (Iterator<Control> iter = requestControls.iterator(); iter
            .hasNext();)
        final Control c = iter.next();
        try
        {
          final Control c = iter.next();
          try
          if (!getAccessControlHandler().isAllowed(getAuthorizationDN(), this, c))
          {
            if (!AccessControlConfigManager.getInstance()
                .getAccessControlHandler()
                .isAllowed(getAuthorizationDN(), this, c))
            // As per RFC 4511 4.1.11.
            if (c.isCritical())
            {
              // As per RFC 4511 4.1.11.
              if (c.isCritical())
              {
                setResultCode(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION);
                appendErrorMessage(ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS
                    .get(c.getOID()));
              }
              else
              {
                // We don't want to process this non-critical control, so
                // remove it.
                iter.remove();
                continue;
              }
              setResultCode(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION);
              appendErrorMessage(ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(c.getOID()));
            }
            else
            {
              // We don't want to process this non-critical control, so remove it.
              iter.remove();
              continue;
            }
          }
          catch (DirectoryException e)
          {
            setResultCode(e.getResultCode());
            appendErrorMessage(e.getMessageObject());
            return;
          }
        }
        catch (DirectoryException e)
        {
          setResultCode(e.getResultCode());
          appendErrorMessage(e.getMessageObject());
          return;
        }

          if (! c.isCritical())
          {
            // The control isn't critical, so we don't care if it's supported
            // or not.
          }
          else if (! handler.supportsControl(c.getOID()))
          {
            setResultCode(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION);
            appendErrorMessage(ERR_EXTENDED_UNSUPPORTED_CRITICAL_CONTROL.get(requestOID, c.getOID()));
            return;
          }
        if (!c.isCritical())
        {
          // The control isn't critical, so we don't care if it's supported
          // or not.
        }
        else if (!handler.supportsControl(c.getOID()))
        {
          setResultCode(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION);
          appendErrorMessage(ERR_EXTENDED_UNSUPPORTED_CRITICAL_CONTROL.get(requestOID, c.getOID()));
          return;
        }
      }

@@ -362,7 +360,7 @@
      // and any other controls specified.
      try
      {
        if (!AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this))
        if (!getAccessControlHandler().isAllowed(this))
        {
          setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
          appendErrorMessage(ERR_EXTENDED_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(requestOID));
@@ -438,7 +436,11 @@
    }
  }

  /** {@inheritDoc} */
  private AccessControlHandler<?> getAccessControlHandler()
  {
    return AccessControlConfigManager.getInstance().getAccessControlHandler();
  }

  @Override
  public final void toString(StringBuilder buffer)
  {
@@ -450,6 +452,4 @@
    buffer.append(requestOID);
    buffer.append(")");
  }

}


 opendj-server-legacy/src/main/java/org/opends/server/extensions/PasswordModifyExtendedOperation.java

@@ -37,7 +37,13 @@
import static org.opends.server.util.StaticUtils.*;

import java.io.IOException;
import java.util.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
@@ -54,7 +60,11 @@
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.ExtendedOperationHandlerCfg;
import org.opends.server.admin.std.server.PasswordModifyExtendedOperationHandlerCfg;
import org.opends.server.api.*;
import org.opends.server.api.AuthenticationPolicy;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.ExtendedOperationHandler;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.controls.PasswordPolicyErrorType;
import org.opends.server.controls.PasswordPolicyResponseControl;
import org.opends.server.core.DirectoryServer;
@@ -64,8 +74,20 @@
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.schema.AuthPasswordSyntax;
import org.opends.server.schema.UserPasswordSyntax;
import org.opends.server.types.*;
import org.opends.server.types.AccountStatusNotification;
import org.opends.server.types.AccountStatusNotificationProperty;
import org.opends.server.types.AdditionalLogItem;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.LockManager.DNLock;
import org.opends.server.types.Modification;
import org.opends.server.types.Privilege;

/**
 * This class implements the password modify extended operation defined in RFC
@@ -167,20 +189,16 @@
    // Look at the set of controls included in the request, if there are any.
    boolean                   noOpRequested        = false;
    boolean                   pwPolicyRequested    = false;
    List<Control> controls = operation.getRequestControls();
    if (controls != null)
    for (Control c : operation.getRequestControls())
    {
      for (Control c : controls)
      String oid = c.getOID();
      if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
      {
        String oid = c.getOID();
        if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
        {
          noOpRequested = true;
        }
        else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
        {
          pwPolicyRequested = true;
        }
        noOpRequested = true;
      }
      else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
      {
        pwPolicyRequested = true;
      }
    }


 opendj-server-legacy/src/main/java/org/opends/server/replication/plugin/MultimasterReplication.java

