From 5067760c866efc66b933457bd399affa47c9e9a4 Mon Sep 17 00:00:00 2001
From: matthew_swift <matthew_swift@localhost>
Date: Fri, 24 Apr 2009 12:52:54 +0000
Subject: [PATCH] Fix issue 3928: Wrong error message sent to access log (while correct one is in error log)
---
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java | 19 ++
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java | 19 ++
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java | 19 ++
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java | 19 ++
opends/src/server/org/opends/server/core/ExtendedOperationBasis.java | 50 +++++--
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java | 19 ++
opends/src/server/org/opends/server/api/AccessControlHandler.java | 76 +++++++++++-
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java | 65 ++++------
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java | 19 ++
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java | 19 ++
10 files changed, 226 insertions(+), 98 deletions(-)
diff --git a/opends/src/server/org/opends/server/api/AccessControlHandler.java b/opends/src/server/org/opends/server/api/AccessControlHandler.java
index e7d6578..ccb590a 100644
--- a/opends/src/server/org/opends/server/api/AccessControlHandler.java
+++ b/opends/src/server/org/opends/server/api/AccessControlHandler.java
@@ -129,9 +129,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- LocalBackendAddOperation addOperation);
+ LocalBackendAddOperation addOperation)
+ throws DirectoryException;
@@ -148,9 +154,17 @@
* The control for which to make the determination.
* @return {@code true} if the control should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
- public abstract boolean isAllowed(DN dn, Operation op,
- Control control);
+ public abstract boolean isAllowed(
+ DN dn,
+ Operation op,
+ Control control)
+ throws DirectoryException;
@@ -163,9 +177,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- LocalBackendBindOperation bindOperation);
+ LocalBackendBindOperation bindOperation)
+ throws DirectoryException;
@@ -178,9 +198,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- LocalBackendCompareOperation compareOperation);
+ LocalBackendCompareOperation compareOperation)
+ throws DirectoryException;
@@ -193,9 +219,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- LocalBackendDeleteOperation deleteOperation);
+ LocalBackendDeleteOperation deleteOperation)
+ throws DirectoryException;
@@ -208,9 +240,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- ExtendedOperation extendedOperation);
+ ExtendedOperation extendedOperation)
+ throws DirectoryException;
@@ -223,9 +261,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- LocalBackendModifyOperation modifyOperation);
+ LocalBackendModifyOperation modifyOperation)
+ throws DirectoryException;
@@ -238,9 +282,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- LocalBackendModifyDNOperation modifyDNOperation);
+ LocalBackendModifyDNOperation modifyDNOperation)
+ throws DirectoryException;
@@ -256,9 +306,15 @@
* The operation for which to make the determination.
* @return {@code true} if the operation should be allowed by the
* access control configuration, or {@code false} if not.
+ * @throws DirectoryException
+ * If an error occurred while performing the access
+ * control check. For example, if an attribute could not
+ * be decoded. Care must be taken not to expose any
+ * potentially sensitive information in the exception.
*/
public abstract boolean isAllowed(
- LocalBackendSearchOperation searchOperation);
+ LocalBackendSearchOperation searchOperation)
+ throws DirectoryException;
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 8e8d4c7..829d1e9 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -77,6 +77,7 @@
import org.opends.server.types.Operation;
import org.opends.server.types.Privilege;
import org.opends.server.types.RDN;
+import org.opends.server.types.ResultCode;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.types.SearchResultReference;
@@ -89,7 +90,7 @@
* The AciHandler class performs the main processing for the dseecompat
* package.
*/
-public class AciHandler extends
+public final class AciHandler extends
AccessControlHandler<DseeCompatAccessControlHandlerCfg>
{
/**
@@ -318,6 +319,7 @@
*/
@Override
public boolean isAllowed(DN entryDN, Operation op, Control control)
+ throws DirectoryException
{
boolean ret;
if (!(ret = skipAccessCheck(op)))
@@ -335,31 +337,20 @@
}
else if (control.getOID().equals(OID_GET_EFFECTIVE_RIGHTS))
{
- try
+ GetEffectiveRightsRequestControl getEffectiveRightsControl;
+ if (control instanceof LDAPControl)
{
- GetEffectiveRightsRequestControl getEffectiveRightsControl;
- if (control instanceof LDAPControl)
- {
- getEffectiveRightsControl =
- GetEffectiveRightsRequestControl.DECODER.decode(control
- .isCritical(), ((LDAPControl) control).getValue());
- }
- else
- {
- getEffectiveRightsControl =
- (GetEffectiveRightsRequestControl) control;
- }
- op.setAttachment(OID_GET_EFFECTIVE_RIGHTS,
- getEffectiveRightsControl);
+ getEffectiveRightsControl =
+ GetEffectiveRightsRequestControl.DECODER.decode(control
+ .isCritical(), ((LDAPControl) control).getValue());
}
- catch (DirectoryException de)
+ else
{
- Message message =
- WARN_ACI_SYNTAX_DECODE_EFFECTIVERIGHTS_FAIL.get(de
- .getMessage());
- logError(message);
- ret = false;
+ getEffectiveRightsControl =
+ (GetEffectiveRightsRequestControl) control;
}
+ op.setAttachment(OID_GET_EFFECTIVE_RIGHTS,
+ getEffectiveRightsControl);
}
return ret;
}
@@ -388,14 +379,11 @@
/**
- * Check access on add operations.
