SEC-1670: Take account of JNDI CompositeName escaping in value of SearchResult.getName() when performing a search for a user entry in SpringSecurityLdapTemplate.

tekul · tekul · commit a790c7e19249 · 2011-02-03T17:57:43.000Z
diff --git a/ldap/slapd.conf b/ldap/slapd.conf
@@ -44,8 +44,8 @@ access to dn.subtree="ou=users,dc=qbe,dc=com"
   by *        read
 
 
-overlay ppolicy
-ppolicy_default "cn=default,ou=policies,dc=springsource,dc=com"
-ppolicy_use_lockout
-ppolicy_hash_cleartext
+#overlay ppolicy
+#ppolicy_default "cn=default,ou=policies,dc=springsource,dc=com"
+#ppolicy_use_lockout
+#ppolicy_hash_cleartext
 
diff --git a/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java b/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java
@@ -20,6 +20,7 @@
 import java.util.HashSet;
 import java.util.Set;
 
+import javax.naming.CompositeName;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.PartialResultException;
@@ -208,7 +209,7 @@ public Object executeWithContext(DirContext ctx) throws NamingException {
                         while (resultsEnum.hasMore()) {
                             SearchResult searchResult = resultsEnum.next();
                             // Work out the DN of the matched entry
-                            DistinguishedName dn = new DistinguishedName(searchResult.getName());
+                            DistinguishedName dn = new DistinguishedName(new CompositeName(searchResult.getName()));
 
                             if (base.length() > 0) {
                                 dn.prepend(searchBaseDn);
diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/BindAuthenticator.java
@@ -113,6 +113,8 @@ private DirContextOperations bindWithDn(String userDnStr, String username, Strin
             // Check for password policy control
             PasswordPolicyControl ppolicy = PasswordPolicyControlExtractor.extractControl(ctx);
 
+            logger.debug("Retrieving attributes...");
+
             Attributes attrs = ctx.getAttributes(userDn, getUserAttributes());
 
             DirContextAdapter result = new DirContextAdapter(attrs, userDn, ctxSource.getBaseLdapPath());
diff --git a/ldap/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java b/ldap/src/test/java/org/springframework/security/ldap/AbstractLdapIntegrationTests.java
@@ -48,7 +48,7 @@ protected AbstractLdapIntegrationTests() {
     @BeforeClass
     public static void startServer() throws Exception {
         contextSource = new DefaultSpringSecurityContextSource("ldap://127.0.0.1:53389/dc=springframework,dc=org");
-// OpenLDAP option
+// OpenLDAP configuration
 //        contextSource = new DefaultSpringSecurityContextSource("ldap://127.0.0.1:22389/dc=springsource,dc=com");
 //        contextSource.setUserDn("cn=admin,dc=springsource,dc=com");
 //        contextSource.setPassword("password");
diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java
@@ -82,7 +82,9 @@ public void testAuthenticationWithUserSearch() throws Exception {
         authenticator.authenticate(new UsernamePasswordAuthenticationToken("slash/guy", "slashguyspassword"));
         // SEC-1661
         authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=\\\"quoted people\\\"", "(cn={0})", getContextSource()));
-        authenticator.authenticate(new UsernamePasswordAuthenticationToken("quoteguy", "quoteguyspassword"));
+        authenticator.authenticate(new UsernamePasswordAuthenticationToken("quote\"guy", "quoteguyspassword"));
+        authenticator.setUserSearch(new FilterBasedLdapUserSearch("", "(cn={0})", getContextSource()));
+        authenticator.authenticate(new UsernamePasswordAuthenticationToken("quote\"guy", "quoteguyspassword"));
     }
 /*
     @Test
diff --git a/ldap/src/test/resources/test-server.ldif b/ldap/src/test/resources/test-server.ldif
@@ -73,12 +73,12 @@ sn: Slash
 uid: slashguy
 userPassword: slashguyspassword
 
-dn: cn=quoteguy,ou=\"quoted people\",dc=springframework,dc=org
+dn: cn=quote\"guy,ou=\"quoted people\",dc=springframework,dc=org
 objectclass: top
 objectclass: person
 objectclass: organizationalPerson
 objectclass: inetOrgPerson
-cn: quoteguy
+cn: quote\"guy
 sn: Quote
 uid: quoteguy
 userPassword: quoteguyspassword