@@ -156,10 +156,9 @@
         * running later do not generate CSN, solve conflicts and forward the
         * operation to the replication server.
         */
        final List<Control> controls = op.getRequestControls();
        for (Iterator<Control> iter = controls.iterator(); iter.hasNext();)
        for (Iterator<Control> it = op.getRequestControls().iterator(); it.hasNext();)
        {
          Control c = iter.next();
          Control c = it.next();
          if (OID_REPLICATION_REPAIR_CONTROL.equals(c.getOID()))
          {
            op.setSynchronizationOperation(true);
@@ -169,7 +168,7 @@
            processed and the local backend will fail if it finds a control that
            it does not know about and that is marked as critical.
            */
            iter.remove();
            it.remove();
            return null;
          }
        }

 opendj-server-legacy/src/main/java/org/opends/server/types/AbstractOperation.java

@@ -31,6 +31,7 @@
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;

import org.forgerock.i18n.LocalizableMessage;
@@ -167,16 +168,7 @@
    this.operationID      = operationID;
    this.messageID        = messageID;
    this.useNanoTime = DirectoryServer.getUseNanoTime();

    if (requestControls == null)
    {
      this.requestControls = new ArrayList<>(0);
    }
    else
    {
      this.requestControls  = requestControls;
    }

    this.requestControls = requestControls != null ? requestControls : new ArrayList<Control>(0);
    authorizationEntry = clientConnection.getAuthenticationInfo().getAuthorizationEntry();
  }

@@ -225,16 +217,16 @@
      ControlDecoder<T> d) throws DirectoryException
  {
    String oid = d.getOID();
    for(int i = 0; i < requestControls.size(); i++)
    for (ListIterator<Control> it = requestControls.listIterator(); it.hasNext();)
    {
      Control c = requestControls.get(i);
      Control c = it.next();
      if(c.getOID().equals(oid))
      {
        if(c instanceof LDAPControl)
        {
          T decodedControl = d.decode(c.isCritical(),
              ((LDAPControl) c).getValue());
          requestControls.set(i, decodedControl);
          it.set(decodedControl);
          return decodedControl;
        }
        else

 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java

@@ -980,91 +980,78 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(parentDN, this);

    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (Control c : getRequestControls())
    {
      for (Control c : requestControls)
      final String oid = c.getOID();

      if (OID_LDAP_ASSERTION.equals(oid))
      {
        final String  oid = c.getOID();
        // RFC 4528 mandates support for Add operation basically
        // suggesting an assertion on self. As daft as it may be
        // we gonna have to support this for RFC compliance.
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);

        if (OID_LDAP_ASSERTION.equals(oid))
        SearchFilter filter;
        try
        {
          // RFC 4528 mandates support for Add operation basically
          // suggesting an assertion on self. As daft as it may be
          // we gonna have to support this for RFC compliance.
          LDAPAssertionRequestControl assertControl =
            getRequestControl(LDAPAssertionRequestControl.DECODER);
          filter = assertControl.getSearchFilter();
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          SearchFilter filter;
          try
          throw newDirectoryException(entryDN, de.getResultCode(),
              ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }

        // Check if the current user has permission to make this determination.
        if (!getAccessControlHandler().isAllowed(this, entry, filter))
        {
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
        }

        try
        {
          if (!filter.matchesEntry(entry))
          {
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);

            throw newDirectoryException(entryDN, de.getResultCode(),
                ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
          }

          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try
          {
            if (!filter.matchesEntry(entry))
            {
              throw newDirectoryException(entryDN, ResultCode.ASSERTION_FAILED,
                  ERR_ADD_ASSERTION_FAILED.get(entryDN));
            }
          }
          catch (DirectoryException de)
          {
            if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
            {
              throw de;
            }

            logger.traceException(de);

            throw newDirectoryException(entryDN, de.getResultCode(),
                ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
            throw newDirectoryException(entryDN, ResultCode.ASSERTION_FAILED, ERR_ADD_ASSERTION_FAILED.get(entryDN));
          }
        }
        else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
        catch (DirectoryException de)
        {
          noOp = true;
          if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
          {
            throw de;
          }

