From 50eecfac301a49564cd88a2d8c180bbd72a6185d Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Sun, 04 Feb 2007 02:58:26 +0000
Subject: [PATCH] Update the process that SASL mechanisms use to set authentication info for the bind operation. Previously, they were setting it directly in the client connection, which introduced the possibility that a failure in bind processing which occurred after the SASL credentials were validated could result in a case in which a failure was returned to the client but the associated connection could still be authenticated in the server. SASL mechanism handlers will now set the authentication info in the bind operation and it will only be updated in the client connection if all processing associated with the bind operation is successful.
---
opends/src/server/org/opends/server/api/SASLMechanismHandler.java | 29 ++++++++++++++++++++++-------
1 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/opends/src/server/org/opends/server/api/SASLMechanismHandler.java b/opends/src/server/org/opends/server/api/SASLMechanismHandler.java
index 371fc0e..cf47814 100644
--- a/opends/src/server/org/opends/server/api/SASLMechanismHandler.java
+++ b/opends/src/server/org/opends/server/api/SASLMechanismHandler.java
@@ -22,7 +22,7 @@
* CDDL HEADER END
*
*
- * Portions Copyright 2006 Sun Microsystems, Inc.
+ * Portions Copyright 2006-2007 Sun Microsystems, Inc.
*/
package org.opends.server.api;
@@ -91,12 +91,27 @@
/**
- * Processes the provided SASL bind operation. Note that if the
- * SASL processing gets far enough to be able to map the associated
- * request to a user entry (regardless of whether the authentication
- * is ultimately successful), then this method must call the
- * <CODE>BindOperation.setSASLAuthUserEntry</CODE> to provide it
- * with the entry for the user that attempted to authenticate.
+ * Processes the SASL bind operation. SASL mechanism
+ * implementations must ensure that the following actions are taken
+ * during the processing of this method:
+ * <UL>
+ * <LI>The {@code BindOperation.setResultCode} method must be used
+ * to set the appropriate result code.</LI>
+ * <LI>If the SASL processing gets far enough to be able to map
+ * the request to a user entry (regardless of whether the
+ * authentication is ultimately successful), then this method
+ * must call the {@code BindOperation.setSASLAuthUserEntry}
+ * method to provide it with the entry for the user that
+ * attempted to authenticate.</LI>
+ * <LI>If the bind processing was successful, then the
+ * {@code BindOperation.setAuthenticationInfo} method must be
+ * used to set the authentication info for the bind
+ * operation.</LI>
+ * <LI>If the bind processing was not successful, then the
+ * {@code BindOperation.setAuthFailureReason} method should be
+ * used to provide a message explaining why the authentication
+ * failed.</LI>
+ * </UL>
*
* @param bindOperation The SASL bind operation to be processed.
*/
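Review bot: the new Javadoc contract lists what a handler must do with the BindOperation, but it never says what it must no longer do, namely call the client connection's own authentication-info setter directly, which is exactly the practice the commit message says introduced the risk of a connection being left authenticated after a failed bind. Since this file changes only the interface documentation (the diffstat shows one file), the contract is the only place a mechanism author will see the rule; add a sentence after the {@code BindOperation.setAuthenticationInfo} item stating that handlers must not set authentication info on the {@code ClientConnection} themselves and that the server copies it to the connection only if the bind operation completes successfully. Also consider making the wording of the last item consistent with the others: the three preceding items use "must" while {@code setAuthFailureReason} uses "should"; if the failure reason is genuinely optional, say so explicitly so readers do not assume it was an oversight.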
--
Gitblit v1.10.0