From 74d7af9059994d7c6e1b08316429b8dcb017a70b Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Thu, 04 Jun 2015 10:53:55 +0000
Subject: [PATCH] FR-721 OPENDJ-2071 improve aci checks for proxy auth controls

---
 opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java |   30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
index 938995e..e59db6d 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -559,36 +559,6 @@
       }
     }
 
-    // Check proxy authorization only if the entry has not already been
-    // processed (working on a new entry). If working on a new entry,
-    // then only do a proxy check if the right is not set to ACI_PROXY
-    // and the proxied authorization control has been decoded.
-    if (!container.hasSeenEntry())
-    {
-      if (container.isProxiedAuthorization()
-          && !container.hasRights(ACI_PROXY)
-          && !container.hasRights(ACI_SKIP_PROXY_CHECK))
-      {
-        int currentRights = container.getRights();
-        // Save the current rights so they can be put back if on success.
-        container.setRights(ACI_PROXY);
-        // Switch to the original authorization entry, not the proxied one.
-        container.useOrigAuthorizationEntry(true);
-        if (!accessAllowed(container))
-        {
-          return false;
-        }
-        // Access is ok, put the original rights back.
-        container.setRights(currentRights);
-        // Put the proxied authorization entry back to the current
-        // authorization entry.
-        container.useOrigAuthorizationEntry(false);
-      }
-      // Set the seen flag so proxy processing is not performed for this
-      // entry again.
-      container.setSeenEntry(true);
-    }
-
     // First get all allowed candidate ACIs.
     List<Aci> candidates = aciList.getCandidateAcis(dn);
     /*

--
Gitblit v1.10.0