          logger.traceException(de);

          throw newDirectoryException(entryDN, de.getResultCode(),
              ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }
        else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
        {
          postReadRequest =
                getRequestControl(LDAPPostReadRequestControl.DECODER);
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
        {
          continue;
        }
        else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
        {
          // We don't need to do anything here because it's already handled
          // in LocalBackendAddOperation.handlePasswordPolicy().
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
        {
          throw newDirectoryException(entryDN,
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_ADD_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
      else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
      {
        noOp = true;
      }
      else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
      {
        postReadRequest = getRequestControl(LDAPPostReadRequestControl.DECODER);
      }
      else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
      {
        continue;
      }
      else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
      {
        // We don't need to do anything here because it's already handled
        // in LocalBackendAddOperation.handlePasswordPolicy().
      }
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
      {
        throw newDirectoryException(entryDN, ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            ERR_ADD_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
      }
    }
  }

 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java

@@ -325,29 +325,22 @@
  {
    LocalBackendWorkflowElement.removeAllDisallowedControls(bindDN, this);

    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (Control c : getRequestControls())
    {
      for (Control c : requestControls)
      final String oid = c.getOID();

      if (OID_AUTHZID_REQUEST.equals(oid))
      {
        final String  oid = c.getOID();

        if (OID_AUTHZID_REQUEST.equals(oid))
        {
          returnAuthzID = true;
        }
        else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
        {
          pwPolicyControlRequested = true;
        }

        // NYI -- Add support for additional controls.
        else if (c.isCritical())
        {
          throw new DirectoryException(
                         ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                         ERR_BIND_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
        }
        returnAuthzID = true;
      }
      else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
      {
        pwPolicyControlRequested = true;
      }
      else if (c.isCritical())
      {
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            ERR_BIND_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
      }
    }
  }
@@ -363,8 +356,7 @@
   */
  private boolean processSimpleBind() throws DirectoryException
  {
    // See if this is an anonymous bind.  If so, then determine whether
    // to allow it.
    // See if this is an anonymous bind. If so, then determine whether to allow it.
    ByteString simplePassword = getSimplePassword();
    if (simplePassword == null || simplePassword.length() == 0)
    {

 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java

@@ -318,74 +318,63 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);

    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (Control c : getRequestControls())
    {
      for (Control c : requestControls)
      final String oid = c.getOID();

      if (OID_LDAP_ASSERTION.equals(oid))
      {
        final String  oid = c.getOID();
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);

        if (OID_LDAP_ASSERTION.equals(oid))
        SearchFilter filter;
        try
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
          filter = assertControl.getSearchFilter();
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          SearchFilter filter;
          try
          {
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);
          throw newDirectoryException(entry, de.getResultCode(),
              ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }

            throw newDirectoryException(entry, de.getResultCode(),
                ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }

          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
        // Check if the current user has permission to make this determination.
        if (!getAccessControlHandler().isAllowed(this, entry, filter))
        {
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try
          {
            if (!filter.matchesEntry(entry))
            {
              throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED,
                  ERR_COMPARE_ASSERTION_FAILED.get(entryDN));
            }
          }
          catch (DirectoryException de)
          {
            if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
            {
              throw de;
            }

            logger.traceException(de);

            throw newDirectoryException(entry, de.getResultCode(),
                ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))

        try
        {
          continue;
          if (!filter.matchesEntry(entry))
          {
            throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED, ERR_COMPARE_ASSERTION_FAILED.get(entryDN));
          }
        }

        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
        catch (DirectoryException de)
        {
          throw new DirectoryException(
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_COMPARE_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
          if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
          {
            throw de;
          }

          logger.traceException(de);

          throw newDirectoryException(entry, de.getResultCode(),
              ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }
      }
      else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
      {
        continue;
      }
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
      {
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            ERR_COMPARE_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
      }
    }
  }


 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java

@@ -26,7 +26,6 @@
 */
package org.opends.server.workflowelement.localbackend;

import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;

import org.forgerock.i18n.LocalizableMessage;
@@ -392,89 +391,73 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);

    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (Control c : getRequestControls())
    {
      for (Control c : requestControls)
      final String oid = c.getOID();
      if (OID_LDAP_ASSERTION.equals(oid))
      {
        final String oid = c.getOID();
        if (OID_LDAP_ASSERTION.equals(oid))
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);

