From 2aa25e93e3ccf66f1afed1f5c191fae8da4209dc Mon Sep 17 00:00:00 2001
From: Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Wed, 06 Mar 2013 15:51:04 +0000
Subject: [PATCH] OPENDJ-655 Message about authentication failures should contain identification of the user for easier analysis.
---
opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java | 203 +++++++++++++++++++++-----------------------------
1 files changed, 86 insertions(+), 117 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java b/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
index 6ca0485..9188291 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
@@ -23,7 +23,7 @@
*
*
* Copyright 2008-2010 Sun Microsystems, Inc.
- * Portions copyright 2011-2012 ForgeRock AS.
+ * Portions copyright 2011-2013 ForgeRock AS.
*/
package org.opends.server.workflowelement.localbackend;
@@ -200,122 +200,7 @@
pwPolicyWarningValue = -1 ;
pluginConfigManager = DirectoryServer.getPluginConfigManager();
-
- // Create a labeled block of code that we can break out of if a problem is
- // detected.
-bindProcessing:
- {
- // Check to see if the client has permission to perform the
- // bind.
-
- // FIXME: for now assume that this will check all permission
- // pertinent to the operation. This includes any controls
- // specified.
- try
- {
- if (!AccessControlConfigManager.getInstance()
- .getAccessControlHandler().isAllowed(this))
- {
- setResultCode(ResultCode.INVALID_CREDENTIALS);
- setAuthFailureReason(ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
- .get(String.valueOf(bindDN)));
- break bindProcessing;
- }
- }
- catch (DirectoryException e)
- {
- setResultCode(e.getResultCode());
- setAuthFailureReason(e.getMessageObject());
- break bindProcessing;
- }
-
- // Check to see if there are any controls in the request. If so, then see
- // if there is any special processing required.
- try
- {
- handleRequestControls();
- }
- catch (DirectoryException de)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, de);
- }
-
- setResponseData(de);
- break bindProcessing;
- }
-
-
- // Check to see if this is a simple bind or a SASL bind and process
- // accordingly.
- switch (getAuthenticationType())
- {
- case SIMPLE:
- try
- {
- if (! processSimpleBind())
- {
- break bindProcessing;
- }
- }
- catch (DirectoryException de)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, de);
- }
-
- if (de.getResultCode() == ResultCode.INVALID_CREDENTIALS)
- {
- setResultCode(ResultCode.INVALID_CREDENTIALS);
- setAuthFailureReason(de.getMessageObject());
- }
- else
- {
- setResponseData(de);
- }
- break bindProcessing;
- }
- break;
-
-
- case SASL:
- try
- {
- if (! processSASLBind())
- {
- break bindProcessing;
- }
- }
- catch (DirectoryException de)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, de);
- }
-
- if (de.getResultCode() == ResultCode.INVALID_CREDENTIALS)
- {
- setResultCode(ResultCode.INVALID_CREDENTIALS);
- setAuthFailureReason(de.getMessageObject());
- }
- else
- {
- setResponseData(de);
- }
- break bindProcessing;
- }
- break;
-
-
- default:
- // Send a protocol error response to the client and disconnect.
- // NYI
- setResultCode(ResultCode.PROTOCOL_ERROR);
- }
- }
-
+ processBind();
// Update the user's account with any password policy changes that may be
// required.
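Review bot: The boolean results of `processSimpleBind()` and `processSASLBind()`, which the removed labeled block used to `break bindProcessing` on, are now discarded by the `processBind();` call added here. That is behaviour-preserving only because processBind() falls off the end of its switch either way and control then reaches the password-policy update below exactly as the old `break` did; that reasoning is not obvious to a reader who sees a discarded return value, so a one-line comment on the call, `// processBind() sets the result code on failure; the password policy update below runs regardless.`, would help. The removed block also had a blank line before the "Update the user's account" comment that the new call does not, so a blank line after `processBind();` would keep the method's spacing consistent. The enclosing method starts and ends outside this hunk.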
@@ -421,6 +306,90 @@
}
+ /**
+ * Performs the checks and processing necessary for the current bind operation
+ * (simple or SASL).
+ */
+ private void processBind()
+ {
+ // Check to see if the client has permission to perform the
+ // bind.
+
+ // FIXME: for now assume that this will check all permission
+ // pertinent to the operation. This includes any controls
+ // specified.
+ try
+ {
+ if (!AccessControlConfigManager.getInstance().getAccessControlHandler()
+ .isAllowed(this))
+ {
+ setResultCode(ResultCode.INVALID_CREDENTIALS);
+ setAuthFailureReason(ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get());
+ return;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ setAuthFailureReason(e.getMessageObject());
+ return;
+ }
+
+ // Check to see if there are any controls in the request. If so, then see
+ // if there is any special processing required.
+ try
+ {
+ handleRequestControls();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
+ {
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
+ }
+
+ setResponseData(de);
+ return;
+ }
+
+ // Check to see if this is a simple bind or a SASL bind and process
+ // accordingly.
+ try
+ {
+ switch (getAuthenticationType())
+ {
+ case SIMPLE:
+ processSimpleBind();
+ break;
+
+ case SASL:
+ processSASLBind();
+ break;
+
+ default:
+ // Send a protocol error response to the client and disconnect.
+ // We should never come here.
+ setResultCode(ResultCode.PROTOCOL_ERROR);
+ }
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
+ {
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
+ }
+
+ if (de.getResultCode() == ResultCode.INVALID_CREDENTIALS)
+ {
+ setResultCode(ResultCode.INVALID_CREDENTIALS);
+ setAuthFailureReason(de.getMessageObject());
+ }
+ else
+ {
+ setResponseData(de);
+ }
+ }
+ }
/**
* Handles request control processing for this bind operation.
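Review bot: At `setAuthFailureReason(ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get());` the bind DN argument that the removed code passed (`String.valueOf(bindDN)`) is gone, so this access-denied failure reason no longer carries the user's identity in its own text; presumably the message template was changed to a no-argument form in a separate commit and the identity is added when the failure is logged, but given the subject of this patch that is worth confirming, since the diffstat shows no message catalog change here. The comment on the `default:` branch now says the server will "Send a protocol error response to the client and disconnect", yet the only statement is `setResultCode(ResultCode.PROTOCOL_ERROR);`, so the comment overstates what the code does; `// Unknown authentication type: answer with PROTOCOL_ERROR. Should be unreachable.` describes the visible behaviour. The Javadoc on processBind() could also state its effect on failure, e.g. that on any failed check it sets the result code (and the authentication failure reason where applicable) and returns without throwing, which is the contract the caller relies on.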
--
Gitblit v1.10.0