diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
index a0ff3e64d3a2c86e603bb704d59e83366adcf4e6..a886b900f76e043157b596a0f45c147d62effac4 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
@@ -147,7 +147,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
     protected static final String LDAP_INSTITUTE = "institute";
     protected static final String LDAP_UID = "uid";
 
-    
+
     private String[] userAttribs = new String[]
             {
                     LDAP_FIRST_NAME, LDAP_LAST_NAME, LDAP_ADDRESS, LDAP_CITY,
@@ -312,7 +312,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
             catch (UserNotFoundException e)
             {
                 throw new RuntimeException("BUG: new user " + userDN.toNormalizedString() +
-                    " not found because " + e.getMessage());
+                    " not found");
             }
         }
         catch (LDAPException e)
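Review bot: The rethrow just above still discards the original exception: the new line `" not found");` drops `e.getMessage()` from the text but does not pass `e` as the cause, so the stack trace of the failed lookup is lost entirely. Use the two-argument constructor, `throw new RuntimeException("BUG: new user " + userDN.toNormalizedString() + " not found", e);`. The enclosing method starts and ends outside the hunk.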
@@ -372,8 +372,8 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
         try
         {
             // add new user
-        	
-            DN userX500DN = getUserRequestsDN(user.getUserID().getName());        	
+
+            DN userX500DN = getUserRequestsDN(user.getUserID().getName());
             List<Attribute> attributes = new ArrayList<Attribute>();
             addAttribute(attributes, LDAP_OBJECT_CLASS, LDAP_INET_ORG_PERSON);
             addAttribute(attributes, LDAP_OBJECT_CLASS, LDAP_INET_USER);
@@ -382,13 +382,13 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
                 .getName());
             addAttribute(attributes, LADP_USER_PASSWORD, new String(userRequest
                     .getPassword()));
-            addAttribute(attributes, LDAP_NUMERICID, 
+            addAttribute(attributes, LDAP_NUMERICID,
                     String.valueOf(genNextNumericId()));
             for (Principal princ : user.getIdentities())
             {
                 if (princ instanceof X500Principal)
                 {
-                    addAttribute(attributes, LDAP_DISTINGUISHED_NAME, 
+                    addAttribute(attributes, LDAP_DISTINGUISHED_NAME,
                             princ.getName());
                 }
             }
@@ -551,8 +551,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
     }
 
     public User<T> getAugmentedUser(final T userID)
-        throws UserNotFoundException, TransientException,
-        AccessControlException
+        throws UserNotFoundException, TransientException
     {
         String searchField = userLdapAttrib.get(userID.getClass());
         if (searchField == null)
@@ -563,19 +562,16 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
 
         try
         {
-            Filter filter =
-                Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock"));
-            filter =
-                Filter.createANDFilter(filter,
-                    Filter.createEqualityFilter(searchField, userID.getName()));
 
-            SearchRequest searchRequest =
-                new SearchRequest(config.getUsersDN(), SearchScope.ONE,
-                    filter, identityAttribs);
+            searchField = "(" + searchField + "=" + userID.getName() + ")";
 
-            searchRequest.addControl(
-                new ProxiedAuthorizationV2RequestControl(
-                    "dn:" + getSubjectDN().toNormalizedString()));
+            logger.debug("search field: " + searchField);
+
+            // TODO: Search must take into account deleted users (nsaccountlock attr)
+
+            SearchRequest searchRequest =
+                    new SearchRequest(config.getUsersDN(), SearchScope.ONE,
+                        searchField, identityAttribs);
 
             SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest);
 
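Review bot: The search filter is now assembled by string concatenation, `searchField = "(" + searchField + "=" + userID.getName() + ")";`, whereas the removed code went through `Filter.createEqualityFilter`, which escapes the value; with the string form, LDAP filter metacharacters in a principal name change the meaning of the filter instead of being matched literally, and `searchForEntry` can also fail on an unparsable string. The hunk also drops the `nsaccountlock` exclusion (the TODO acknowledges that locked accounts are now returned) and the proxied-authorization control, so the lookup runs under the service connection's own identity rather than the caller's — I assume the latter is intended given the `throws` change in the hunk above, but the filter should still be built with the API. Replace the string with `Filter filter = Filter.createANDFilter(Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock")), Filter.createEqualityFilter(searchField, userID.getName()));` and pass `filter` to the SearchRequest instead of `searchField`. If the account-lock check is meant to be restored later, the debug log of the raw filter string can go as well. The enclosing method continues past the hunk.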
@@ -1097,9 +1093,9 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
             LdapDAO.checkLdapResult(code);
         }
     }
-    
+
     /**
-     * Method to return a randomly generated user numeric ID. The default 
+     * Method to return a randomly generated user numeric ID. The default
      * implementation returns a value between 10000 and Integer.MAX_VALUE.
      * Services that support a different mechanism for generating numeric
      * IDs overide this method.
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
index 1489d221cccae4f434e8a720a0b53375656c9cbc..f39a41af9f1c305945416d3b2961b559a5938bd3 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
@@ -115,14 +115,14 @@ public class LdapUserPersistence<T extends Principal>
             }
         }
     }
-    
+
     /**
      * Add the new user.
      *
      * @param user
      *
      * @return User instance.
-     * 
+     *
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
@@ -151,7 +151,7 @@ public class LdapUserPersistence<T extends Principal>
      * @param userID The userID.
      *
      * @return User instance.
-     * 
+     *
      * @throws UserNotFoundException when the user is not found.
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
@@ -214,8 +214,7 @@ public class LdapUserPersistence<T extends Principal>
      * @throws AccessControlException If the operation is not permitted.
      */
     public User<T> getAugmentedUser(T userID)
-        throws UserNotFoundException, TransientException,
-        AccessControlException
+        throws UserNotFoundException, TransientException
     {
         LdapUserDAO<T> userDAO = null;
         try
@@ -238,7 +237,7 @@ public class LdapUserPersistence<T extends Principal>
      * @param userID The userID.
      *
      * @return Boolean.
-     * 
+     *
      * @throws UserNotFoundException when the user is not found.
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
@@ -267,13 +266,13 @@ public class LdapUserPersistence<T extends Principal>
      * @param user          The user to update.
      *
      * @return User instance.
-     * 
+     *
      * @throws UserNotFoundException when the user is not found.
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
     public User<T> modifyUser(User<T> user)
-        throws UserNotFoundException, TransientException, 
+        throws UserNotFoundException, TransientException,
                AccessControlException
     {
         LdapUserDAO<T> userDAO = null;
@@ -318,18 +317,18 @@ public class LdapUserPersistence<T extends Principal>
             }
         }
     }
-    
+
     /**
      * Delete the user specified by userID.
      *
      * @param userID The userID.
-     * 
+     *
      * @throws UserNotFoundException when the user is not found.
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
      */
     public void deleteUser(T userID)
-        throws UserNotFoundException, TransientException, 
+        throws UserNotFoundException, TransientException,
                AccessControlException
     {
         LdapUserDAO<T> userDAO = null;
@@ -346,17 +345,17 @@ public class LdapUserPersistence<T extends Principal>
             }
         }
     }
-    
+
     /**
      * Get all groups the user specified by userID belongs to. This method is created
      * to provide optimization for the LDAP server.
-     * 
+     *
      * @param userID The userID.
      * @param isAdmin return only admin Groups when true, else return non-admin
      *                Groups.
-     * 
+     *
      * @return Collection of Group DN.
-     * 
+     *
      * @throws UserNotFoundException  when the user is not found.
      * @throws TransientException If an temporary, unexpected problem occurred.
      * @throws AccessControlException If the operation is not permitted.
@@ -378,7 +377,7 @@ public class LdapUserPersistence<T extends Principal>
             }
         }
     }
-    
+
     /**
      * Check whether the user is a member of the group. This method is created
      * to provide optimization for the LDAP server.
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
index b03b9a5250f8a9ead1f8d0167e3697715f55e07a..ee81cfd60b063125547483e437c89e58a1d5cb13 100644
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
@@ -136,28 +136,29 @@ public class GetUserAction extends AbstractUserAction
             try
             {
                 user = userPersistence.getUser(principal);
-
-                // Only return user profile info, first and last name.
-                if (detail != null && detail.equalsIgnoreCase("display"))
-                {
-                    user.getIdentities().clear();
-                    Set<PersonalDetails> details = user.getDetails(PersonalDetails.class);
-                    if (details.isEmpty())
-                    {
-                        String error = principal.getName() + " missing required PersonalDetails";
-                        throw new IllegalStateException(error);
-                    }
-                    PersonalDetails pd = details.iterator().next();
-                    user.details.clear();
-                    user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
-                }
             }
             catch (UserNotFoundException e)
             {
                 user = userPersistence.getPendingUser(principal);
             }
+
+            // Only return user profile info, first and last name.
+            if (detail != null && detail.equalsIgnoreCase("display"))
+            {
+                user.getIdentities().clear();
+                Set<PersonalDetails> details = user.getDetails(PersonalDetails.class);
+                if (details.isEmpty())
+                {
+                    String error = principal.getName() + " missing required PersonalDetails";
+                    throw new IllegalStateException(error);
+                }
+                PersonalDetails pd = details.iterator().next();
+                user.details.clear();
+                user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
+            }
+
         }
-    	
+
     	return user;
     }
 
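Review bot: The "display" block now also runs on the object returned by getPendingUser, and it mutates that object in place (`user.getIdentities().clear()`, `user.details.clear()`) before returning it; if either persistence method hands back a shared or cached instance this would strip identities and details from it for later callers — I cannot tell from the hunk, so worth confirming. Building a fresh User from the two names would avoid the question, and the block reads better as a private helper, e.g. `user = toDisplayUser(user, principal);`. `user.details` is also touched as a bare field while the identities go through a getter; if User offers a mutator for details, use it for consistency. The enclosing method starts before the hunk.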
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
index 49a4bd5d6866f247c608c67b50d852d41a8c4177..e73a9ae960f0fe30961108681ca9c8964c1b34b3 100644
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
@@ -70,6 +70,9 @@ package ca.nrc.cadc.ac.server.web.users;
 
 import ca.nrc.cadc.ac.server.web.SyncOutput;
 import ca.nrc.cadc.auth.AuthenticationUtil;
+import ca.nrc.cadc.auth.ServletPrincipalExtractor;
+import ca.nrc.cadc.auth.X509CertificateChain;
+import ca.nrc.cadc.util.ArrayUtil;
 import ca.nrc.cadc.util.StringUtil;
 import org.apache.log4j.Logger;
 
@@ -84,6 +87,9 @@ import java.io.IOException;
 import java.security.AccessController;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Set;
 
 public class UserServlet extends HttpServlet
 {
@@ -126,7 +132,7 @@ public class UserServlet extends HttpServlet
             // Special case: if the calling subject has a servops X500Principal,
             // AND it is a GET request, do not augment the subject.
             Subject subject;
-            if (action instanceof GetUserAction && isNotAugmentedSubject())
+            if (action instanceof GetUserAction && isNotAugmentedSubject(request))
             {
                 subject = Subject.getSubject(AccessController.getContext());
                 log.debug("subject not augmented: " + subject);
@@ -250,27 +256,24 @@ public class UserServlet extends HttpServlet
         }
     }
 
-    protected boolean isNotAugmentedSubject()
+    protected boolean isNotAugmentedSubject(HttpServletRequest request)
     {
-        boolean notAugmented = false;
-        Subject subject = Subject.getSubject(AccessController.getContext());
-        log.debug("subject: " + subject);
-        if (subject != null)
+        ServletPrincipalExtractor extractor = new ServletPrincipalExtractor(request);
+        Set<Principal> principals = extractor.getPrincipals();
+        log.debug("Principals: " + principals);
+
+        for (Principal principal : principals)
         {
-            log.debug("notAugmentedX500User" + notAugmentedX500User);
-            for (Principal principal : subject.getPrincipals())
+            if (principal instanceof X500Principal)
             {
-                if (principal instanceof X500Principal)
+                if (principal.getName().equalsIgnoreCase(notAugmentedX500User))
                 {
-                    log.debug("principal: " + principal.getName());
-                    if (principal.getName().equalsIgnoreCase(notAugmentedX500User))
-                    {
-                        notAugmented = true;
-                        break;
-                    }
+                    return true;
                 }
             }
         }
-        return notAugmented;
+
+        return false;
+
     }
 }
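Review bot: The match on line `if (principal.getName().equalsIgnoreCase(notAugmentedX500User))` compares the RFC 2253 string from `X500Principal.getName()` against a configured string, so differences in attribute-type case, spacing or RDN ordering between the two spellings make the special case silently stop applying; comparing principals is more robust, e.g. `if (new X500Principal(notAugmentedX500User).equals(principal))`, since `X500Principal.equals` works on canonical form (the constant can be hoisted so it is parsed once). The decision now rests on principals extracted from the request rather than the already-authenticated Subject; if ServletPrincipalExtractor takes the X500Principal only from the container-verified client certificate that is fine, but since the skip-augmentation path grants a privileged service identity, that origin should be confirmed and stated in a comment above the loop. The imports added in the earlier hunks (`X509CertificateChain`, `ArrayUtil`, `X509Certificate`, `Arrays`) are not used in any shown hunk; if they have no other use in the file they should be dropped. The stray blank line before the closing brace can go too.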
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java
index f132ab47a23e4cfefc37606ef875d6377e01ef5f..1812fc7eaa9cc6704f2022fe4b3085fda9eb5a5e 100644
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java
@@ -72,10 +72,13 @@ package ca.nrc.cadc.auth;
 import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence;
+import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.profiler.Profiler;
 import org.apache.log4j.Logger;
 
 import javax.security.auth.Subject;
+
+import java.security.AccessControlException;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
@@ -123,34 +126,31 @@ public class AuthenticatorImpl implements Authenticator
 
     protected void augmentSubject(final Subject subject)
     {
+
         try
         {
-            PrivilegedExceptionAction<Object> action =
-                new PrivilegedExceptionAction<Object>()
-                {
-                    public Object run() throws Exception
-                    {
-                        try
-                        {
-                            LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>();
-                            User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next());
-                            subject.getPrincipals().addAll(user.getIdentities());
-                        }
-                        catch (UserNotFoundException e)
-                        {
-                            // ignore, could be an anonymous user
-                        }
-                        return null;
-                    }
-                };
-
-            Subject.doAs(subject, action);
+            LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>();
+            User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next());
+            if (user.getIdentities() != null)
+            {
+                log.debug("Found " + user.getIdentities().size() + " principals after agument");
+            }
+            else
+            {
+                log.debug("Null identities after augment");
+            }
+            subject.getPrincipals().addAll(user.getIdentities());
         }
-        catch (PrivilegedActionException e)
+        catch (UserNotFoundException e)
         {
-            String msg = "Error augmenting subject " + subject;
-            throw new RuntimeException(msg, e);
+            // ignore, could be an anonymous user
+            log.debug("could not find user for augmenting", e);
         }
+        catch (TransientException e)
+        {
+            throw new IllegalStateException("Internal error", e);
+        }
+
     }
 
 }
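Review bot: `subject.getPrincipals().iterator().next()` throws NoSuchElementException on a subject with no principals, which is exactly the anonymous case the `UserNotFoundException` handler says it wants to tolerate; the guard needs to come before the lookup. The null check on `user.getIdentities()` only logs and then calls `addAll(user.getIdentities())` regardless, so the null branch still ends in a NullPointerException — the addAll belongs inside the non-null branch. Which principal the set yields first is unspecified and is unchanged from the removed code, but a comment stating which principal type is expected there would help; the added `java.security.AccessControlException` import is not used in the shown hunk.
```java
    protected void augmentSubject(final Subject subject)
    {
        // Anonymous subjects carry no principal; nothing to look up.
        if (subject.getPrincipals().isEmpty())
        {
            return;
        }

        try
        {
            LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>();
            User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next());
            if (user.getIdentities() != null)
            {
                log.debug("Found " + user.getIdentities().size() + " principals after agument");
                subject.getPrincipals().addAll(user.getIdentities());
            }
            else
            {
                log.debug("Null identities after augment");
            }
        }
        // … unchanged: UserNotFoundException and TransientException handlers …
```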
diff --git a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java
index 732e406596b8cadc758526c86342742ebd4ccd1c..2e64ba5f286d43d54fc6d9f6d2573d121de8c981 100644
--- a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java
+++ b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java
@@ -79,6 +79,7 @@ import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserDetails;
 import ca.nrc.cadc.ac.UserRequest;
 import ca.nrc.cadc.ac.WriterException;
+import ca.nrc.cadc.auth.DNPrincipal;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.auth.IdentityType;
 import ca.nrc.cadc.auth.NumericPrincipal;
@@ -266,6 +267,10 @@ public abstract class AbstractReaderWriter
         {
             principal = new X500Principal(identity);
         }
+        else if (type.equals(IdentityType.ENTRY_DN.getValue()))
+        {
+            principal = new DNPrincipal(identity);
+        }
         else
         {
             String error = "Unknown type attribute: " + type;
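Review bot: The new branch constructs a DNPrincipal directly from the document's identity value; if this reader is also applied to client-supplied user documents (not visible from the hunk), an ENTRY_DN identity becomes caller-controlled and whatever consumes it must treat it as a claim rather than as the authoritative LDAP entry DN. I would add a line to the Javadoc of the enclosing method (which starts above the hunk) such as `ENTRY_DN identities are server-assigned; callers parsing client input must not rely on them for lookups or authorization.` The mirrored writer branch further down uses doubled parentheses, `else if ((identity instanceof DNPrincipal))`, unlike its neighbours — `else if (identity instanceof DNPrincipal)` matches the file's style.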
@@ -729,6 +734,10 @@ public abstract class AbstractReaderWriter
         {
             identityElement.setAttribute("type", IdentityType.X500.getValue());
         }
+        else if ((identity instanceof DNPrincipal))
+        {
+            identityElement.setAttribute("type", IdentityType.ENTRY_DN.getValue());
+        }
         else
         {
             String error = "Unsupported Principal type " +