        SearchFilter filter;
        try
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
          filter = assertControl.getSearchFilter();
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          SearchFilter filter;
          try
          {
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);
          throw newDirectoryException(entry, de.getResultCode(),
              ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }

            throw newDirectoryException(entry, de.getResultCode(),
                ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }

          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
        // Check if the current user has permission to make this determination.
        if (!getAccessControlHandler().isAllowed(this, entry, filter))
        {
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
        }

          try
        try
        {
          if (!filter.matchesEntry(entry))
          {
            if (!filter.matchesEntry(entry))
            {
              throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED,
                  ERR_DELETE_ASSERTION_FAILED.get(entryDN));
            }
            throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED, ERR_DELETE_ASSERTION_FAILED.get(entryDN));
          }
          catch (DirectoryException de)
        }
        catch (DirectoryException de)
        {
          if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
          {
            if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
            {
              throw de;
            }

            logger.traceException(de);

            throw newDirectoryException(entry, de.getResultCode(),
                ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
            throw de;
          }
        }
        else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
        {
          noOp = true;
        }
        else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
        {
          preReadRequest =
                getRequestControl(LDAPPreReadRequestControl.DECODER);
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
        {
          continue;
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
        {
          throw newDirectoryException(entry,
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_DELETE_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));

          logger.traceException(de);

          throw newDirectoryException(entry, de.getResultCode(),
              ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }
      }
      else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
      {
        noOp = true;
      }
      else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
      {
        preReadRequest = getRequestControl(LDAPPreReadRequestControl.DECODER);
      }
      else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
      {
        continue;
      }
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
      {
        throw newDirectoryException(entry, ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            ERR_DELETE_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
      }
    }
  }

  private DN getName(Entry e)
  {
    return e != null ? e.getName() : DN.rootDN();
  }

  /**
   * Handle conflict resolution.
   * @return  {@code true} if processing should continue for the operation, or

 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java

@@ -37,6 +37,7 @@
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.api.Backend;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.SynchronizationProvider;
@@ -360,8 +361,7 @@
      // to the client.
      try
      {
        if (!AccessControlConfigManager.getInstance().getAccessControlHandler()
            .isAllowed(this))
        if (!getAccessControlHandler().isAllowed(this))
        {
          setResultCodeAndMessageNoInfoDisclosure(currentEntry, entryDN,
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
@@ -527,103 +527,92 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);

    final List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (ListIterator<Control> iter = getRequestControls().listIterator(); iter.hasNext();)
    {
      for (ListIterator<Control> iter = requestControls.listIterator(); iter.hasNext();)
      final Control c = iter.next();
      final String oid = c.getOID();

      if (OID_LDAP_ASSERTION.equals(oid))
      {
        final Control c = iter.next();
        final String  oid = c.getOID();
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);

        if (OID_LDAP_ASSERTION.equals(oid))
        SearchFilter filter;
        try
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
          filter = assertControl.getSearchFilter();
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          SearchFilter filter;
          try
          {
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);
          throw newDirectoryException(currentEntry, de.getResultCode(),
              ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }

            throw newDirectoryException(currentEntry, de.getResultCode(),
                ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }

          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
            getAccessControlHandler().isAllowed(this, currentEntry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
        // Check if the current user has permission to make this determination.
        if (!getAccessControlHandler().isAllowed(this, currentEntry, filter))
        {
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
        }

        try
        {
          if (!filter.matchesEntry(currentEntry))
          {
            throw newDirectoryException(currentEntry, ResultCode.ASSERTION_FAILED,
                ERR_MODDN_ASSERTION_FAILED.get(entryDN));
          }
        }
        catch (DirectoryException de)
        {
          if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
          {
            throw de;
          }

          try
          {
            if (!filter.matchesEntry(currentEntry))
            {
              throw newDirectoryException(currentEntry,
                  ResultCode.ASSERTION_FAILED,
                  ERR_MODDN_ASSERTION_FAILED.get(entryDN));
            }
          }
          catch (DirectoryException de)
          {
            if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
            {
              throw de;
            }
          logger.traceException(de);

            logger.traceException(de);

