From 4e806081638f22dade6802c2996295d263d3e377 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Mon, 12 Feb 2007 16:39:30 +0000
Subject: [PATCH] Implement support for the proxied-auth privilege, which will be required in order to use the proxied authorization control. This privilege is also used to determine whether a user can specify an alternate authorization identity for the SASL DIGEST-MD5 and PLAIN mechanisms.
---
opends/src/server/org/opends/server/core/SearchOperation.java | 79 ++++++++++++++++++++++++---------------
1 files changed, 49 insertions(+), 30 deletions(-)
diff --git a/opends/src/server/org/opends/server/core/SearchOperation.java b/opends/src/server/org/opends/server/core/SearchOperation.java
index d8b6f44..15a319a 100644
--- a/opends/src/server/org/opends/server/core/SearchOperation.java
+++ b/opends/src/server/org/opends/server/core/SearchOperation.java
@@ -66,6 +66,7 @@
import org.opends.server.types.Entry;
import org.opends.server.types.FilterType;
import org.opends.server.types.OperationType;
+import org.opends.server.types.Privilege;
import org.opends.server.types.ResultCode;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
@@ -1760,6 +1761,17 @@
}
else if (oid.equals(OID_PROXIED_AUTH_V1))
{
+ // The requester must have the PROXIED_AUTH privilige in order to be
+ // able to use this control.
+ if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
+ {
+ int msgID = MSGID_PROXYAUTH_INSUFFICIENT_PRIVILEGES;
+ appendErrorMessage(getMessage(msgID));
+ setResultCode(ResultCode.AUTHORIZATION_DENIED);
+ break searchProcessing;
+ }
+
+
ProxiedAuthV1Control proxyControl;
if (c instanceof ProxiedAuthV1Control)
{
@@ -1783,28 +1795,37 @@
}
- Entry authorizationEntry;
- try
- {
- authorizationEntry = proxyControl.getAuthorizationEntry();
- }
- catch (DirectoryException de)
- {
- assert debugException(CLASS_NAME, "run", de);
+ Entry authorizationEntry;
+ try
+ {
+ authorizationEntry = proxyControl.getAuthorizationEntry();
+ }
+ catch (DirectoryException de)
+ {
+ assert debugException(CLASS_NAME, "run", de);
- setResultCode(de.getResultCode());
- appendErrorMessage(de.getErrorMessage());
+ setResultCode(de.getResultCode());
+ appendErrorMessage(de.getErrorMessage());
- break searchProcessing;
- }
+ break searchProcessing;
+ }
- // FIXME -- Should we specifically check permissions here, or let
- // the earlier access control checks handle it?
- setAuthorizationEntry(authorizationEntry);
+ setAuthorizationEntry(authorizationEntry);
}
else if (oid.equals(OID_PROXIED_AUTH_V2))
{
+ // The requester must have the PROXIED_AUTH privilige in order to be
+ // able to use this control.
+ if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
+ {
+ int msgID = MSGID_PROXYAUTH_INSUFFICIENT_PRIVILEGES;
+ appendErrorMessage(getMessage(msgID));
+ setResultCode(ResultCode.AUTHORIZATION_DENIED);
+ break searchProcessing;
+ }
+
+
ProxiedAuthV2Control proxyControl;
if (c instanceof ProxiedAuthV2Control)
{
@@ -1828,25 +1849,23 @@
}
- Entry authorizationEntry;
- try
- {
- authorizationEntry = proxyControl.getAuthorizationEntry();
- }
- catch (DirectoryException de)
- {
- assert debugException(CLASS_NAME, "run", de);
+ Entry authorizationEntry;
+ try
+ {
+ authorizationEntry = proxyControl.getAuthorizationEntry();
+ }
+ catch (DirectoryException de)
+ {
+ assert debugException(CLASS_NAME, "run", de);
- setResultCode(de.getResultCode());
- appendErrorMessage(de.getErrorMessage());
+ setResultCode(de.getResultCode());
+ appendErrorMessage(de.getErrorMessage());
- break searchProcessing;
- }
+ break searchProcessing;
+ }
- // FIXME -- Should we specifically check permissions here, or let
- // the earlier access control checks handle it?
- setAuthorizationEntry(authorizationEntry);
+ setAuthorizationEntry(authorizationEntry);
}
else if (oid.equals(OID_PERSISTENT_SEARCH))
{
--
Gitblit v1.10.0