From 74d7af9059994d7c6e1b08316429b8dcb017a70b Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Thu, 04 Jun 2015 10:53:55 +0000
Subject: [PATCH] FR-721 OPENDJ-2071 improve aci checks for proxy auth controls

---
 opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciContainer.java |   34 ++--------------------------------
 1 files changed, 2 insertions(+), 32 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciContainer.java b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciContainer.java
index 47c8145..aefa568 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciContainer.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciContainer.java
@@ -118,18 +118,6 @@
     private Entry authorizationEntry;
 
     /**
-     * Used to save the current authorization entry when the authorization
-     * entry is switched during a proxy access check.
-     */
-    private final Entry saveAuthorizationEntry;
-
-    /**
-     * This entry is only used if proxied authorization is being used.  It is
-     * the original authorization entry before the proxied authorization change.
-     */
-    private Entry origAuthorizationEntry;
-
-    /**
      * True if proxied authorization is being used.
      */
     private boolean proxiedAuthorization;
@@ -248,8 +236,7 @@
 
       //If the proxied authorization control was processed, then the operation
       //will contain an attachment containing the original authorization entry.
-      this.origAuthorizationEntry =
-                      (Entry) operation.getAttachment(ORIG_AUTH_ENTRY);
+      final Entry origAuthorizationEntry = (Entry) operation.getAttachment(ORIG_AUTH_ENTRY);
       this.proxiedAuthorization = origAuthorizationEntry != null;
       this.authorizationEntry=operation.getAuthorizationEntry();
 
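Review bot: After this change `origAuthorizationEntry` is a local that is used only to set `proxiedAuthorization`, so once the constructor returns the container holds no reference to the proxying user's entry, and the comment above the assignment does not say so. Nothing visible here shows where the proxy right is now evaluated against that original entry, and the diffstat lists only this file, so the comment should name that place. I would extend it with something like `// Only the presence of the original entry is recorded; the proxy right is checked against it in <PLACEHOLDER: caller>.` The enclosing constructor starts and ends outside this hunk.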
@@ -292,8 +279,7 @@
 
       //Reference the current authorization entry, so it can be put back
       //if an access proxy check was performed.
-      this.saveAuthorizationEntry=this.authorizationEntry;
-      this.rightsMask = rights;
+        this.rightsMask = rights;
     }
 
     /**
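Review bot: The two comment lines kept above `this.rightsMask = rights;` ("Reference the current authorization entry, so it can be put back if an access proxy check was performed") describe the `saveAuthorizationEntry` assignment that this hunk removes. Left in place, they suggest the authorization entry is still swapped and restored during proxy checks, which is misleading in access-control code. Delete them, or, if this is the intent, replace them with `// The authorization entry is not switched after construction.` The re-added line is also indented eight spaces where the rest of the constructor body uses six; `      this.rightsMask = rights;` keeps it aligned. The constructor begins outside this hunk.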
@@ -312,7 +298,6 @@
         this.clientConnection=operation.getClientConnection();
         this.authInfo = authInfo;
         this.authorizationEntry = authInfo.getAuthorizationEntry();
-        this.saveAuthorizationEntry=this.authorizationEntry;
         this.rightsMask = rights;
     }
   /**
@@ -489,21 +474,6 @@
      return this.authzid.equals(this.authorizationEntry.getName());
     }
 
-  /**
-   * If the specified value is true, then the original authorization entry,
-   * which is the  entry before the switch performed by the proxied
-   * authorization control processing should be set to the current
-   * authorization entry. If the specified value is false then the proxied
-   * authorization entry is switched back using the saved copy.
-   * @param val The value used to select the authorization entry to use.
-   */
-    public void useOrigAuthorizationEntry(boolean val) {
-      if(val)
-        authorizationEntry=origAuthorizationEntry;
-      else
-        authorizationEntry=saveAuthorizationEntry;
-    }
-
     /** {@inheritDoc} */
     @Override
     public void setDenyList(List<Aci> denys) {

--
Gitblit v1.10.0