            throw newDirectoryException(currentEntry, de.getResultCode(),
                ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }
          throw newDirectoryException(currentEntry, de.getResultCode(),
              ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }
        else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
      }
      else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
      {
        noOp = true;
      }
      else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
      {
        preReadRequest = getRequestControl(LDAPPreReadRequestControl.DECODER);
        iter.set(preReadRequest);
      }
      else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
      {
        if (c instanceof LDAPPostReadRequestControl)
        {
          noOp = true;
          postReadRequest = (LDAPPostReadRequestControl) c;
        }
        else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
        else
        {
          preReadRequest = getRequestControl(LDAPPreReadRequestControl.DECODER);
          iter.set(preReadRequest);
          postReadRequest = getRequestControl(LDAPPostReadRequestControl.DECODER);
          iter.set(postReadRequest);
        }
        else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
        {
          if (c instanceof LDAPPostReadRequestControl)
          {
            postReadRequest = (LDAPPostReadRequestControl) c;
          }
          else
          {
            postReadRequest = getRequestControl(LDAPPostReadRequestControl.DECODER);
            iter.set(postReadRequest);
          }
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
        {
          continue;
        }
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
        {
          throw new DirectoryException(
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_MODDN_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
      else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
      {
        continue;
      }
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
      {
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            ERR_MODDN_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
      }
    }
  }

  private DN getName(Entry e)
  private AccessControlHandler<?> getAccessControlHandler()
  {
    return e != null ? e.getName() : DN.rootDN();
    return AccessControlConfigManager.getInstance().getAccessControlHandler();
  }

  /**

 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java

@@ -632,104 +632,92 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);

    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (ListIterator<Control> iter = getRequestControls().listIterator(); iter.hasNext();)
    {
      for (ListIterator<Control> iter = requestControls.listIterator(); iter.hasNext();)
      final Control c = iter.next();
      final String oid = c.getOID();

      if (OID_LDAP_ASSERTION.equals(oid))
      {
        final Control c = iter.next();
        final String  oid = c.getOID();
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);

        if (OID_LDAP_ASSERTION.equals(oid))
        SearchFilter filter;
        try
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
          filter = assertControl.getSearchFilter();
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          SearchFilter filter;
          try
          {
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);
          throw newDirectoryException(currentEntry, de.getResultCode(),
              ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }

            throw newDirectoryException(currentEntry, de.getResultCode(),
                ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
          }

          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, currentEntry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
        // Check if the current user has permission to make this determination.
        if (!getAccessControlHandler().isAllowed(this, currentEntry, filter))
        {
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
        }

        try
        {
          if (!filter.matchesEntry(currentEntry))
          {
            throw newDirectoryException(currentEntry, ResultCode.ASSERTION_FAILED,
                ERR_MODIFY_ASSERTION_FAILED.get(entryDN));
          }
        }
        catch (DirectoryException de)
        {
          if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
          {
            throw de;
          }

          try
          {
            if (!filter.matchesEntry(currentEntry))
            {
              throw newDirectoryException(currentEntry,
                  ResultCode.ASSERTION_FAILED,
                  ERR_MODIFY_ASSERTION_FAILED.get(entryDN));
            }
          }
          catch (DirectoryException de)
          {
            if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
            {
              throw de;
            }
          logger.traceException(de);

            logger.traceException(de);

            throw newDirectoryException(currentEntry, de.getResultCode(),
                ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
          }
          throw newDirectoryException(currentEntry, de.getResultCode(),
              ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
        }
        else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
      }
      else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
      {
        noOp = true;
      }
      else if (OID_PERMISSIVE_MODIFY_CONTROL.equals(oid))
      {
        permissiveModify = true;
      }
      else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
      {
        preReadRequest = getRequestControl(LDAPPreReadRequestControl.DECODER);
      }
      else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
      {
        if (c instanceof LDAPPostReadRequestControl)
        {
          noOp = true;
          postReadRequest = (LDAPPostReadRequestControl) c;
        }
        else if (OID_PERMISSIVE_MODIFY_CONTROL.equals(oid))
        else
        {
          permissiveModify = true;
          postReadRequest = getRequestControl(LDAPPostReadRequestControl.DECODER);
          iter.set(postReadRequest);
        }
        else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
        {
          preReadRequest = getRequestControl(LDAPPreReadRequestControl.DECODER);
        }
        else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
        {
          if (c instanceof LDAPPostReadRequestControl)
          {
            postReadRequest = (LDAPPostReadRequestControl) c;
          }
          else
          {
            postReadRequest = getRequestControl(LDAPPostReadRequestControl.DECODER);
            iter.set(postReadRequest);
          }
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
        {
          continue;
        }
        else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
        {
          pwPolicyControlRequested = true;
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
        {
          throw newDirectoryException(currentEntry,
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_MODIFY_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
      else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
      {
        continue;
      }
      else if (OID_PASSWORD_POLICY_CONTROL.equals(oid))
      {
        pwPolicyControlRequested = true;
      }
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
      {
        throw newDirectoryException(currentEntry, ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            ERR_MODIFY_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
      }
    }
  }