- *
- * @param operation
- * The add operation to check access on.
- * @return True if access is allowed.
+ * {@inheritDoc}
*/
@Override
public boolean isAllowed(LocalBackendAddOperation operation)
+ throws DirectoryException
{
AciLDAPOperationContainer operationContainer =
new AciLDAPOperationContainer(operation, ACI_ADD);
@@ -543,15 +531,11 @@
/**
- * Check access on modify operations.
- *
- * @param operation
- * The modify operation to check access on.
- * @return True if access is allowed.
+ * {@inheritDoc}
*/
-
@Override
public boolean isAllowed(LocalBackendModifyOperation operation)
+ throws DirectoryException
{
AciLDAPOperationContainer operationContainer =
new AciLDAPOperationContainer(operation, ACI_NULL);
@@ -910,9 +894,12 @@
* @param skipAccessCheck
* True if access checking should be skipped.
* @return True if access is allowed.
+ * @throws DirectoryException
+ * If a modified ACI could not be decoded.
*/
private boolean aciCheckMods(AciLDAPOperationContainer container,
LocalBackendModifyOperation operation, boolean skipAccessCheck)
+ throws DirectoryException
{
Entry resourceEntry = container.getResourceEntry();
DN dn = resourceEntry.getDN();
@@ -1044,8 +1031,8 @@
Message message =
WARN_ACI_MODIFY_FAILED_DECODE.get(String.valueOf(dn),
ex.getMessage());
- logError(message);
- return false;
+ throw new DirectoryException(
+ ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
}
}
}
@@ -1598,9 +1585,11 @@
* The authorization DN.
* @return True if the entry has no ACI attributes or if all of the
* "aci" attributes values pass ACI syntax checking.
+ * @throws DirectoryException
+ * If a modified ACI could not be decoded.
*/
private boolean verifySyntax(Entry entry, Operation operation,
- DN clientDN)
+ DN clientDN) throws DirectoryException
{
if (entry.hasOperationalAttribute(aciType))
{
@@ -1633,8 +1622,8 @@
Message message =
WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entry
.getDN()), ex.getMessage());
- logError(message);
- return false;
+ throw new DirectoryException(
+ ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
}
}
}
diff --git a/opends/src/server/org/opends/server/core/ExtendedOperationBasis.java b/opends/src/server/org/opends/server/core/ExtendedOperationBasis.java
index 527f19a..a50bc70 100644
--- a/opends/src/server/org/opends/server/core/ExtendedOperationBasis.java
+++ b/opends/src/server/org/opends/server/core/ExtendedOperationBasis.java
@@ -22,7 +22,7 @@
* CDDL HEADER END
*
*
- * Copyright 2006-2008 Sun Microsystems, Inc.
+ * Copyright 2006-2009 Sun Microsystems, Inc.
*/
package org.opends.server.core;
import org.opends.messages.MessageBuilder;
@@ -47,6 +47,7 @@
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.*;
+
import static org.opends.messages.CoreMessages.*;
import static org.opends.server.util.ServerConstants.*;
@@ -362,6 +363,7 @@
* managing synchronization, and any other work that might need to
* be done in the course of processing.
*/
+ @Override
public final void run()
{
setResultCode(ResultCode.UNDEFINED);
@@ -417,15 +419,25 @@
{
for (Control c : requestControls)
{
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().
