From 1112197854c0922ba9a48acbb986b3f20d743c8f Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Thu, 10 May 2012 11:28:13 +0000
Subject: [PATCH] Fix OPENDJ-475: Incorrect behaviour/result code regarding non-critical controls

---
 opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java |   20 ++++++++++++++++----
 1 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java b/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java
index 36dc59f..b54689f 100644
--- a/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java
@@ -405,11 +405,23 @@
       {
         Control c   = requestControls.get(i);
         String  oid = c.getOID();
-        if (! AccessControlConfigManager.getInstance().
-            getAccessControlHandler().isAllowed(baseDN, this, c))
+
+        if (!AccessControlConfigManager.getInstance().getAccessControlHandler()
+            .isAllowed(baseDN, this, c))
         {
-          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
-              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+          // As per RFC 4511 4.1.11.
+          if (c.isCritical())
+          {
+            throw new DirectoryException(
+                ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
+                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+          }
+          else
+          {
+            // We don't want to process this non-critical control, so remove it.
+            removeRequestControl(c);
+            continue;
+          }
         }
 
         if (oid.equals(OID_ECL_COOKIE_EXCHANGE_CONTROL))
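Review bot: In the new non-critical branch, `removeRequestControl(c); continue;` runs inside a loop that reads `requestControls.get(i)` by index. If `removeRequestControl` mutates that same list, the next control shifts into slot `i` and is skipped when `i` advances, so it never reaches the `isAllowed` check or the OID handling below. The loop header and `removeRequestControl` are outside this hunk, so this needs confirming against the full method. If it holds, either compensate the index with `removeRequestControl(c); i--; continue;` or walk the list with an `Iterator` and call `iter.remove()`. It would also help to extend the comment to say that dropping the control is the RFC 4511 section 4.1.11 behaviour for a non-critical control the server chooses not to apply.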

--
Gitblit v1.10.0