 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java

@@ -26,7 +26,6 @@
 */
package org.opends.server.workflowelement.localbackend;

import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;

import org.forgerock.i18n.slf4j.LocalizedLogger;
@@ -285,138 +284,117 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(baseDN, this);

    List<Control> requestControls  = getRequestControls();
    if (requestControls != null && ! requestControls.isEmpty())
    for (Control c : getRequestControls())
    {
      for (Control c : requestControls)
      final String oid = c.getOID();

      if (OID_LDAP_ASSERTION.equals(oid))
      {
        final String  oid = c.getOID();
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);

        if (OID_LDAP_ASSERTION.equals(oid))
        SearchFilter assertionFilter;
        try
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
          assertionFilter = assertControl.getSearchFilter();
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          SearchFilter assertionFilter;
          try
          {
            assertionFilter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);
          throw new DirectoryException(de.getResultCode(),
              ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()), de);
        }

            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                de.getMessageObject()), de);
          }
        Entry entry;
        try
        {
          entry = DirectoryServer.getEntry(baseDN);
        }
        catch (DirectoryException de)
        {
          logger.traceException(de);

          Entry entry;
          try
          {
            entry = DirectoryServer.getEntry(baseDN);
          }
          catch (DirectoryException de)
          {
            logger.traceException(de);
          throw new DirectoryException(de.getResultCode(),
              ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(de.getMessageObject()));
        }

            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
                                de.getMessageObject()));
          }
        if (entry == null)
        {
          throw new DirectoryException(ResultCode.NO_SUCH_OBJECT, ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
        }

          if (entry == null)
          {
            throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
                           ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
          }

          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, assertionFilter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
        // Check if the current user has permission to make this determination.
        if (!getAccessControlHandler().isAllowed(this, entry, assertionFilter))
        {
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
        }

          try {
            if (! assertionFilter.matchesEntry(entry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
                                           ERR_SEARCH_ASSERTION_FAILED.get());
            }
          }
          catch (DirectoryException de)
        try
        {
          if (!assertionFilter.matchesEntry(entry))
          {
            if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
            {
              throw de;
            }

            logger.traceException(de);

            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                de.getMessageObject()), de);
            throw new DirectoryException(ResultCode.ASSERTION_FAILED, ERR_SEARCH_ASSERTION_FAILED.get());
          }
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
        catch (DirectoryException de)
        {
          continue;
        }
        else if (OID_PERSISTENT_SEARCH.equals(oid))
        {
          final PersistentSearchControl ctrl =
              getRequestControl(PersistentSearchControl.DECODER);
          if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
          {
            throw de;
          }

          persistentSearch = new PersistentSearch(this,
              ctrl.getChangeTypes(), ctrl.getChangesOnly(), ctrl.getReturnECs());
        }
        else if (OID_LDAP_SUBENTRIES.equals(oid))
        {
          SubentriesControl subentriesControl =
                  getRequestControl(SubentriesControl.DECODER);
          setReturnSubentriesOnly(subentriesControl.getVisibility());
        }
        else if (OID_LDUP_SUBENTRIES.equals(oid))
        {
          // Support for legacy draft-ietf-ldup-subentry.
          addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(),
              "obsoleteSubentryControl"));
          logger.traceException(de);