- isAllowed(this.getAuthorizationDN(), this, c)) {
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
-
- appendErrorMessage(ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(
- c.getOID()));
+ try
+ {
+ if (!AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(
+ this.getAuthorizationDN(), this, c))
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS
+ .get(c.getOID()));
+ return;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
return;
}
+
if (! c.isCritical())
{
// The control isn't critical, so we don't care if it's supported
@@ -451,13 +463,21 @@
// FIXME: for now assume that this will check all permission
// pertinent to the operation. This includes proxy authorization
// and any other controls specified.
- if (AccessControlConfigManager.getInstance()
- .getAccessControlHandler().isAllowed(this) == false) {
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
-
- appendErrorMessage(ERR_EXTENDED_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(requestOID)));
-
+ try
+ {
+ if (AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this) == false)
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_EXTENDED_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(requestOID)));
+ return;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
return;
}
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
index 69483c8..bb0ace1 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
@@ -550,12 +550,21 @@
// FIXME: earlier checks to see if the entry already exists or
// if the parent entry does not exist may have already exposed
// sensitive information to the client.
- if (AccessControlConfigManager.getInstance().getAccessControlHandler().
- isAllowed(this) == false)
+ try
{
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
- appendErrorMessage(ERR_ADD_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(entryDN)));
+ if (AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this) == false)
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_ADD_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(entryDN)));
+ break addProcessing;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
break addProcessing;
}
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
index be86dcb..4d5374b 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
@@ -233,12 +233,21 @@
// FIXME: for now assume that this will check all permission
// pertinent to the operation. This includes any controls
// specified.
- if (! AccessControlConfigManager.getInstance().getAccessControlHandler().
- isAllowed(this))
+ try
{
- setResultCode(ResultCode.INVALID_CREDENTIALS);
- setAuthFailureReason(ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(bindDN)));
+ if (!AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this))
+ {
+ setResultCode(ResultCode.INVALID_CREDENTIALS);
+ setAuthFailureReason(ERR_BIND_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(bindDN)));
+ break bindProcessing;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ setAuthFailureReason(e.getMessageObject());
break bindProcessing;
}
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
index 2302dd3..aab4329 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
@@ -278,12 +278,21 @@
// FIXME: earlier checks to see if the entry already exists may
// have already exposed sensitive information to the client.
- if (! AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this))
+ try
{
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
- appendErrorMessage(ERR_COMPARE_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(entryDN)));
+ if (!AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this))
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_COMPARE_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(entryDN)));
+ break compareProcessing;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
break compareProcessing;
}
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
index d4f6f49..6b60609 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
@@ -278,12 +278,21 @@
// FIXME: earlier checks to see if the entry already exists may
// have already exposed sensitive information to the client.
- if (! AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this))
+ try
{
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
- appendErrorMessage(ERR_DELETE_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(entryDN)));
+ if (!AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this))
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_DELETE_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(entryDN)));
+ break deleteProcessing;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
break deleteProcessing;
}
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
index 3c198bb..451d4f1 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
@@ -450,12 +450,21 @@
// FIXME: earlier checks to see if the entry or new superior
// already exists may have already exposed sensitive information
// to the client.
- if (! AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this))
+ try
{
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
- appendErrorMessage(ERR_MODDN_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(entryDN)));
+ if (!AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this))
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_MODDN_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(entryDN)));
+ break modifyDNProcessing;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
break modifyDNProcessing;
}
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
index 6d011ca..0431fb0 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
@@ -499,12 +499,21 @@
// FIXME: earlier checks to see if the entry already exists may have
// already exposed sensitive information to the client.
- if (! AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this))
+ try
{
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
- appendErrorMessage(ERR_MODIFY_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(entryDN)));
+ if (!AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this))
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_MODIFY_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(entryDN)));
+ break modifyProcessing;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
break modifyProcessing;
}
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
index 33e96a1..b80adaf 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
@@ -191,12 +191,21 @@
// FIXME: for now assume that this will check all permission
// pertinent to the operation. This includes proxy authorization
// and any other controls specified.
- if (! AccessControlConfigManager.getInstance().getAccessControlHandler().
- isAllowed(this))
+ try
{
- setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
- appendErrorMessage(ERR_SEARCH_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(
- String.valueOf(baseDN)));
+ if (!AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().isAllowed(this))
+ {
+ setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ appendErrorMessage(ERR_SEARCH_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
+ .get(String.valueOf(baseDN)));
+ break searchProcessing;
+ }
+ }
+ catch (DirectoryException e)
+ {
+ setResultCode(e.getResultCode());
+ appendErrorMessage(e.getMessageObject());
break searchProcessing;
}
--
Gitblit v1.10.0