From 50eecfac301a49564cd88a2d8c180bbd72a6185d Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Sun, 04 Feb 2007 02:58:26 +0000
Subject: [PATCH] Update the process that SASL mechanisms use to set authentication info for the bind operation.  Previously, they were setting it directly in the client connection, which introduced the possibility that a failure in bind processing which occurred after the SASL credentials were validated could result in a case in which a failure was returned to the client but the associated connection could still be authenticated in the server.  SASL mechanism handlers will now set the authentication info in the bind operation and it will only be updated in the client connection if all processing associated with the bind operation is successful.

---
 opends/src/server/org/opends/server/extensions/AnonymousSASLMechanismHandler.java |   61 ++++++------------------------
 1 files changed, 12 insertions(+), 49 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/AnonymousSASLMechanismHandler.java b/opends/src/server/org/opends/server/extensions/AnonymousSASLMechanismHandler.java
index f6333dd..2f23864 100644
--- a/opends/src/server/org/opends/server/extensions/AnonymousSASLMechanismHandler.java
+++ b/opends/src/server/org/opends/server/extensions/AnonymousSASLMechanismHandler.java
@@ -22,7 +22,7 @@
  * CDDL HEADER END
  *
  *
- *      Portions Copyright 2006 Sun Microsystems, Inc.
+ *      Portions Copyright 2006-2007 Sun Microsystems, Inc.
  */
 package org.opends.server.extensions;
 
@@ -81,21 +81,9 @@
 
 
   /**
-   * Initializes this SASL mechanism handler based on the information in the
-   * provided configuration entry.  It should also register itself with the
-   * Directory Server for the particular kinds of SASL mechanisms that it
-   * will process.
-   *
-   * @param  configEntry  The configuration entry that contains the information
-   *                      to use to initialize this SASL mechanism handler.
-   *
-   * @throws  ConfigException  If an unrecoverable problem arises in the
-   *                           process of performing the initialization.
-   *
-   * @throws  InitializationException  If a problem occurs during initialization
-   *                                   that is not related to the server
-   *                                   configuration.
+   * {@inheritDoc}
    */
+  @Override()
   public void initializeSASLMechanismHandler(ConfigEntry configEntry)
          throws ConfigException, InitializationException
   {
@@ -112,9 +100,9 @@
 
 
   /**
-   * Performs any finalization that may be necessary for this SASL mechanism
-   * handler.
+   * {@inheritDoc}
    */
+  @Override()
   public void finalizeSASLMechanismHandler()
   {
     assert debugEnter(CLASS_NAME, "finalizeSASLMechanismHandler");
@@ -126,15 +114,9 @@
 
 
   /**
-   * Processes the provided SASL bind operation.  Note that if the SASL
-   * processing gets far enough to be able to map the associated request to a
-   * user entry (regardless of whether the authentication is ultimately
-   * successful), then this method must call the
-   * <CODE>BindOperation.setSASLAuthUserEntry</CODE> to provide it with the
-   * entry for the user that attempted to authenticate.
-   *
-   * @param  bindOperation  The SASL bind operation to be processed.
+   * {@inheritDoc}
    */
+  @Override()
   public void processSASLBind(BindOperation bindOperation)
   {
     assert debugEnter(CLASS_NAME, "processSASLBind",
@@ -161,25 +143,16 @@
     // Authenticate the client anonymously and indicate that the bind was
     // successful.
     AuthenticationInfo authInfo = new AuthenticationInfo();
-    bindOperation.getClientConnection().setAuthenticationInfo(authInfo);
+    bindOperation.setAuthenticationInfo(authInfo);
     bindOperation.setResultCode(ResultCode.SUCCESS);
   }
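Review bot: The comment above `AuthenticationInfo authInfo = new AuthenticationInfo();` should state that the handler must not touch the client connection, because the guarantee in the commit message (no connection is left authenticated after a failed bind) only holds if every mechanism handler follows this rule; something like `// Attach the identity to the bind operation only; the connection is updated by the bind operation itself, and only if the whole bind succeeds.` The new line also relies on the no-argument `AuthenticationInfo` constructor representing an anonymous, unauthenticated identity — presumably it does, but that is not visible in this hunk, so a short comment naming that assumption would help the next reader. processSASLBind begins before this hunk, so any handling of the optional ANONYMOUS trace string is outside what can be reviewed here.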
 
 
 
   /**
-   * Indicates whether the specified SASL mechanism is password-based or uses
-   * some other form of credentials (e.g., an SSL client certificate or Kerberos
-   * ticket).
-   *
-   * @param  mechanism  The name of the mechanism for which to make the
-   *                    determination.  This will only be invoked with names of
-   *                    mechanisms for which this handler has previously
-   *                    registered.
-   *
-   * @return  <CODE>true</CODE> if this SASL mechanism is password-based, or
-   *          <CODE>false</CODE> if it uses some other form of credentials.
+   * {@inheritDoc}
    */
+  @Override()
   public boolean isPasswordBased(String mechanism)
   {
     assert debugEnter(CLASS_NAME, "isPasswordBased", String.valueOf(mechanism));
@@ -191,19 +164,9 @@
 
 
   /**
-   * Indicates whether the specified SASL mechanism should be considered secure
-   * (i.e., it does not expose the authentication credentials in a manner that
-   * is useful to a third-party observer, and other aspects of the
-   * authentication are generally secure).
-   *
-   * @param  mechanism  The name of the mechanism for which to make the
-   *                    determination.  This will only be invoked with names of
-   *                    mechanisms for which this handler has previously
-   *                    registered.
-   *
-   * @return  <CODE>true</CODE> if this SASL mechanism should be considered
-   *          secure, or <CODE>false</CODE> if not.
+   * {@inheritDoc}
    */
+  @Override()
   public boolean isSecure(String mechanism)
   {
     assert debugEnter(CLASS_NAME, "isSecure", String.valueOf(mechanism));

--
Gitblit v1.10.0