          setReturnSubentriesOnly(true);
          throw new DirectoryException(de.getResultCode(),
              ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()), de);
        }
        else if (OID_MATCHED_VALUES.equals(oid))
        {
          MatchedValuesControl matchedValuesControl =
                getRequestControl(MatchedValuesControl.DECODER);
          setMatchedValuesControl(matchedValuesControl);
        }
        else if (OID_ACCOUNT_USABLE_CONTROL.equals(oid))
        {
          setIncludeUsableControl(true);
        }
        else if (OID_REAL_ATTRS_ONLY.equals(oid))
        {
          setRealAttributesOnly(true);
        }
        else if (OID_VIRTUAL_ATTRS_ONLY.equals(oid))
        {
          setVirtualAttributesOnly(true);
        }
        else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid) &&
          DirectoryServer.isSupportedControl(OID_GET_EFFECTIVE_RIGHTS))
        {
          // Do nothing here and let AciHandler deal with it.
        }
      }
      else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
      {
        continue;
      }
      else if (OID_PERSISTENT_SEARCH.equals(oid))
      {
        final PersistentSearchControl ctl = getRequestControl(PersistentSearchControl.DECODER);
        persistentSearch = new PersistentSearch(this, ctl.getChangeTypes(), ctl.getChangesOnly(), ctl.getReturnECs());
      }
      else if (OID_LDAP_SUBENTRIES.equals(oid))
      {
        SubentriesControl subentriesControl = getRequestControl(SubentriesControl.DECODER);
        setReturnSubentriesOnly(subentriesControl.getVisibility());
      }
      else if (OID_LDUP_SUBENTRIES.equals(oid))
      {
        // Support for legacy draft-ietf-ldup-subentry.
        addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(), "obsoleteSubentryControl"));

        // NYI -- Add support for additional controls.
        else if (c.isCritical() && !backendSupportsControl(oid))
        {
          throw new DirectoryException(
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_SEARCH_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
        }
        setReturnSubentriesOnly(true);
      }
      else if (OID_MATCHED_VALUES.equals(oid))
      {
        setMatchedValuesControl(getRequestControl(MatchedValuesControl.DECODER));
      }
      else if (OID_ACCOUNT_USABLE_CONTROL.equals(oid))
      {
        setIncludeUsableControl(true);
      }
      else if (OID_REAL_ATTRS_ONLY.equals(oid))
      {
        setRealAttributesOnly(true);
      }
      else if (OID_VIRTUAL_ATTRS_ONLY.equals(oid))
      {
        setVirtualAttributesOnly(true);
      }
      else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid) && DirectoryServer.isSupportedControl(OID_GET_EFFECTIVE_RIGHTS))
      {
        // Do nothing here and let AciHandler deal with it.
      }
      else if (c.isCritical() && !backendSupportsControl(oid))
      {
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            ERR_SEARCH_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
      }
    }
  }

 opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java

@@ -315,30 +315,25 @@
   */
  static void removeAllDisallowedControls(DN targetDN, Operation operation) throws DirectoryException
  {
    List<Control> requestControls = operation.getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (Iterator<Control> iter = operation.getRequestControls().iterator(); iter.hasNext();)
    {
      for (Iterator<Control> iter = requestControls.iterator(); iter.hasNext();)
      final Control control = iter.next();
      if (isProxyAuthzControl(control.getOID()))
      {
        final Control control = iter.next();
        if (isProxyAuthzControl(control.getOID()))
        continue;
      }

      if (!getAccessControlHandler().isAllowed(targetDN, operation, control))
      {
        // As per RFC 4511 4.1.11.
        if (control.isCritical())
        {
          continue;
          throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(control.getOID()));
        }

        if (!getAccessControlHandler().isAllowed(targetDN, operation, control))
        {
          // As per RFC 4511 4.1.11.
          if (control.isCritical())
          {
            throw new DirectoryException(
                ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(control.getOID()));
          }

          // We do not want the backend to process this non-critical control, so remove it.
          iter.remove();
        }
        // We do not want the backend to process this non-critical control, so remove it.
        iter.remove();
      }
    }
  }
@@ -354,28 +349,23 @@
   */
  static void evaluateProxyAuthControls(Operation operation) throws DirectoryException
  {
    final List<Control> requestControls = operation.getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    for (Control control : operation.getRequestControls())
    {
      for (Control control : requestControls)
      final String oid = control.getOID();
      if (isProxyAuthzControl(oid))
      {
        final String oid = control.getOID();
        if (isProxyAuthzControl(oid))
        DN authDN = operation.getClientConnection().getAuthenticationInfo().getAuthenticationDN();
        if (getAccessControlHandler().isAllowed(authDN, operation, control))
        {
          if (getAccessControlHandler().isAllowed(operation.getClientConnection()
                  .getAuthenticationInfo().getAuthenticationDN(), operation, control))
          processProxyAuthControls(operation, oid);
        }
        else
        {
          // As per RFC 4511 4.1.11.
          if (control.isCritical())
          {
            processProxyAuthControls(operation, oid);
          }
          else
          {
            // As per RFC 4511 4.1.11.
            if (control.isCritical())
            {
              throw new DirectoryException(
                      ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                      ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(control.getOID()));
            }
            throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(control.getOID()));
          }
        }
      }