Re: JSTL issue
On 13/04/2021 20:17, Jean-Louis MONTEIRO wrote:
> Hi guys,
>
> I have one JSTL issue and I'd need your feedback on it.
> https://github.com/eclipse-ee4j/jstl-api/issues/140
>
> Can you guys have a look and let me know what you think?

That looks like a side-effect of the various improvements we made to the Default Servlet to do a better job of including content with a variety of (potentially incompatible) encodings.

Generally, I'd expect the BoM to be skipped. Historically, Tomcat didn't skip the BoM, so the original golden file was generated on that basis.

Mark

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1888741 - in /tomcat/site/trunk: docs/presentations.html xdocs/presentations.xml
Author: schultz Date: Tue Apr 13 19:30:47 2021 New Revision: 1888741 URL: http://svn.apache.org/viewvc?rev=1888741=rev Log: Add links to slides where known. Remove old topic proposal. Modified: tomcat/site/trunk/docs/presentations.html tomcat/site/trunk/xdocs/presentations.xml Modified: tomcat/site/trunk/docs/presentations.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/presentations.html?rev=1888741=1888740=1888741=diff == --- tomcat/site/trunk/docs/presentations.html (original) +++ tomcat/site/trunk/docs/presentations.html Tue Apr 13 19:30:47 2021 @@ -25,7 +25,6 @@ mailing list. for sysadmins : how to set up Tomcat logging tools and formulas for tuning Tomcat for specific load scenarios when and how to generate heap dumps, and how to (roughly) interpret them -Hardening Tomcat to make it more secure @@ -42,6 +41,7 @@ li.targeted { State of the Cat - Mark Thomas, +http://people.apache.org/~markt/presentations/2020-09-29-state-of-the-cat.pdf;>slides, https://www.youtube.com/watch?v=uDy-Dwexy2Q;>video @@ -58,6 +58,7 @@ li.targeted { Split your Tomcat Installation for Easier Upgrades - Christopher Schultz, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Splitting%20Your%20Tomcat%20Installation.pdf;>slides, https://www.youtube.com/watch?v=nu229pb09D0;>video @@ -74,6 +75,7 @@ li.targeted { Migrating from AJP to HTTP: It's About Time - Christopher Schultz, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Migrating%20from%20AJP%20to%20HTTP.pdf;>slides, https://www.youtube.com/watch?v=qUjUEvGFstI;>video @@ -82,6 +84,7 @@ li.targeted { Getting Started Hacking Tomcat - Christopher Schultz, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Getting%20Started%20Hacking%20Tomcat.pdf;>slides, https://www.youtube.com/watch?v=O2wXAldxQWA;>video 
@@ -90,6 +93,7 @@ li.targeted { Openly Handling Security Vulnerabilities (QA/Panel) - Mark Thomas, Christopher Schultz, Coty Sutherland, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Openly%20Handling%20Security%20Vulnerabilities.pdf;>slides, https://www.youtube.com/watch?v=tGjyX6meGcA;>video Modified: tomcat/site/trunk/xdocs/presentations.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/presentations.xml?rev=1888741=1888740=1888741=diff == --- tomcat/site/trunk/xdocs/presentations.xml (original) +++ tomcat/site/trunk/xdocs/presentations.xml Tue Apr 13 19:30:47 2021 @@ -31,7 +31,6 @@ mailing list. for sysadmins : how to set up Tomcat logging tools and formulas for tuning Tomcat for specific load scenarios when and how to generate heap dumps, and how to (roughly) interpret them -Hardening Tomcat to make it more secure @@ -48,6 +47,7 @@ li.targeted { State of the Cat - Mark Thomas, +http://people.apache.org/~markt/presentations/2020-09-29-state-of-the-cat.pdf;>slides, https://www.youtube.com/watch?v=uDy-Dwexy2Q;>video @@ -64,6 +64,7 @@ li.targeted { Split your Tomcat Installation for Easier Upgrades - Christopher Schultz, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Splitting%20Your%20Tomcat%20Installation.pdf;>slides, https://www.youtube.com/watch?v=nu229pb09D0;>video @@ -80,6 +81,7 @@ li.targeted { Migrating from AJP to HTTP: It's About Time - Christopher Schultz, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Migrating%20from%20AJP%20to%20HTTP.pdf;>slides, https://www.youtube.com/watch?v=qUjUEvGFstI;>video @@ -88,6 +90,7 @@ li.targeted { Getting Started Hacking Tomcat - Christopher Schultz, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Getting%20Started%20Hacking%20Tomcat.pdf;>slides, https://www.youtube.com/watch?v=O2wXAldxQWA;>video 
@@ -96,6 +99,7 @@ li.targeted { Openly Handling Security Vulnerabilities (QA/Panel) - Mark Thomas, Christopher Schultz, Coty Sutherland, +https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Openly%20Handling%20Security%20Vulnerabilities.pdf;>slides, https://www.youtube.com/watch?v=tGjyX6meGcA;>video
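Review bot: In the "State of the Cat" entry, in both docs/presentations.html and xdocs/presentations.xml, the added slides link is `http://people.apache.org/~markt/presentations/2020-09-29-state-of-the-cat.pdf`, while every other slides link added by this commit uses `https://people.apache.org/...`. Switch it to https so the slides are not linked over plaintext HTTP.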
[Bug 65240] New: Multi line CATALINA_OPTS is failing in with new catalina.sh
https://bz.apache.org/bugzilla/show_bug.cgi?id=65240

Bug ID: 65240
Summary: Multi line CATALINA_OPTS is failing in with new catalina.sh
Product: Tomcat 7
Version: 7.0.108
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Integration
Assignee: dev@tomcat.apache.org
Reporter: e...@wp.pl
Target Milestone: ---

Steps:
1. Add setenv.sh with multiline variable.
2. Run tomcat (e.g. via init.d script).

In the log I got things like:

/usr/share/apache-tomcat-7.0.108/bin/catalina.sh: line 509: -Dfile.encoding=UTF-8: command not found

This is with `setenv.sh` more or less like this:
```
if [ "$1" != "stop" ] ; then
    CATALINA_OPTS="$CATALINA_OPTS
        -Xms512m
        -Xmx1800m
        -XX:MaxPermSize=512m
        -XX:NewRatio=4
        -XX:+UseCompressedOops
        -Dcom.sun.management.jmxremote
        -Dfile.encoding=UTF-8
    "
fi
```
There were more options but I guess any lines will be a problem there.

The solution for me was to change evals to something like:
```
eval exec "\"$_RUNJDB\"" "\"$CATALINA_LOGGING_CONFIG\"" $LOGGING_MANAGER "$JAVA_OPTS" $CATALINA_OPTS \
```
So basically replace `"$CATALINA_OPTS"` with `$CATALINA_OPTS`.

Not sure why this was changed to a quoted var? Seems to have worked fine before. At least for us ;-)
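Why the quoted form breaks on a multi-line value while the unquoted one does not, as an added example that is not part of the bug report or of catalina.sh. `fake_java`, `SAMPLE_OPTS` and the `flatten_opts` alternative are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not taken from catalina.sh or from the bug report.

# Constructed sample: a multi-line option string shaped like the reporter's value.
SAMPLE_OPTS="-Xms512m -Xmx1800m
-XX:NewRatio=4
-Dfile.encoding=UTF-8
"

# Hypothetical stand-in for the JVM launcher: reports how many arguments reached it.
fake_java() {
    echo "argc=$#"
}

# Quoted expansion under eval (the form the report says the new catalina.sh uses).
# The quotes carry the newlines through the first expansion unchanged; eval then
# re-parses the joined text, and every newline in it ends a command.
launch_quoted() {
    eval fake_java "$1"
}

# Unquoted expansion under eval (the reporter's workaround). Field splitting turns
# spaces and newlines alike into argument breaks before eval sees the text.
# Side effect: the value is also subject to pathname expansion at this point.
launch_unquoted() {
    # shellcheck disable=SC2086
    eval fake_java $1
}

# Assumed alternative: keep the quotes but fold newlines into spaces first,
# for example as the last step of setenv.sh.
flatten_opts() {
    printf '%s' "$1" | tr '\n' ' '
}

launch_flattened() {
    eval fake_java "$(flatten_opts "$1")"
}

# Stand-alone demonstration.
echo "quoted:"
launch_quoted "$SAMPLE_OPTS" || echo "  -> exit status $?"
echo "unquoted:  $(launch_unquoted "$SAMPLE_OPTS")"
echo "flattened: $(launch_flattened "$SAMPLE_OPTS")"
```

In all three forms `eval` parses the option text as shell input, so `setenv.sh` should be writable only by the account that administers Tomcat.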
JSTL issue
Hi guys, I have one JSTL issue and I'd need your feedback on it. https://github.com/eclipse-ee4j/jstl-api/issues/140 Can you guys have a look and let me know what you think? -- Jean-Louis
buildbot failure in on tomcat-85-trunk
The Buildbot has detected a new failure on builder tomcat-85-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-85-trunk/builds/2691 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-85-commit' triggered this build Build Source Stamp: [branch 8.5.x] 40a13688f35508f1e7a1b3251e06c1c7062e5218 Blamelist: Christopher Schultz BUILD FAILED: failed shell_8 Sincerely, -The Buildbot
[tomcat] branch 7.0.x updated: Fix typo
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new 402eb6b Fix typo 402eb6b is described below commit 402eb6bd2d9b3fafe434f858304898b51b9b85e4 Author: Christopher Schultz AuthorDate: Tue Apr 13 14:03:22 2021 -0400 Fix typo --- webapps/docs/manager-howto.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml index 6b03e00..32d537f 100644 --- a/webapps/docs/manager-howto.xml +++ b/webapps/docs/manager-howto.xml @@ -1017,7 +1017,7 @@ on each of deployed web applications will be available. -The JXMProxyServlet also supports a "get" command that you can use to +The JMXProxyServlet also supports a "get" command that you can use to fetch the value of a specific MBean's attribute. The general form of the get command is:
[tomcat] branch 8.5.x updated: Fix typo
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 40a1368 Fix typo 40a1368 is described below commit 40a13688f35508f1e7a1b3251e06c1c7062e5218 Author: Christopher Schultz AuthorDate: Tue Apr 13 14:03:22 2021 -0400 Fix typo --- webapps/docs/manager-howto.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml index 059b939..0a88e72 100644 --- a/webapps/docs/manager-howto.xml +++ b/webapps/docs/manager-howto.xml @@ -1114,7 +1114,7 @@ on each of deployed web applications will be available. -The JXMProxyServlet also supports a "get" command that you can use to +The JMXProxyServlet also supports a "get" command that you can use to fetch the value of a specific MBean's attribute. The general form of the get command is:
[tomcat] branch master updated: Fix typo
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new b7c1897 Fix typo b7c1897 is described below commit b7c1897a950b2608dbbd54f024173ad9ae40fcfd Author: Christopher Schultz AuthorDate: Tue Apr 13 14:03:22 2021 -0400 Fix typo --- webapps/docs/manager-howto.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml index a854266..f0ef4fd 100644 --- a/webapps/docs/manager-howto.xml +++ b/webapps/docs/manager-howto.xml @@ -1128,7 +1128,7 @@ on each of deployed web applications will be available. -The JXMProxyServlet also supports a "get" command that you can use to +The JMXProxyServlet also supports a "get" command that you can use to fetch the value of a specific MBean's attribute. The general form of the get command is:
[GitHub] [tomcat] efge commented on pull request #406: Improve the SSLValve so it is able to handle the ssl_client_escaped_cert header from Nginx
efge commented on pull request #406: URL: https://github.com/apache/tomcat/pull/406#issuecomment-818892057 (force-pushed to rebase and fix conflicts in changelog.xml) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
buildbot success in on tomcat-85-trunk
The Buildbot has detected a restored build on builder tomcat-85-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-85-trunk/builds/2690 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-85-commit' triggered this build Build Source Stamp: [branch 8.5.x] a78afd02bbae333f8fb98bd75b9b04599159d34c Blamelist: Mark Thomas Build succeeded! Sincerely, -The Buildbot
buildbot success in on tomcat-9-trunk
The Buildbot has detected a restored build on builder tomcat-9-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-9-trunk/builds/730 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-9-commit' triggered this build Build Source Stamp: [branch 9.0.x] 0fc92265fa0c8751f7f72d9390443f1e6cabbcf1 Blamelist: Mark Thomas Build succeeded! Sincerely, -The Buildbot
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/5789 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch master] e3c5de01a556dd4e81eaecc75806cebe558d8c1c Blamelist: Mark Thomas Build succeeded! Sincerely, -The Buildbot
svn commit: r1888737 - in /tomcat/site/trunk: docs/legal.html xdocs/legal.xml
Author: fschumacher Date: Tue Apr 13 15:51:05 2021 New Revision: 1888737 URL: http://svn.apache.org/viewvc?rev=1888737=rev Log: a late Happy New Year :) Modified: tomcat/site/trunk/docs/legal.html tomcat/site/trunk/xdocs/legal.xml Modified: tomcat/site/trunk/docs/legal.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/legal.html?rev=1888737=1888736=1888737=diff == --- tomcat/site/trunk/docs/legal.html (original) +++ tomcat/site/trunk/docs/legal.html Tue Apr 13 15:51:05 2021 
@@ -4,7 +4,7 @@ Apache TomcatHomeTaglibsMaven PluginDownloadWhich version?https://tomcat.apache.org/download-10.cgi;>Tomcat 10https://tomcat.apache.org/download-90.cgi;>Tomcat 9https://tomcat.apache.org/download-80.cgi;>Tomcat 8https://tomcat.apache.org/download-70.cgi;>Tomcat 7https://tomcat.apache.org/download-migration.cgi;>Tomcat Migration Tool for Jakarta EEhttps://tomcat.apache.org/download-connectors.cgi;>Tomcat Connectorshttps://tomcat.apache.org/download-native.cgi;>Tomcat Nativehttps://tomcat.apache.org/download-taglibs.cgi;>Taglibshttps://archive.apache.org/dist/tomcat/;>A rchivesDocumentationTomcat 10.0Tomcat 9.0Tomcat 8.5Tomcat 7.0Tomcat ConnectorsTomcat Nativehttps://cwiki.apache.org/confluence/display/TOMCAT;>WikiMigration GuidePresentationshttps://cwiki.apache.org/confluence/x/Bi8lBg;>SpecificationsProblems?Security ReportsFind helphttps://cwiki.apache.org/confluence/display/TOMCAT/FAQ;>FAQMailing ListsBug Databas eIRCGet InvolvedOverviewSource codeBuildbothttps://cwiki.apache.org/confluence/x/vIPzBQ;>TranslationsToolsMediahttps://twitter.com/theapachetomcat;>Twitterhttps://www.youtube.com/c/ApacheTomcatOfficial;>YouTubehttps://blogs.apache.org/tomcat/;>BlogMiscWho We Arehttps://www.redbubble.com/people/comdev/works/30885254-apache-tomcat;>SwagHeritagehttp://www.apache.org;>Apache HomeResourcesContactLegal< /li>https://www.apache.org/foundation/contributing.html;>Support Apachehttps://www.apache.org/foundation/sponsorship.html;>Sponsorshiphttp://www.apache.org/foundation/thanks.html;>Thankshttp://www.apache.org/licenses/;>LicenseContentLegal Stuff They Make Us Say -All material on this website is Copyright 1999-2020, The Apache +All material on this website is Copyright 1999-2021, The Apache Software Foundation Modified: tomcat/site/trunk/xdocs/legal.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/legal.xml?rev=1888737=1888736=1888737=diff == --- tomcat/site/trunk/xdocs/legal.xml (original) +++ tomcat/site/trunk/xdocs/legal.xml Tue Apr 
13 15:51:05 2021 @@ -11,7 +11,7 @@ -All material on this website is Copyright 1999-2020, The Apache +All material on this website is Copyright 1999-2021, The Apache Software Foundation
svn commit: r1888736 - in /tomcat/site/trunk: docs/presentations.html docs/sitemap-main.xml xdocs/presentations.xml xdocs/sitemap-main.xml
Author: fschumacher Date: Tue Apr 13 15:43:22 2021 New Revision: 1888736 URL: http://svn.apache.org/viewvc?rev=1888736=rev Log: Add presentations for ApacheCon @Home 2020 Modified: tomcat/site/trunk/docs/presentations.html tomcat/site/trunk/docs/sitemap-main.xml tomcat/site/trunk/xdocs/presentations.xml tomcat/site/trunk/xdocs/sitemap-main.xml Modified: tomcat/site/trunk/docs/presentations.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/presentations.html?rev=1888736=1888735=1888736=diff == --- tomcat/site/trunk/docs/presentations.html (original) +++ tomcat/site/trunk/docs/presentations.html Tue Apr 13 15:43:22 2021 
@@ -38,6 +38,62 @@ li.targeted { transition:ease-in-out 1s; } +ApacheCon @Home 2020 + + +State of the Cat - Mark Thomas, +https://www.youtube.com/watch?v=uDy-Dwexy2Q;>video + + +Lost in the Docs - Felix Schumacher, +https://www.youtube.com/watch?v=pSU0l5kbcJ8;>video + + +Deploying a Production Instance - Andrew Carr, +https://www.youtube.com/watch?v=V75wPfhYsj4;>video + + +HTTP/2, HTTP/3, and SSL/TLS State of the Art in our Servers (httpd, Traffic Server, and Tomcat) - Jean-Frederic Clere, +https://www.youtube.com/watch?v=xzqOU6ILJzQ;>video + + +Split your Tomcat Installation for Easier Upgrades - Christopher Schultz, +https://www.youtube.com/watch?v=nu229pb09D0;>video + + +Tomcat: New and Upcoming - Rmy Maucherat, +https://www.youtube.com/watch?v=L5PFoJyS-aU;>video + + +Reverse-Proxying with nginx - Igal Sapir, +https://www.youtube.com/watch?v=8e1V9tVwNR8;>video + + +Tomcat: From a Cluster to a Cloud - Jean-Frederic Clere, +https://www.youtube.com/watch?v=COsTWphp2fk;>video + + +Migrating from AJP to HTTP: It's About Time - Christopher Schultz, +https://www.youtube.com/watch?v=qUjUEvGFstI;>video + + +Tomcat 10 and Jakarta EE - Mark Thomas, +https://www.youtube.com/watch?v=10PkrWRPgPU;>video + + +Getting Started Hacking Tomcat - Christopher Schultz, +https://www.youtube.com/watch?v=O2wXAldxQWA;>video + + +Apache Tomcat and Spring Boot - Andrew Carr, +https://www.youtube.com/watch?v=Nk-rKXQC0BU;>video + + +Openly Handling Security Vulnerabilities (QA/Panel) - Mark Thomas, Christopher Schultz, Coty Sutherland, +https://www.youtube.com/watch?v=tGjyX6meGcA;>video + + + Webinar Series 2020 Modified: tomcat/site/trunk/docs/sitemap-main.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/sitemap-main.xml?rev=1888736=1888735=1888736=diff == --- tomcat/site/trunk/docs/sitemap-main.xml (original) +++ tomcat/site/trunk/docs/sitemap-main.xml Tue Apr 13 15:43:22 2021 
@@ -177,6 +177,11 @@ 0.4 +http://tomcat.apache.org/presentations.html +monthly +0.4 + + http://tomcat.apache.org/whoweare.html weekly 0.5 @@ -186,4 +191,4 @@ weekly 0.5 - \ No newline at end of file + Modified: tomcat/site/trunk/xdocs/presentations.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/presentations.xml?rev=1888736=1888735=1888736=diff == --- tomcat/site/trunk/xdocs/presentations.xml (original) +++ tomcat/site/trunk/xdocs/presentations.xml Tue Apr 13 15:43:22 2021 @@ -44,6 +44,62 @@ li.targeted { transition:ease-in-out 1s; } + + + +State of the Cat - Mark Thomas, +https://www.youtube.com/watch?v=uDy-Dwexy2Q;>video + + +Lost in the Docs - Felix Schumacher, +https://www.youtube.com/watch?v=pSU0l5kbcJ8;>video + + +Deploying a Production Instance - Andrew Carr, +https://www.youtube.com/watch?v=V75wPfhYsj4;>video + + +HTTP/2, HTTP/3, and SSL/TLS State of the Art in our Servers (httpd, Traffic Server, and Tomcat) - Jean-Frederic Clere, +https://www.youtube.com/watch?v=xzqOU6ILJzQ;>video + + +Split your Tomcat Installation for Easier Upgrades - Christopher Schultz, +https://www.youtube.com/watch?v=nu229pb09D0;>video + + +Tomcat: New and Upcoming - Rémy Maucherat, +https://www.youtube.com/watch?v=L5PFoJyS-aU;>video + + +Reverse-Proxying with nginx - Igal Sapir, +https://www.youtube.com/watch?v=8e1V9tVwNR8;>video + + +Tomcat: From a Cluster to a Cloud - Jean-Frederic Clere, +https://www.youtube.com/watch?v=COsTWphp2fk;>video + + +Migrating from AJP to HTTP: It's About Time - Christopher Schultz, +https://www.youtube.com/watch?v=qUjUEvGFstI;>video + + +Tomcat 10 and Jakarta EE - Mark Thomas, +https://www.youtube.com/watch?v=10PkrWRPgPU;>video + + +Getting Started Hacking Tomcat - Christopher Schultz, +https://www.youtube.com/watch?v=O2wXAldxQWA;>video + + +Apache Tomcat and Spring Boot -
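Review bot: In the docs/presentations.html hunk the speaker for "Tomcat: New and Upcoming" reads "Rmy Maucherat", while the xdocs/presentations.xml hunk has "Rémy Maucherat". Check that the generated HTML keeps the accented character, either as a character entity or in the page's declared encoding, and regenerate docs/ from xdocs/ if it does not.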
[tomcat] branch 9.0.x updated: Add unboundid.jar to test class path so new tests can compile
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 0fc9226 Add unboundid.jar to test class path so new tests can compile 0fc9226 is described below commit 0fc92265fa0c8751f7f72d9390443f1e6cabbcf1 Author: Mark Thomas AuthorDate: Tue Apr 13 16:23:59 2021 +0100 Add unboundid.jar to test class path so new tests can compile --- build.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/build.xml b/build.xml index b186186..ecc7511 100644 --- a/build.xml +++ b/build.xml @@ -256,6 +256,7 @@ +
[tomcat] branch 8.5.x updated: Add unboundid.jar to test class path so new tests can compile
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new a78afd0 Add unboundid.jar to test class path so new tests can compile a78afd0 is described below commit a78afd02bbae333f8fb98bd75b9b04599159d34c Author: Mark Thomas AuthorDate: Tue Apr 13 16:23:59 2021 +0100 Add unboundid.jar to test class path so new tests can compile --- build.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/build.xml b/build.xml index fffa5c1..461eac7 100644 --- a/build.xml +++ b/build.xml @@ -246,6 +246,7 @@ +
[tomcat] branch master updated: Add unboundid.jar to test class path so new tests can compile
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new e3c5de0 Add unboundid.jar to test class path so new tests can compile e3c5de0 is described below commit e3c5de01a556dd4e81eaecc75806cebe558d8c1c Author: Mark Thomas AuthorDate: Tue Apr 13 16:23:59 2021 +0100 Add unboundid.jar to test class path so new tests can compile --- build.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/build.xml b/build.xml index 835cc36..e2f57e0 100644 --- a/build.xml +++ b/build.xml @@ -257,6 +257,7 @@ +
[tomcat] branch 7.0.x updated (7115dc3 -> e21eb47)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git. from 7115dc3 Corrected instructions to reduce unit tests verbosity new 0f544f1 Code alignment with 8.5.x - no functional change new e21eb47 Fix BZ 65224. Correct escaping in JNDIRealm The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: java/org/apache/catalina/realm/JNDIRealm.java | 875 +- webapps/docs/changelog.xml| 4 + 2 files changed, 447 insertions(+), 432 deletions(-)
[tomcat] 02/02: Fix BZ 65224. Correct escaping in JNDIRealm
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e21eb4764ccda55e5a35a5a7c19a6fd2b0757fe9 Author: Mark Thomas AuthorDate: Tue Apr 13 16:09:56 2021 +0100 Fix BZ 65224. Correct escaping in JNDIRealm --- java/org/apache/catalina/realm/JNDIRealm.java | 161 ++ webapps/docs/changelog.xml| 4 + 2 files changed, 142 insertions(+), 23 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index a9032cf..6425194 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -205,13 +205,11 @@ public class JNDIRealm extends RealmBase { */ protected String connectionURL = null; - /** * The directory context linking us to our directory server. */ protected DirContext context = null; - /** * The JNDI context factory used to acquire our InitialContext. By * default, assumes use of an LDAP server using the standard JNDI LDAP @@ -291,7 +289,6 @@ public class JNDIRealm extends RealmBase { */ protected MessageFormat userSearchFormat = null; - /** * Should we search the entire subtree for matching users? */ @@ -915,8 +912,7 @@ public class JNDIRealm extends RealmBase { int len = this.userPatternArray.length; userPatternFormatArray = new MessageFormat[len]; for (int i=0; i < len; i++) { -userPatternFormatArray[i] = -new MessageFormat(userPatternArray[i]); +userPatternFormatArray[i] = new MessageFormat(userPatternArray[i]); } } } @@ -1462,7 +1458,7 @@ public class JNDIRealm extends RealmBase { * @exception NamingException if a directory server error occurs */ protected User getUser(DirContext context, String username, String credentials, int curUserPattern) - throws NamingException { +throws NamingException { User user = null; 
@@ -1589,8 +1585,11 @@ public class JNDIRealm extends RealmBase { return null; } -// Form the dn from the user pattern -String dn = userPatternFormatArray[curUserPattern].format(new String[] { username }); +// Form the DistinguishedName from the user pattern. +// Escape in case username contains a character with special meaning in +// an attribute value. +String dn = userPatternFormatArray[curUserPattern].format( +new String[] { doAttributeValueEscaping(username) }); try { user = getUserByPattern(context, username, attrIds, dn); @@ -1630,7 +1629,9 @@ public class JNDIRealm extends RealmBase { } // Form the search filter -String filter = userSearchFormat.format(new String[] { username }); +// Escape in case username contains a character with special meaning in +// a search filter. +String filter = userSearchFormat.format(new String[] { doFilterEscaping(username) }); // Set up the search controls SearchControls constraints = new SearchControls(); @@ -1798,6 +1799,8 @@ public class JNDIRealm extends RealmBase { return false; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); if (dn == null) { return false; @@ -1888,7 +1891,11 @@ public class JNDIRealm extends RealmBase { return null; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); +// This is the name the user provided to the authentication process so +// it will not be escaped String username = user.getUserName(); String userRoleId = user.getUserRoleId(); 
@@ -1920,8 +1927,13 @@ public class JNDIRealm extends RealmBase { return list; } -// Set up parameters for an appropriate search -String filter = roleFormat.format(new String[] { doRFC2254Encoding(dn), username, userRoleId }); +// Set up parameters for an appropriate search filter +// The dn is already attribute value escaped but the others are not +// This is a filter so all input will require filter escaping +String filter = roleFormat.format(new String[] { +doFilterEscaping(dn), +doFilterEscaping(doAttributeValueEscaping(username)), +doFilterEscaping(doAttributeValueEscaping(userRoleId)) }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); @@ -1936,7 +1948,9 @@
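Review bot: In the role search hunk (-1920,8 +1927,13), `username` and `userRoleId` are passed through `doAttributeValueEscaping` and then `doFilterEscaping`, but the new comment only says they are "not" escaped yet, not why attribute value escaping is wanted inside a search filter. If a `roleFormat` pattern compares {1} or {2} against a plain attribute value rather than embedding it in a DN, the extra layer changes the value being matched. State the intended use of {1} and {2} in the comment, and add a test with a user name containing a character that both escapers rewrite.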
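Review bot: The hunks at -205, -291, -915 and -1462 only delete blank lines or re-wrap and re-indent existing code, yet they ride along with the escaping fix. Moving them into the preceding "Code alignment with 8.5.x" commit would leave this diff with nothing but the escaping change, which is easier to audit and to backport.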
[tomcat] 01/02: Code alignment with 8.5.x - no functional change
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 0f544f1b9a8f686346135a3cc8765c3179a6af2b Author: Mark Thomas AuthorDate: Tue Apr 13 16:01:13 2021 +0100 Code alignment with 8.5.x - no functional change --- java/org/apache/catalina/realm/JNDIRealm.java | 718 +++--- 1 file changed, 307 insertions(+), 411 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index aef4053..a9032cf 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -183,7 +183,6 @@ import org.ietf.jgss.GSSName; */ public class JNDIRealm extends RealmBase { - // - Instance Variables /** @@ -196,13 +195,11 @@ public class JNDIRealm extends RealmBase { */ protected String connectionName = null; - /** * The connection password for the server we will contact. */ protected String connectionPassword = null; - /** * The connection URL for the server we will contact. */ @@ -222,7 +219,6 @@ public class JNDIRealm extends RealmBase { */ protected String contextFactory = "com.sun.jndi.ldap.LdapCtxFactory"; - /** * How aliases should be dereferenced during search operations. */ @@ -237,13 +233,13 @@ public class JNDIRealm extends RealmBase { /** * Descriptive information about this Realm implementation. */ -protected static final String info = -"org.apache.catalina.realm.JNDIRealm/1.0"; - +protected static final String info = "org.apache.catalina.realm.JNDIRealm/1.0"; /** * Descriptive information about this Realm implementation. + * @deprecated This will be removed in Tomcat 9 onwards. */ +@Deprecated protected static final String name = "JNDIRealm"; 
@@ -253,7 +249,6 @@ public class JNDIRealm extends RealmBase { */ protected String protocol = null; - /** * Should we ignore PartialResultExceptions when iterating over NamingEnumerations? * Microsoft Active Directory often returns referrals, which lead @@ -263,7 +258,6 @@ public class JNDIRealm extends RealmBase { */ protected boolean adCompat = false; - /** * How should we handle referrals? Microsoft Active Directory often returns * referrals. If you need to follow them set referrals to "follow". @@ -272,20 +266,17 @@ public class JNDIRealm extends RealmBase { */ protected String referrals = null; - /** * The base element for user searches. */ protected String userBase = ""; - /** * The message format used to search for a user, with "{0}" marking * the spot where the username goes. */ protected String userSearch = null; - /** * When searching for users, should the search be performed as the user * currently being authenticated? If false, {@link #connectionName} and @@ -294,7 +285,6 @@ public class JNDIRealm extends RealmBase { */ private boolean userSearchAsUser = false; - /** * The MessageFormat object associated with the current * userSearch. @@ -307,7 +297,6 @@ public class JNDIRealm extends RealmBase { */ protected boolean userSubtree = false; - /** * The attribute name used to retrieve the user password. */ @@ -321,7 +310,6 @@ public class JNDIRealm extends RealmBase { */ protected String userRoleAttribute = null; - /** * A string of LDAP user patterns or paths, ":"-separated * These will be used to form the distinguished name of a @@ -332,7 +320,6 @@ public class JNDIRealm extends RealmBase { */ protected String[] userPatternArray = null; - /** * The message format used to form the distinguished name of a * user, with "{0}" marking the spot where the specified username 
@@ -340,7 +327,6 @@ public class JNDIRealm extends RealmBase { */ protected String userPattern = null; - /** * An array of MessageFormat objects associated with the current * userPatternArray. @@ -352,34 +338,29 @@ public class JNDIRealm extends RealmBase { */ protected String roleBase = ""; - /** * The MessageFormat object associated with the current * roleBase. */ protected MessageFormat roleBaseFormat = null; - /** * The MessageFormat object associated with the current * roleSearch. */ protected MessageFormat roleFormat = null; - /** * The name of an attribute in the user's entry containing * roles for that user */ protected String userRoleName = null; - /** * The name of the attribute containing roles held elsewhere */
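Review bot: The `@Deprecated` annotation added to `name` in the `-237,13 +233,13` hunk is an API-visible change in a commit whose message says "no functional change": any subclass that reads the protected field `name` will start getting deprecation warnings on 7.0.x. Mention it in the commit message and changelog, or split it into its own commit. The `@deprecated` text would also help more if it named a replacement, and the Javadoc on `name` still repeats the description of `info` word for word.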
buildbot failure in on tomcat-85-trunk
The Buildbot has detected a new failure on builder tomcat-85-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-85-trunk/builds/2689 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-85-commit' triggered this build Build Source Stamp: [branch 8.5.x] 999a22d1eca9e62be04d24a8e508c2afe1fcbada Blamelist: Igal Sapir ,Mark Thomas BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
buildbot failure in on tomcat-9-trunk
The Buildbot has detected a new failure on builder tomcat-9-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-9-trunk/builds/729 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-9-commit' triggered this build Build Source Stamp: [branch 9.0.x] 07d770fd5f8f1cc3ea3b493c96cd50baac52001b Blamelist: Igal Sapir ,Mark Thomas BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
buildbot failure in on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/5788 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch master] b201511dfb4f74faa5ebd21248a269bbbd9b21b4 Blamelist: Mark Thomas BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
[tomcat] 09/10: Expand tests to cover escaping of substituted roleBase values
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit ad22db641dcd61c2e8078f658fa709897b5da375 Author: Mark Thomas AuthorDate: Tue Apr 13 15:19:31 2021 +0100 Expand tests to cover escaping of substituted roleBaes values While the UnboundedID LDAP SDK doesn't appear to have a preference some servers (Windows AD, OpenLDAP) do appear to. --- java/org/apache/catalina/realm/JNDIRealm.java| 4 +++- test/org/apache/catalina/realm/TestJNDIRealmIntegration.java | 10 +- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 33895e4..f1354d1 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1912,7 +1912,9 @@ public class JNDIRealm extends RealmBase { Name name = np.parse(dn); String nameParts[] = new String[name.size()]; for (int i = 0; i < name.size(); i++) { -nameParts[i] = name.get(i); +// May have been returned with \ escaping rather than +// \. Make sure it is \. +nameParts[i] = convertToHexEscape(name.get(i)); } base = connection.roleBaseFormat.format(nameParts); } else { diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index d019fc0..cd69267 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -60,7 +60,7 @@ public class TestJNDIRealmIntegration { addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets); addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets); } -parameterSets.add(new Object[] { "cn={0},ou=sub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, +parameterSets.add(new Object[] { "cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, "{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} }); return parameterSets; } @@ -227,14 +227,14 @@ public class TestJNDIRealmIntegration { Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addPeopleSub = new AddRequest( -"dn: ou=sub,ou=people,dc=example,dc=com", +"dn: ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: organizationalUnit"); result = conn.processOperation(addPeopleSub); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addUserTestSub = new AddRequest( -"dn: cn=testsub,ou=sub,ou=people,dc=example,dc=com", +"dn: cn=testsub,ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", @@ -245,11 +245,11 @@ public class TestJNDIRealmIntegration { Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addGroupTest4 = new AddRequest( -"dn: cn=TestGroup4,ou=sub,ou=people,dc=example,dc=com", +"dn: cn=TestGroup4,ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: groupOfNames", "cn: TestGroup4", -"member: cn=testsub,ou=sub,ou=people,dc=example,dc=com"); +"member: cn=testsub,ou=s\\;ub,ou=people,dc=example,dc=com"); result = conn.processOperation(addGroupTest4); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
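Review bot: The `convertToHexEscape(name.get(i))` call added in the `JNDIRealm.java` hunk at `-1912,7` is exercised with only one special character, the `;` in `ou=s\\;ub`, across the `TestJNDIRealmIntegration` hunks. Since the commit message says Windows AD and OpenLDAP care which escaping form they receive, add parameter sets whose substituted `roleBase` component contains other characters that need escaping in a DN (for example `,` or `+`), so that a regression in the conversion for those characters is caught by the test and not by a directory server in production.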
[tomcat] 03/10: Rename for clarity
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 0a272b00aed57526dbfc8b881ab253c23c61f100 Author: Mark Thomas AuthorDate: Tue Apr 13 11:35:07 2021 +0100 Rename for clarity --- java/org/apache/catalina/realm/JNDIRealm.java | 30 +-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 9f43b94..1b74c2b 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1884,7 +1884,7 @@ public class JNDIRealm extends RealmBase { } // Set up parameters for an appropriate search -String filter = connection.roleFormat.format(new String[] { doRFC2254Encoding(dn), username, userRoleId }); +String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); @@ -1956,7 +1956,7 @@ public class JNDIRealm extends RealmBase { Map newThisRound = new HashMap<>(); // Stores the groups we find in this iteration for (Entry group : newGroups.entrySet()) { -filter = connection.roleFormat.format(new String[] { doRFC2254Encoding(group.getKey()), +filter = connection.roleFormat.format(new String[] { doFilterEscaping(group.getKey()), group.getValue(), group.getValue() }); if (containerLog.isTraceEnabled()) { 
@@ -2754,10 +2754,36 @@ public class JNDIRealm extends RealmBase { * ) - \29 * \ - \5c * \0 - \00 + * * @param inString string to escape according to RFC 2254 guidelines + * * @return String the escaped/encoded result + * + * @deprecated Will be removed in Tomcat 10.1.x onwards */ +@Deprecated protected String doRFC2254Encoding(String inString) { +return doFilterEscaping(inString); +} + + +/** + * Given an LDAP search string, returns the string with certain characters + * escaped according to RFC 2254 guidelines. + * The character mapping is as follows: + * char - Replacement + *--- + * * - \2a + * ( - \28 + * ) - \29 + * \ - \5c + * \0 - \00 + * + * @param inString string to escape according to RFC 2254 guidelines + * + * @return String the escaped/encoded result + */ +protected String doFilterEscaping(String inString) { StringBuilder buf = new StringBuilder(inString.length()); for (int i = 0; i < inString.length(); i++) { char c = inString.charAt(i); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
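Review bot: Switching the internal callers in the `-1884,7` and `-1956,7` hunks from `doRFC2254Encoding(...)` to `doFilterEscaping(...)` means a subclass that overrides the protected `doRFC2254Encoding` no longer has its override used when the role filter is built, because nothing in the realm calls the deprecated method any more. If that compatibility matters on 8.5.x, call it out in the changelog. In the `-2754,10` hunk, the `@deprecated` tag should point at the replacement with `{@link #doFilterEscaping(String)}`, and the character mapping table is now duplicated in two Javadoc blocks; keep it on the new method only.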
[tomcat] 07/10: Expanded tests to cover nested roles and fix escaping issues in search
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d3407672774e372fae8b5898d55f85d16f22b972 Author: Mark Thomas AuthorDate: Tue Apr 13 12:54:24 2021 +0100 Expanded tests to cover nested roles and fix escaping issues in search --- java/org/apache/catalina/realm/JNDIRealm.java | 9 -- .../catalina/realm/TestJNDIRealmIntegration.java | 34 +- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 7598539..437e9a9 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1969,8 +1969,13 @@ public class JNDIRealm extends RealmBase { Map newThisRound = new HashMap<>(); // Stores the groups we find in this iteration for (Entry group : newGroups.entrySet()) { -filter = connection.roleFormat.format(new String[] { doFilterEscaping(group.getKey()), -group.getValue(), group.getValue() }); +// Group key is already value escaped if required +// Group value is not value escaped +// Everything needs to be filter escaped +filter = connection.roleFormat.format(new String[] { +doFilterEscaping(group.getKey()), + doFilterEscaping(doAttributeValueEscaping(group.getValue())), + doFilterEscaping(doAttributeValueEscaping(group.getValue())) }); if (containerLog.isTraceEnabled()) { containerLog.trace("Perform a nested group search with base "+ roleBase + diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index 8302e47..cf47369 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -52,7 +52,7 @@ public class TestJNDIRealmIntegration { private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") +@Parameterized.Parameters(name = "{index}: user[{4}], pwd[{5}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { @@ -71,6 +71,8 @@ public class TestJNDIRealmIntegration { "t;", "test", new String[] {"TestGroup"} }); parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t*", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +"t=", "test", new String[] {"TestGroup*3"} }); } @@ -102,6 +104,7 @@ public class TestJNDIRealmIntegration { realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); realm.setRoleSearch(realmConfigRoleSearch); +realm.setRoleNested(true); GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, credentials); @@ -178,6 +181,17 @@ public class TestJNDIRealmIntegration { result = conn.processOperation(addUserTestAsterisk); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); +AddRequest addUserTestEquals = new AddRequest( +"dn: cn=t\\=,ou=people,dc=example,dc=com", +"objectClass: top", +"objectClass: person", +"objectClass: organizationalPerson", +"cn: t=", +"sn: Tequals", +"userPassword: test"); +result = conn.processOperation(addUserTestEquals); +Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); + AddRequest addGroupTest = new AddRequest( "dn: cn=TestGroup,ou=people,dc=example,dc=com", "objectClass: top", 
@@ -188,6 +202,24 @@ public class TestJNDIRealmIntegration { "member: cn=t\\*,ou=people,dc=example,dc=com"); result = conn.processOperation(addGroupTest); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); + +AddRequest addGroupTest2 = new AddRequest( +"dn: cn=Test\\Group*3,ou=people,dc=example,dc=com", +"objectClass: top", +"objectClass: groupOfNames", +"cn: Test>Group*3", +"member: cn=Test\\
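Review bot: In the `JNDIRealm.java` hunk at `-1969,8`, `doFilterEscaping(doAttributeValueEscaping(group.getValue()))` is evaluated twice with the same argument to fill `{1}` and `{2}`; compute it once into a local and pass that, which also puts the ordering (attribute value escaping first, filter escaping second) in one place. In the test hunk at `-102,6`, `realm.setRoleNested(true)` is applied to every parameter set, so no case runs with the setting left at its default; consider making it a test parameter.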
[tomcat] 10/10: Update changelog
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 999a22d1eca9e62be04d24a8e508c2afe1fcbada Author: Mark Thomas AuthorDate: Tue Apr 13 15:19:37 2021 +0100 Update changelog --- webapps/docs/changelog.xml | 4 1 file changed, 4 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 2f71b9a..63c9e6e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -110,6 +110,10 @@ Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt) + +65224: Ensure the correct escaping of attribute values and +search filters in the JNDIRealm. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
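Review bot: The added changelog entry for 65224 mentions only the escaping of attribute values and search filters, but the same series (08/10) also changes which base the role searches use, from the configured `roleBase` to the local value with substitutions applied. That is a behaviour change for anyone using substitution in `roleBase` and is worth a clause in this entry or an entry of its own.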
[tomcat] 02/10: Add attribute value escaping to support user names containing ';'
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 24dfb30076997b640e5123e92c4b8d7f206f609c Author: Mark Thomas AuthorDate: Tue Apr 13 11:12:02 2021 +0100 Add attribute value escaping to support user names containing ';' --- java/org/apache/catalina/realm/JNDIRealm.java | 79 +++- .../realm/TestJNDIRealmAttributeValueEscape.java | 86 ++ .../catalina/realm/TestJNDIRealmIntegration.java | 15 +++- 3 files changed, 177 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index e4ba051..9f43b94 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1549,8 +1549,11 @@ public class JNDIRealm extends RealmBase { return null; } -// Form the dn from the user pattern -String dn = connection.userPatternFormatArray[curUserPattern].format(new String[] { username }); +// Form the DistinguishedName from the user pattern. +// Escape in case username contains a character with special meaning in +// an attribute value. +String dn = connection.userPatternFormatArray[curUserPattern].format( +new String[] { doAttributeValueEscaping(username) }); try { user = getUserByPattern(connection.context, username, attrIds, dn); 
@@ -2839,6 +2842,78 @@ public class JNDIRealm extends RealmBase { } +/** + * Implements the necessary escaping to represent an attribute value as a + * String as per RFC 4514. + * + * @param input The original attribute value + * @return The string representation of the attribute value + */ +protected String doAttributeValueEscaping(String input) { +int len = input.length(); +StringBuilder result = new StringBuilder(); + +for (int i = 0; i < len; i++) { +char c = input.charAt(i); +switch (c) { +case ' ': { +if (i == 0 || i == (len -1)) { +result.append("\\20"); +} else { +result.append(c); +} +break; +} +case '#': { +if (i == 0 ) { +result.append("\\23"); +} else { +result.append(c); +} +break; +} +case '\"': { +result.append("\\22"); +break; +} +case '+': { +result.append("\\2B"); +break; +} +case ',': { +result.append("\\2C"); +break; +} +case ';': { +result.append("\\3B"); +break; +} +case '<': { +result.append("\\3C"); +break; +} +case '>': { +result.append("\\3E"); +break; +} +case '\\': { +result.append("\\5C"); +break; +} +case '\u': { +result.append("\\00"); +break; +} +default: +result.append(c); +} + +} + +return result.toString(); +} + + protected static String convertToHexEscape(String input) { if (input.indexOf('\\') == -1) { // No escaping present. Return original. diff --git a/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java b/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java new file mode 100644 index 000..677bcc5 --- /dev/null +++ b/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java 
@@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific
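Review bot: The Javadoc on `doAttributeValueEscaping` in the `-2839,6` hunk cites RFC 4514 but, unlike the Javadoc on `doFilterEscaping`, does not list which characters are escaped. List them (leading space or `#`, trailing space, `"`, `+`, `,`, `;`, `<`, `>`, `\` and NUL) so a caller can tell at a glance that this is DN attribute value escaping and not search filter escaping, since the two are easy to confuse and are not interchangeable. `new StringBuilder()` can also be presized with `len`, as most inputs need no escaping.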
[tomcat] 08/10: Expand testing to cover substitution in roleBase. Fix bugs.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 6a9129ac9bd06555ce04bb564a76fc3987311f38 Author: Mark Thomas AuthorDate: Tue Apr 13 14:47:07 2021 +0100 Expand testing to cover substitution in roleBase. Fix bugs. The code incorrectly referred to the original roleBase rather than the local version that includes the substituted value(s). --- java/org/apache/catalina/realm/JNDIRealm.java | 4 +- .../catalina/realm/TestJNDIRealmIntegration.java | 56 +- 2 files changed, 46 insertions(+), 14 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 437e9a9..33895e4 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1935,7 +1935,7 @@ public class JNDIRealm extends RealmBase { if (attrs == null) { continue; } -String dname = getDistinguishedName(connection.context, roleBase, result); +String dname = getDistinguishedName(connection.context, base, result); String name = getAttributeValue(roleName, attrs); if (name != null && dname != null) { groupMap.put(dname, name); @@ -1982,7 +1982,7 @@ public class JNDIRealm extends RealmBase { " and filter " + filter); } -results = searchAsUser(connection.context, user, roleBase, filter, controls, isRoleSearchAsUser()); +results = searchAsUser(connection.context, user, base, filter, controls, isRoleSearchAsUser()); try { while (results.hasMore()) { diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index cf47369..d019fc0 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -49,29 +49,32 @@ public class TestJNDIRealmIntegration { private static final String ROLE_SEARCH_A = "member={0}"; private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com"; +private static final String ROLE_BASE = "ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: user[{4}], pwd[{5}]") +@Parameterized.Parameters(name = "{index}: user[{5}], pwd[{6}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { -addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); -addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); +addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets); } +parameterSets.add(new Object[] { "cn={0},ou=sub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, +"{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} }); return parameterSets; } private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch, -List parameterSets) { -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +String roleBase, List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "t;", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, 
"t*", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "t=", "test", new String[] {"TestGroup*3"} }); } @@ -85,10 +88,12 @@ public class TestJNDIRealmIntegration { @Parameter(3) public String realmConfigRoleSearch; @Parameter(4) -public String username; +public String
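Review bot: The two replacements of `roleBase` with `base` in the `-1935,7` and `-1982,7` hunks fix the search calls, but the trace message immediately above the second one, visible in the 07/10 patch as `"Perform a nested group search with base "+ roleBase +`, lies outside the hunk and so still logs the configured `roleBase` and not the base actually searched. Change it to `base` as well, otherwise trace output is misleading exactly when substitution is in use. Since the bug came from a field and a local with near-identical names, giving the local a more distinct name would make a repeat less likely.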
[tomcat] 06/10: Expand tests and fix escaping issue in userRoleAttribute filter
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 79580e7f70a07c083be07307376511bb864d5a7b Author: Mark Thomas AuthorDate: Tue Apr 13 12:20:06 2021 +0100 Expand tests and fix escaping issue in userRoleAttribute filter --- java/org/apache/catalina/realm/JNDIRealm.java| 6 -- test/org/apache/catalina/realm/TestJNDIRealmIntegration.java | 8 +--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index d6976c7..7598539 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1891,11 +1891,13 @@ public class JNDIRealm extends RealmBase { return list; } -// Set up parameters for an appropriate search +// Set up parameters for an appropriate search filter +// The dn is already attribute value escaped but the others are not +// This is a filter so all input will require filter escaping String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), doFilterEscaping(doAttributeValueEscaping(username)), -userRoleId }); +doFilterEscaping(doAttributeValueEscaping(userRoleId)) }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index 3d9969e..8302e47 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -48,13 +48,14 @@ public class TestJNDIRealmIntegration { private static final String USER_BASE = "ou=people,dc=example,dc=com"; private static final String ROLE_SEARCH_A = "member={0}"; private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; +private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); -for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) { +for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); } @@ -128,6 +129,7 @@ public class TestJNDIRealmIntegration { try (LDAPConnection conn = ldapServer.getConnection()) { +// Note: Only the DNs need attribute value escaping AddRequest addBase = new AddRequest( "dn: dc=example,dc=com", "objectClass: top", @@ -159,7 +161,7 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: t\\;", +"cn: t;", "sn: Tsemicolon", "userPassword: test"); result = conn.processOperation(addUserTestSemicolon); @@ -170,7 +172,7 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: t\\*", +"cn: t*", "sn: Tasterisk", "userPassword: test"); result = conn.processOperation(addUserTestAsterisk); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
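Review bot: In the `-1891,11` hunk, `userRoleId` is now passed through `doAttributeValueEscaping`, whose first statement (02/10) is `int len = input.length();`, so a null `userRoleId` becomes a `NullPointerException` where it was previously just formatted into the filter. `userRoleAttribute` defaults to null, and the integration test always calls `realm.setUserRoleAttribute("cn")` (added in 05/10), so a realm configured without that attribute is not covered. Guard the null case here or in the escaping method, and add a parameter set that leaves `userRoleAttribute` unset.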
[tomcat] 05/10: Expand tests and fix an issue in escaping for group search
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe Author: Mark Thomas AuthorDate: Tue Apr 13 12:11:35 2021 +0100 Expand tests and fix an issue in escaping for group search --- java/org/apache/catalina/realm/JNDIRealm.java | 9 +++- .../catalina/realm/TestJNDIRealmIntegration.java | 26 ++ 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index a1e9bc7..d6976c7 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1855,7 +1855,11 @@ public class JNDIRealm extends RealmBase { return null; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); +// This is the name the user provided to the authentication process so +// it will not be escaped String username = user.getUserName(); String userRoleId = user.getUserRoleId(); @@ -1888,7 +1892,10 @@ public class JNDIRealm extends RealmBase { } // Set up parameters for an appropriate search -String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId }); +String filter = connection.roleFormat.format(new String[] { +doFilterEscaping(dn), +doFilterEscaping(doAttributeValueEscaping(username)), +userRoleId }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index ef0cc35..3d9969e 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -46,24 +46,29 @@ public class TestJNDIRealmIntegration { private static final String USER_PATTERN = "cn={0},ou=people,dc=example,dc=com"; private static final String USER_SEARCH = "cn={0}"; private static final String USER_BASE = "ou=people,dc=example,dc=com"; +private static final String ROLE_SEARCH_A = "member={0}"; +private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); -addUsers(USER_PATTERN, null, null, parameterSets); -addUsers(null, USER_SEARCH, USER_BASE, parameterSets); +for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) { +addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); +} return parameterSets; } -private static void addUsers(String userPattern, String userSearch, String userBase, List parameterSets) { -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch, +List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t;", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t*", "test", new String[] {"TestGroup"} }); } 
@@ -75,10 +80,12 @@ public class TestJNDIRealmIntegration { @Parameter(2) public String realmConfigUserBase; @Parameter(3) -public String username; +public String realmConfigRoleSearch; @Parameter(4) -public String credentials; +public String username; @Parameter(5) +public String credentials; +@Parameter(6) public String[] groups; @Test @@ -90,9 +97,10 @@ public class TestJNDIRealmIntegration { realm.setUserPattern(realmConfigUserPattern); realm.setUserSearch(realmConfigUserSearch); realm.setUserBase(realmConfigUserBase); +realm.setUserRoleAttribute("cn"); realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); -
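Review bot: In the `-1888,7` hunk the third filter argument, `userRoleId`, is still substituted into `roleFormat` unescaped while `dn` and `username` are now escaped. It comes from `user.getUserRoleId()` and can contain filter metacharacters just as a user name can, so it needs the same `doFilterEscaping(doAttributeValueEscaping(...))` treatment. 06/10 in this series adds it; folding that change into this commit would avoid an intermediate state where only two of the three arguments are escaped.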
[tomcat] 04/10: Expand tests and fix escaping issue when searching for users by filter
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit c9f21a2a7908c7c4ecd4f9bb495d3ee36a2bd822 Author: Mark Thomas AuthorDate: Tue Apr 13 11:43:51 2021 +0100 Expand tests and fix escaping issue when searching for users by filter --- java/org/apache/catalina/realm/JNDIRealm.java | 6 ++- .../catalina/realm/TestJNDIRealmIntegration.java | 52 +- 2 files changed, 47 insertions(+), 11 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 1b74c2b..a1e9bc7 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1593,7 +1593,9 @@ public class JNDIRealm extends RealmBase { } // Form the search filter -String filter = connection.userSearchFormat.format(new String[] { username }); +// Escape in case username contains a character with special meaning in +// a search filter. +String filter = connection.userSearchFormat.format(new String[] { doFilterEscaping(username) }); // Set up the search controls SearchControls constraints = new SearchControls(); @@ -1761,6 +1763,8 @@ public class JNDIRealm extends RealmBase { return false; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); if (dn == null) { return false; diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index ca45053..ef0cc35 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -43,24 +43,42 @@ import com.unboundid.ldap.sdk.ResultCode; @RunWith(Parameterized.class) public class TestJNDIRealmIntegration { +private static final String USER_PATTERN = "cn={0},ou=people,dc=example,dc=com"; +private static final String USER_SEARCH = "cn={0}"; +private static final String USER_BASE = "ou=people,dc=example,dc=com"; + private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]") +@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); +addUsers(USER_PATTERN, null, null, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, parameterSets); +return parameterSets; +} -parameterSets.add(new Object[] { "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { "t;", "test", new String[] {"TestGroup"} }); -return parameterSets; +private static void addUsers(String userPattern, String userSearch, String userBase, List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"test", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"t;", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"t*", "test", new String[] {"TestGroup"} }); } @Parameter(0) -public String username; +public String realmConfigUserPattern; @Parameter(1) -public String credentials; +public String realmConfigUserSearch; @Parameter(2) +public String realmConfigUserBase; +@Parameter(3) +public String username; +@Parameter(4) +public String credentials; +@Parameter(5) public String[] groups; @Test 
@@ -69,7 +87,9 @@ public class TestJNDIRealmIntegration { realm.containerLog = LogFactory.getLog(TestJNDIRealmIntegration.class); realm.setConnectionURL("ldap://localhost:; + ldapServer.getListenPort()); -realm.setUserPattern("cn={0},ou=people,dc=example,dc=com"); +realm.setUserPattern(realmConfigUserPattern); +realm.setUserSearch(realmConfigUserSearch); +realm.setUserBase(realmConfigUserBase); realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); realm.setRoleSearch("member={0}"); @@ -131,19 +151,31 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: test", -"sn: Test", +"cn: t\\;", +"sn: Tsemicolon", "userPassword: test"); result = conn.processOperation(addUserTestSemicolon); Assert.assertEquals(ResultCode.SUCCESS,
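Review bot: in the parameters() hunk of TestJNDIRealmIntegration, the run name "{index}: user[{3}], pwd[{4}]" leaves out the realm configuration, so the userPattern run and the userSearch run for the same user differ only by index in a failure report. Since this patch changes only the search-by-filter path (the doFilterEscaping(username) call), add the configuration to the name, for example pattern[{0}], search[{1}], so a failing case shows which lookup path it exercised.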
[tomcat] 01/10: Start to expand JNDIRealm unit tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit a1d06d540e74ee9a7eda27d97da33bc92ed2cbf4 Author: Mark Thomas AuthorDate: Tue Apr 13 10:13:12 2021 +0100 Start to expand JNDIRealm unit tests --- build.properties.default | 9 ++ build.xml | 9 ++ .../catalina/realm/TestJNDIRealmIntegration.java | 144 + webapps/docs/changelog.xml | 8 ++ 4 files changed, 170 insertions(+) diff --git a/build.properties.default b/build.properties.default index 922064c..616ef3d 100644 --- a/build.properties.default +++ b/build.properties.default @@ -254,6 +254,15 @@ objenesis.home=${base.path}/objenesis-${objenesis.version} objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar +# - UnboundID, used by unit tests, version 5.1.4 or later - +unboundid.version=5.1.4 +unboundid.checksum.enabled=true +unboundid.checksum.algorithm=SHA-512 +unboundid.checksum.value=04cf7f59eddebdd5b51e5be55021f9d9c667cca6101eac954e7a8d5b51f4c23372cd8f041640157f082435a166b75d85e79252b516130ede7d966dae6d3eae67 +unboundid.home=${base.path}/unboundid-${unboundid.version} +unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar +unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar + # - Checkstyle, version 6.16 or later - # Checkstyle 7 requires Java 8 # Therefore, use checkstyle-backport-jre6 diff --git a/build.xml b/build.xml index 3368c10..fffa5c1 100644 --- a/build.xml +++ b/build.xml 
@@ -2905,6 +2905,15 @@ skip.installer property in build.properties" /> + + + + + + + + + http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.realm; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameter; + +import org.apache.juli.logging.LogFactory; + +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.sdk.AddRequest; +import com.unboundid.ldap.sdk.LDAPConnection; +import com.unboundid.ldap.sdk.LDAPResult; +import com.unboundid.ldap.sdk.ResultCode; + +@RunWith(Parameterized.class) +public class TestJNDIRealmIntegration { + +private static InMemoryDirectoryServer ldapServer; + +@Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]") +public static Collection parameters() { +List parameterSets = new ArrayList<>(); + +parameterSets.add(new Object[] { "test", "test", new String[] {"TestGroup"} }); + +return parameterSets; +} + + +@Parameter(0) +public String username; +@Parameter(1) +public String credentials; +@Parameter(2) +public String[] groups; + +@Test +public void testAuthenication() throws Exception { +JNDIRealm realm = new JNDIRealm(); +realm.containerLog = LogFactory.getLog(TestJNDIRealmIntegration.class); + +realm.setConnectionURL("ldap://localhost:; + 
ldapServer.getListenPort()); +realm.setUserPattern("cn={0},ou=people,dc=example,dc=com"); +realm.setRoleName("cn"); +realm.setRoleBase("ou=people,dc=example,dc=com"); +realm.setRoleSearch("member={0}"); + +GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, credentials); + +Assert.assertNotNull(p); +Assert.assertEquals(username, p.name); + +Set actualGroups = new HashSet<>(Arrays.asList(p.getRoles())); +Set expectedGroups = new HashSet<>(Arrays.asList(groups)); + +Assert.assertEquals(expectedGroups.size(), actualGroups.size()); +Set tmp = new HashSet<>(); +tmp.addAll(expectedGroups); +tmp.removeAll(actualGroups); +Assert.assertEquals(0, tmp.size()); +} + + +@BeforeClass +public static void createLDAP() throws Exception { +InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com"); +
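Review bot: the test method in the new TestJNDIRealmIntegration is spelled testAuthenication; rename it to testAuthentication before more cases are added under that name. In the same file the run name "{index}: in[{0}], out[{1}]" labels the username and credentials parameters as in and out, which does not match the fields; user[{0}], pwd[{1}] would. The group check can also be reduced to Assert.assertEquals(expectedGroups, actualGroups), since the size comparison followed by removeAll reimplements set equality.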
[tomcat] branch 8.5.x updated (cb10b3f -> 999a22d)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git.

from cb10b3f Corrected instructions to reduce unit tests verbosity
new a1d06d5 Start to expand JNDIRealm unit tests
new 24dfb30 Add attribute value escaping to support user names containing ';'
new 0a272b0 Rename for clarity
new c9f21a2 Expand tests and fix escaping issue when searching for users by filter
new 4e86b4e Expand tests and fix an issue in escaping for group search
new 79580e7 Expand tests and fix escaping issue in userRoleAttribute filter
new d340767 Expanded tests to cover nested roles and fix escaping issues in search
new 6a9129a Expand testing to cover substitution in roleBase. Fix bugs.
new ad22db6 Expand tests to cover escaping of substituted roleBaes values
new 999a22d Update changelog

The 10 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
build.properties.default | 9 +
build.xml | 9 +
java/org/apache/catalina/realm/JNDIRealm.java | 141 ++-
.../realm/TestJNDIRealmAttributeValueEscape.java | 86 +++
.../catalina/realm/TestJNDIRealmIntegration.java | 263 +
webapps/docs/changelog.xml | 12 +
6 files changed, 510 insertions(+), 10 deletions(-)
create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java
create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
[tomcat] 05/10: Expand tests and fix an issue in escaping for group search
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 91ecdc61ce3420054c04114baaaf1c1e0cbd5d56 Author: Mark Thomas AuthorDate: Tue Apr 13 12:11:35 2021 +0100 Expand tests and fix an issue in escaping for group search --- java/org/apache/catalina/realm/JNDIRealm.java | 9 +++- .../catalina/realm/TestJNDIRealmIntegration.java | 26 ++ 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index c0debd1..0d5a78e 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1847,7 +1847,11 @@ public class JNDIRealm extends RealmBase { return null; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); +// This is the name the user provided to the authentication process so +// it will not be escaped String username = user.getUserName(); String userRoleId = user.getUserRoleId(); @@ -1880,7 +1884,10 @@ public class JNDIRealm extends RealmBase { } // Set up parameters for an appropriate search -String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId }); +String filter = connection.roleFormat.format(new String[] { +doFilterEscaping(dn), +doFilterEscaping(doAttributeValueEscaping(username)), +userRoleId }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index ef0cc35..3d9969e 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -46,24 +46,29 @@ public class TestJNDIRealmIntegration { private static final String USER_PATTERN = "cn={0},ou=people,dc=example,dc=com"; private static final String USER_SEARCH = "cn={0}"; private static final String USER_BASE = "ou=people,dc=example,dc=com"; +private static final String ROLE_SEARCH_A = "member={0}"; +private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); -addUsers(USER_PATTERN, null, null, parameterSets); -addUsers(null, USER_SEARCH, USER_BASE, parameterSets); +for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) { +addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); +} return parameterSets; } -private static void addUsers(String userPattern, String userSearch, String userBase, List parameterSets) { -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch, +List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t;", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t*", "test", new String[] {"TestGroup"} }); } 
@@ -75,10 +80,12 @@ public class TestJNDIRealmIntegration { @Parameter(2) public String realmConfigUserBase; @Parameter(3) -public String username; +public String realmConfigRoleSearch; @Parameter(4) -public String credentials; +public String username; @Parameter(5) +public String credentials; +@Parameter(6) public String[] groups; @Test @@ -90,9 +97,10 @@ public class TestJNDIRealmIntegration { realm.setUserPattern(realmConfigUserPattern); realm.setUserSearch(realmConfigUserSearch); realm.setUserBase(realmConfigUserBase); +realm.setUserRoleAttribute("cn"); realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); -
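Review bot: in the roleFormat.format(...) call of the second JNDIRealm hunk, userRoleId is still passed through unescaped while dn and username are now escaped. It is substituted into the same search filter, so a value containing a character with special meaning in a filter or in an attribute value changes the filter in the same way the raw username did. Apply doFilterEscaping(doAttributeValueEscaping(userRoleId)) here too and add a role search pattern using {2} to the test so the case is covered.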
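Review bot: in TestJNDIRealmIntegration the run name "{index}: user[{3}], pwd[{4}]" is left unchanged in the context of the first test hunk, but the last hunk inserts realmConfigRoleSearch at @Parameter(3) and moves username to 4 and credentials to 5. The name now prints the role search pattern as the user and the username as the password; update it to user[{4}], pwd[{5}].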
[tomcat] 08/10: Expand testing to cover substitution in roleBase. Fix bugs.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 329932012d3a9b95fde0b18618416e659ecffdc0 Author: Mark Thomas AuthorDate: Tue Apr 13 14:47:07 2021 +0100 Expand testing to cover substitution in roleBase. Fix bugs. The code incorrectly referred to the original roleBase rather than the local version that includes the substituted value(s). --- java/org/apache/catalina/realm/JNDIRealm.java | 4 +- .../catalina/realm/TestJNDIRealmIntegration.java | 56 +- 2 files changed, 46 insertions(+), 14 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 1c11f8c..908d8ae 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1927,7 +1927,7 @@ public class JNDIRealm extends RealmBase { if (attrs == null) { continue; } -String dname = getDistinguishedName(connection.context, roleBase, result); +String dname = getDistinguishedName(connection.context, base, result); String name = getAttributeValue(roleName, attrs); if (name != null && dname != null) { groupMap.put(dname, name); @@ -1974,7 +1974,7 @@ public class JNDIRealm extends RealmBase { " and filter " + filter); } -results = searchAsUser(connection.context, user, roleBase, filter, controls, isRoleSearchAsUser()); +results = searchAsUser(connection.context, user, base, filter, controls, isRoleSearchAsUser()); try { while (results.hasMore()) { diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index cf47369..d019fc0 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -49,29 +49,32 @@ public class TestJNDIRealmIntegration { private static final String ROLE_SEARCH_A = "member={0}"; private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com"; +private static final String ROLE_BASE = "ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: user[{4}], pwd[{5}]") +@Parameterized.Parameters(name = "{index}: user[{5}], pwd[{6}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { -addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); -addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); +addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets); } +parameterSets.add(new Object[] { "cn={0},ou=sub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, +"{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} }); return parameterSets; } private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch, -List parameterSets) { -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +String roleBase, List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "t;", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, 
"t*", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "t=", "test", new String[] {"TestGroup*3"} }); } @@ -85,10 +88,12 @@ public class TestJNDIRealmIntegration { @Parameter(3) public String realmConfigRoleSearch; @Parameter(4) -public String username; +public String
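Review bot: the second JNDIRealm hunk switches the nested search to base, but the trace call directly above it, whose tail (" and filter " + filter) is in the hunk context, is not touched; the diffstat counts only the two replaced lines. If that message prints roleBase, the log will show the configured pattern while the search runs against the substituted value, which makes exactly this kind of bug harder to spot. Log base there as well.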
[tomcat] 06/10: Expand tests and fix escaping issue in userRoleAttribute filter
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e50067486cf86564175ca0cfdcbf7d209c6df862 Author: Mark Thomas AuthorDate: Tue Apr 13 12:20:06 2021 +0100 Expand tests and fix escaping issue in userRoleAttribute filter --- java/org/apache/catalina/realm/JNDIRealm.java| 6 -- test/org/apache/catalina/realm/TestJNDIRealmIntegration.java | 8 +--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 0d5a78e..3e494c1 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1883,11 +1883,13 @@ public class JNDIRealm extends RealmBase { return list; } -// Set up parameters for an appropriate search +// Set up parameters for an appropriate search filter +// The dn is already attribute value escaped but the others are not +// This is a filter so all input will require filter escaping String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), doFilterEscaping(doAttributeValueEscaping(username)), -userRoleId }); +doFilterEscaping(doAttributeValueEscaping(userRoleId)) }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index 3d9969e..8302e47 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -48,13 +48,14 @@ public class TestJNDIRealmIntegration { private static final String USER_BASE = "ou=people,dc=example,dc=com"; private static final String ROLE_SEARCH_A = "member={0}"; private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; +private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); -for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) { +for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); } @@ -128,6 +129,7 @@ public class TestJNDIRealmIntegration { try (LDAPConnection conn = ldapServer.getConnection()) { +// Note: Only the DNs need attribute value escaping AddRequest addBase = new AddRequest( "dn: dc=example,dc=com", "objectClass: top", @@ -159,7 +161,7 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: t\\;", +"cn: t;", "sn: Tsemicolon", "userPassword: test"); result = conn.processOperation(addUserTestSemicolon); @@ -170,7 +172,7 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: t\\*", +"cn: t*", "sn: Tasterisk", "userPassword: test"); result = conn.processOperation(addUserTestAsterisk); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
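Review bot: the new comment above connection.roleFormat.format(...) says which inputs are already attribute value escaped, but not why the two calls are nested in this order. Add a line stating that doAttributeValueEscaping must run first so that the escape characters it introduces are then themselves filter escaped; without that, a later edit could swap the calls and the filter would no longer carry the DN string form of the value.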
[tomcat] 02/10: Add attribute value escaping to support user names containing ';'
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit c4df8d44a959a937d507d15e5b1ca35c3dbc41eb Author: Mark Thomas AuthorDate: Tue Apr 13 11:12:02 2021 +0100 Add attribute value escaping to support user names containing ';' --- java/org/apache/catalina/realm/JNDIRealm.java | 79 +++- .../realm/TestJNDIRealmAttributeValueEscape.java | 86 ++ .../catalina/realm/TestJNDIRealmIntegration.java | 15 +++- 3 files changed, 177 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index d94ed7f..1e81d89 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1541,8 +1541,11 @@ public class JNDIRealm extends RealmBase { return null; } -// Form the dn from the user pattern -String dn = connection.userPatternFormatArray[curUserPattern].format(new String[] { username }); +// Form the DistinguishedName from the user pattern. +// Escape in case username contains a character with special meaning in +// an attribute value. +String dn = connection.userPatternFormatArray[curUserPattern].format( +new String[] { doAttributeValueEscaping(username) }); try { user = getUserByPattern(connection.context, username, attrIds, dn); 
@@ -2824,6 +2827,78 @@ public class JNDIRealm extends RealmBase { } +/** + * Implements the necessary escaping to represent an attribute value as a + * String as per RFC 4514. + * + * @param input The original attribute value + * @return The string representation of the attribute value + */ +protected String doAttributeValueEscaping(String input) { +int len = input.length(); +StringBuilder result = new StringBuilder(); + +for (int i = 0; i < len; i++) { +char c = input.charAt(i); +switch (c) { +case ' ': { +if (i == 0 || i == (len -1)) { +result.append("\\20"); +} else { +result.append(c); +} +break; +} +case '#': { +if (i == 0 ) { +result.append("\\23"); +} else { +result.append(c); +} +break; +} +case '\"': { +result.append("\\22"); +break; +} +case '+': { +result.append("\\2B"); +break; +} +case ',': { +result.append("\\2C"); +break; +} +case ';': { +result.append("\\3B"); +break; +} +case '<': { +result.append("\\3C"); +break; +} +case '>': { +result.append("\\3E"); +break; +} +case '\\': { +result.append("\\5C"); +break; +} +case '\u': { +result.append("\\00"); +break; +} +default: +result.append(c); +} + +} + +return result.toString(); +} + + protected static String convertToHexEscape(String input) { if (input.indexOf('\\') == -1) { // No escaping present. Return original. diff --git a/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java b/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java new file mode 100644 index 000..677bcc5 --- /dev/null +++ b/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java 
@@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific
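Review bot: the Javadoc on doAttributeValueEscaping cites RFC 4514 but does not say that every special character is emitted in the hex-pair form (\3B, \2C and so on) rather than the backslash-character form the RFC also allows. State that in the Javadoc, since code comparing the result with DNs returned by a directory needs to know which form to expect. The method also calls input.length() without a null check, so either document that null is not accepted or return early for it.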
[tomcat] 07/10: Expanded tests to cover nested roles and fix escaping issues in search
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit b5585a9e5d4fec020cc5ebadb82f899fae22bc43 Author: Mark Thomas AuthorDate: Tue Apr 13 12:54:24 2021 +0100 Expanded tests to cover nested roles and fix escaping issues in search --- java/org/apache/catalina/realm/JNDIRealm.java | 9 -- .../catalina/realm/TestJNDIRealmIntegration.java | 34 +- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 3e494c1..1c11f8c 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1961,8 +1961,13 @@ public class JNDIRealm extends RealmBase { Map newThisRound = new HashMap<>(); // Stores the groups we find in this iteration for (Entry group : newGroups.entrySet()) { -filter = connection.roleFormat.format(new String[] { doFilterEscaping(group.getKey()), -group.getValue(), group.getValue() }); +// Group key is already value escaped if required +// Group value is not value escaped +// Everything needs to be filter escaped +filter = connection.roleFormat.format(new String[] { +doFilterEscaping(group.getKey()), + doFilterEscaping(doAttributeValueEscaping(group.getValue())), + doFilterEscaping(doAttributeValueEscaping(group.getValue())) }); if (containerLog.isTraceEnabled()) { containerLog.trace("Perform a nested group search with base "+ roleBase + diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index 8302e47..cf47369 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -52,7 +52,7 @@ public class TestJNDIRealmIntegration { private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") +@Parameterized.Parameters(name = "{index}: user[{4}], pwd[{5}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { @@ -71,6 +71,8 @@ public class TestJNDIRealmIntegration { "t;", "test", new String[] {"TestGroup"} }); parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t*", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +"t=", "test", new String[] {"TestGroup*3"} }); } @@ -102,6 +104,7 @@ public class TestJNDIRealmIntegration { realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); realm.setRoleSearch(realmConfigRoleSearch); +realm.setRoleNested(true); GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, credentials); @@ -178,6 +181,17 @@ public class TestJNDIRealmIntegration { result = conn.processOperation(addUserTestAsterisk); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); +AddRequest addUserTestEquals = new AddRequest( +"dn: cn=t\\=,ou=people,dc=example,dc=com", +"objectClass: top", +"objectClass: person", +"objectClass: organizationalPerson", +"cn: t=", +"sn: Tequals", +"userPassword: test"); +result = conn.processOperation(addUserTestEquals); +Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); + AddRequest addGroupTest = new AddRequest( "dn: cn=TestGroup,ou=people,dc=example,dc=com", "objectClass: top", 
@@ -188,6 +202,24 @@ public class TestJNDIRealmIntegration { "member: cn=t\\*,ou=people,dc=example,dc=com"); result = conn.processOperation(addGroupTest); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); + +AddRequest addGroupTest2 = new AddRequest( +"dn: cn=Test\\Group*3,ou=people,dc=example,dc=com", +"objectClass: top", +"objectClass: groupOfNames", +"cn: Test>Group*3", +"member: cn=Test\\
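Review bot: in the nested group hunk of JNDIRealm, doFilterEscaping(doAttributeValueEscaping(group.getValue())) is evaluated twice on consecutive lines for the same value. Compute it once into a local and pass that for both {1} and {2}; it removes the duplicated work inside the loop and keeps the two substitutions from drifting apart if the escaping is changed later.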
[tomcat] 04/10: Expand tests and fix escaping issue when searching for users by filter
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit c6b6e1015ae44c936971b6bf8bce70987935b92e Author: Mark Thomas AuthorDate: Tue Apr 13 11:43:51 2021 +0100 Expand tests and fix escaping issue when searching for users by filter --- java/org/apache/catalina/realm/JNDIRealm.java | 6 ++- .../catalina/realm/TestJNDIRealmIntegration.java | 52 +- 2 files changed, 47 insertions(+), 11 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 3bba372..c0debd1 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1585,7 +1585,9 @@ public class JNDIRealm extends RealmBase { } // Form the search filter -String filter = connection.userSearchFormat.format(new String[] { username }); +// Escape in case username contains a character with special meaning in +// a search filter. +String filter = connection.userSearchFormat.format(new String[] { doFilterEscaping(username) }); // Set up the search controls SearchControls constraints = new SearchControls(); @@ -1753,6 +1755,8 @@ public class JNDIRealm extends RealmBase { return false; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); if (dn == null) { return false; diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index ca45053..ef0cc35 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -43,24 +43,42 @@ import com.unboundid.ldap.sdk.ResultCode; @RunWith(Parameterized.class) public class TestJNDIRealmIntegration { +private static final String USER_PATTERN = "cn={0},ou=people,dc=example,dc=com"; +private static final String USER_SEARCH = "cn={0}"; +private static final String USER_BASE = "ou=people,dc=example,dc=com"; + private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]") +@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); +addUsers(USER_PATTERN, null, null, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, parameterSets); +return parameterSets; +} -parameterSets.add(new Object[] { "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { "t;", "test", new String[] {"TestGroup"} }); -return parameterSets; +private static void addUsers(String userPattern, String userSearch, String userBase, List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"test", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"t;", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"t*", "test", new String[] {"TestGroup"} }); } @Parameter(0) -public String username; +public String realmConfigUserPattern; @Parameter(1) -public String credentials; +public String realmConfigUserSearch; @Parameter(2) +public String realmConfigUserBase; +@Parameter(3) +public String username; +@Parameter(4) +public String credentials; +@Parameter(5) public String[] groups; @Test 
@@ -69,7 +87,9 @@ public class TestJNDIRealmIntegration { realm.containerLog = LogFactory.getLog(TestJNDIRealmIntegration.class); realm.setConnectionURL("ldap://localhost:; + ldapServer.getListenPort()); -realm.setUserPattern("cn={0},ou=people,dc=example,dc=com"); +realm.setUserPattern(realmConfigUserPattern); +realm.setUserSearch(realmConfigUserSearch); +realm.setUserBase(realmConfigUserBase); realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); realm.setRoleSearch("member={0}"); @@ -131,19 +151,31 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: test", -"sn: Test", +"cn: t\\;", +"sn: Tsemicolon", "userPassword: test"); result = conn.processOperation(addUserTestSemicolon); Assert.assertEquals(ResultCode.SUCCESS,
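Review bot: in the last test hunk the user entry's attribute line becomes "cn: t\\;", which stores the backslash as part of the cn value. RFC 4514 escaping applies to the dn line of the entry, not to its attribute values. With USER_SEARCH = "cn={0}" the filter is built from the user-supplied t;, so the stored value should be "cn: t;" for the search case to test what it claims.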
[tomcat] 09/10: Expand tests to cover escaping of substituted roleBaes values
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 3ce84512ed8783577d9945df28da5a033465b945 Author: Mark Thomas AuthorDate: Tue Apr 13 15:19:31 2021 +0100 Expand tests to cover escaping of substituted roleBaes values While the UnboundedID LDAP SDK doesn't appear to have a preference some servers (Windows AD, OpenLDAP) do appear to. --- java/org/apache/catalina/realm/JNDIRealm.java| 4 +++- test/org/apache/catalina/realm/TestJNDIRealmIntegration.java | 10 +- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 908d8ae..5648201 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1904,7 +1904,9 @@ public class JNDIRealm extends RealmBase { Name name = np.parse(dn); String nameParts[] = new String[name.size()]; for (int i = 0; i < name.size(); i++) { -nameParts[i] = name.get(i); +// May have been returned with \ escaping rather than +// \. Make sure it is \. +nameParts[i] = convertToHexEscape(name.get(i)); } base = connection.roleBaseFormat.format(nameParts); } else { diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index d019fc0..cd69267 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -60,7 +60,7 @@ public class TestJNDIRealmIntegration { addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets); addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets); } -parameterSets.add(new Object[] { "cn={0},ou=sub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, +parameterSets.add(new Object[] { "cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, "{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} }); return parameterSets; } @@ -227,14 +227,14 @@ public class TestJNDIRealmIntegration { Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addPeopleSub = new AddRequest( -"dn: ou=sub,ou=people,dc=example,dc=com", +"dn: ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: organizationalUnit"); result = conn.processOperation(addPeopleSub); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addUserTestSub = new AddRequest( -"dn: cn=testsub,ou=sub,ou=people,dc=example,dc=com", +"dn: cn=testsub,ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", @@ -245,11 +245,11 @@ public class TestJNDIRealmIntegration { Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addGroupTest4 = new AddRequest( -"dn: cn=TestGroup4,ou=sub,ou=people,dc=example,dc=com", +"dn: cn=TestGroup4,ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: groupOfNames", "cn: TestGroup4", -"member: cn=testsub,ou=sub,ou=people,dc=example,dc=com"); +"member: cn=testsub,ou=s\\;ub,ou=people,dc=example,dc=com"); result = conn.processOperation(addGroupTest4); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
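Review bot: The new convertToHexEscape call in the name-parts loop of JNDIRealm is not pinned by the test changes that accompany it. The commit message says the UnboundID server has no preference between the two escape forms, so the ou=s\\;ub cases in TestJNDIRealmIntegration would pass with or without the conversion. A direct unit test on convertToHexEscape, asserting that a name part using backslash-character escaping comes back hex-escaped, would guard the behaviour that Windows AD and OpenLDAP are said to depend on.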
[tomcat] 01/10: Start to expand JNDIRealm unit tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 2a13dd88639e92a04543585f2a9d9542e0d89f2c Author: Mark Thomas AuthorDate: Tue Apr 13 10:13:12 2021 +0100 Start to expand JNDIRealm unit tests --- build.properties.default | 9 ++ build.xml | 9 ++ .../catalina/realm/TestJNDIRealmIntegration.java | 144 + webapps/docs/changelog.xml | 4 + 4 files changed, 166 insertions(+) diff --git a/build.properties.default b/build.properties.default index 94b5663..77622d8 100644 --- a/build.properties.default +++ b/build.properties.default @@ -250,6 +250,15 @@ objenesis.home=${base.path}/objenesis-${objenesis.version} objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar +# - UnboundID, used by unit tests, version 5.1.4 or later - +unboundid.version=5.1.4 +unboundid.checksum.enabled=true +unboundid.checksum.algorithm=SHA-512 +unboundid.checksum.value=04cf7f59eddebdd5b51e5be55021f9d9c667cca6101eac954e7a8d5b51f4c23372cd8f041640157f082435a166b75d85e79252b516130ede7d966dae6d3eae67 +unboundid.home=${base.path}/unboundid-${unboundid.version} +unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar +unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar + # - Checkstyle, version 6.16 or later - checkstyle.version=8.22 checkstyle.checksum.enabled=true diff --git a/build.xml b/build.xml index 15d27fb..b186186 100644 --- a/build.xml +++ b/build.xml 
@@ -3243,6 +3243,15 @@ skip.installer property in build.properties" /> + + + + + + + + + http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.realm; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameter; + +import org.apache.juli.logging.LogFactory; + +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.sdk.AddRequest; +import com.unboundid.ldap.sdk.LDAPConnection; +import com.unboundid.ldap.sdk.LDAPResult; +import com.unboundid.ldap.sdk.ResultCode; + +@RunWith(Parameterized.class) +public class TestJNDIRealmIntegration { + +private static InMemoryDirectoryServer ldapServer; + +@Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]") +public static Collection parameters() { +List parameterSets = new ArrayList<>(); + +parameterSets.add(new Object[] { "test", "test", new String[] {"TestGroup"} }); + +return parameterSets; +} + + +@Parameter(0) +public String username; +@Parameter(1) +public String credentials; +@Parameter(2) +public String[] groups; + +@Test +public void testAuthenication() throws Exception { +JNDIRealm realm = new JNDIRealm(); +realm.containerLog = LogFactory.getLog(TestJNDIRealmIntegration.class); + +realm.setConnectionURL("ldap://localhost:; + 
ldapServer.getListenPort()); +realm.setUserPattern("cn={0},ou=people,dc=example,dc=com"); +realm.setRoleName("cn"); +realm.setRoleBase("ou=people,dc=example,dc=com"); +realm.setRoleSearch("member={0}"); + +GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, credentials); + +Assert.assertNotNull(p); +Assert.assertEquals(username, p.name); + +Set actualGroups = new HashSet<>(Arrays.asList(p.getRoles())); +Set expectedGroups = new HashSet<>(Arrays.asList(groups)); + +Assert.assertEquals(expectedGroups.size(), actualGroups.size()); +Set tmp = new HashSet<>(); +tmp.addAll(expectedGroups); +tmp.removeAll(actualGroups); +Assert.assertEquals(0, tmp.size()); +} + + +@BeforeClass +public static void createLDAP() throws Exception { +InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com"); +
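Review bot: The test method in the new TestJNDIRealmIntegration is spelled testAuthenication; rename it to testAuthentication before more cases build on it. The Parameters name template "{index}: in[{0}], out[{1}]" also labels the second parameter as output although it is bound to the credentials field, so something like user[{0}], pwd[{1}] would describe the values correctly in test reports.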
[tomcat] 10/10: Update changelog
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 07d770fd5f8f1cc3ea3b493c96cd50baac52001b Author: Mark Thomas AuthorDate: Tue Apr 13 15:19:37 2021 +0100 Update changelog --- webapps/docs/changelog.xml | 4 1 file changed, 4 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 623a694..4472321 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -114,6 +114,10 @@ Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt) + +65224: Ensure the correct escaping of attribute values and +search filters in the JNDIRealm. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
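Review bot: The 65224 entry covers the escaping fix, but the series also deprecates the protected doRFC2254Encoding method in favour of doFilterEscaping (commit 03/10). Anyone subclassing JNDIRealm would only learn that from the Javadoc, so consider mentioning the deprecation in the changelog as well.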
[tomcat] 03/10: Rename for clarity
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 749f3cc192c68c34f2375509aea087be45fc4434 Author: Mark Thomas AuthorDate: Tue Apr 13 11:35:07 2021 +0100 Rename for clarity --- java/org/apache/catalina/realm/JNDIRealm.java | 30 +-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 1e81d89..3bba372 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1876,7 +1876,7 @@ public class JNDIRealm extends RealmBase { } // Set up parameters for an appropriate search -String filter = connection.roleFormat.format(new String[] { doRFC2254Encoding(dn), username, userRoleId }); +String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); @@ -1948,7 +1948,7 @@ public class JNDIRealm extends RealmBase { Map newThisRound = new HashMap<>(); // Stores the groups we find in this iteration for (Entry group : newGroups.entrySet()) { -filter = connection.roleFormat.format(new String[] { doRFC2254Encoding(group.getKey()), +filter = connection.roleFormat.format(new String[] { doFilterEscaping(group.getKey()), group.getValue(), group.getValue() }); if (containerLog.isTraceEnabled()) { 
@@ -2739,10 +2739,36 @@ public class JNDIRealm extends RealmBase { * ) - \29 * \ - \5c * \0 - \00 + * * @param inString string to escape according to RFC 2254 guidelines + * * @return String the escaped/encoded result + * + * @deprecated Will be removed in Tomcat 10.1.x onwards */ +@Deprecated protected String doRFC2254Encoding(String inString) { +return doFilterEscaping(inString); +} + + +/** + * Given an LDAP search string, returns the string with certain characters + * escaped according to RFC 2254 guidelines. + * The character mapping is as follows: + * char - Replacement + *--- + * * - \2a + * ( - \28 + * ) - \29 + * \ - \5c + * \0 - \00 + * + * @param inString string to escape according to RFC 2254 guidelines + * + * @return String the escaped/encoded result + */ +protected String doFilterEscaping(String inString) { StringBuilder buf = new StringBuilder(inString.length()); for (int i = 0; i < inString.length(); i++) { char c = inString.charAt(i); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
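Review bot: At both roleFormat.format call sites touched here, only the first argument goes through doFilterEscaping; username, userRoleId and group.getValue() are still substituted into the filter as-is. If later commits in the series address that, a pointer in the commit message would help anyone reading this one alone. Also, the @deprecated tag on doRFC2254Encoding says when the method will be removed but not what replaces it; add {@link #doFilterEscaping(String)}.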
[tomcat] branch 9.0.x updated (fba2bf9 -> 07d770f)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git.

    from fba2bf9 Corrected instructions to reduce unit tests verbosity
     new 2a13dd8 Start to expand JNDIRealm unit tests
     new c4df8d4 Add attribute value escaping to support user names containing ';'
     new 749f3cc Rename for clarity
     new c6b6e10 Expand tests and fix escaping issue when searching for users by filter
     new 91ecdc6 Expand tests and fix an issue in escaping for group search
     new e500674 Expand tests and fix escaping issue in userRoleAttribute filter
     new b5585a9 Expanded tests to cover nested roles and fix escaping issues in search
     new 3299320 Expand testing to cover substitution in roleBase. Fix bugs.
     new 3ce8451 Expand tests to cover escaping of substituted roleBaes values
     new 07d770f Update changelog

The 10 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 build.properties.default | 9 +
 build.xml | 9 +
 java/org/apache/catalina/realm/JNDIRealm.java | 141 ++-
 .../realm/TestJNDIRealmAttributeValueEscape.java | 86 +++
 .../catalina/realm/TestJNDIRealmIntegration.java | 263 +
 webapps/docs/changelog.xml | 8 +
 6 files changed, 506 insertions(+), 10 deletions(-)
 create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java
 create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
[tomcat] 03/10: Rename for clarity
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 4e61e1d625a4a64d6b775e3a03c77a0b100d56d7 Author: Mark Thomas AuthorDate: Tue Apr 13 11:35:07 2021 +0100 Rename for clarity --- java/org/apache/catalina/realm/JNDIRealm.java | 30 +-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index dc10675..c16c7b7 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1876,7 +1876,7 @@ public class JNDIRealm extends RealmBase { } // Set up parameters for an appropriate search -String filter = connection.roleFormat.format(new String[] { doRFC2254Encoding(dn), username, userRoleId }); +String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); @@ -1948,7 +1948,7 @@ public class JNDIRealm extends RealmBase { Map newThisRound = new HashMap<>(); // Stores the groups we find in this iteration for (Entry group : newGroups.entrySet()) { -filter = connection.roleFormat.format(new String[] { doRFC2254Encoding(group.getKey()), +filter = connection.roleFormat.format(new String[] { doFilterEscaping(group.getKey()), group.getValue(), group.getValue() }); if (containerLog.isTraceEnabled()) { 
@@ -2738,10 +2738,36 @@ public class JNDIRealm extends RealmBase { * ) - \29 * \ - \5c * \0 - \00 + * * @param inString string to escape according to RFC 2254 guidelines + * * @return String the escaped/encoded result + * + * @deprecated Will be removed in Tomcat 10.1.x onwards */ +@Deprecated protected String doRFC2254Encoding(String inString) { +return doFilterEscaping(inString); +} + + +/** + * Given an LDAP search string, returns the string with certain characters + * escaped according to RFC 2254 guidelines. + * The character mapping is as follows: + * char - Replacement + *--- + * * - \2a + * ( - \28 + * ) - \29 + * \ - \5c + * \0 - \00 + * + * @param inString string to escape according to RFC 2254 guidelines + * + * @return String the escaped/encoded result + */ +protected String doFilterEscaping(String inString) { StringBuilder buf = new StringBuilder(inString.length()); for (int i = 0; i < inString.length(); i++) { char c = inString.charAt(i); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
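Review bot: The Javadoc for the new doFilterEscaping method still cites RFC 2254, which has been obsoleted by RFC 4515. Since the rename is for clarity, cite RFC 4515 on the new method and keep the RFC 2254 wording only on the deprecated wrapper, which could then shrink to a one-line description instead of carrying a second copy of the character table.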
[tomcat] 10/10: Update changelog
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit b201511dfb4f74faa5ebd21248a269bbbd9b21b4 Author: Mark Thomas AuthorDate: Tue Apr 13 15:19:37 2021 +0100 Update changelog --- webapps/docs/changelog.xml | 4 1 file changed, 4 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 646bdab..e898958 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -110,6 +110,10 @@ Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt) + +65224: Ensure the correct escaping of attribute values and +search filters in the JNDIRealm. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/10: Start to expand JNDIRealm unit tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit fa4d19c0c6ea28eae41c29ed5b16a2ccbd7e9ba1 Author: Mark Thomas AuthorDate: Tue Apr 13 10:13:12 2021 +0100 Start to expand JNDIRealm unit tests --- build.properties.default | 9 ++ build.xml | 9 ++ .../catalina/realm/TestJNDIRealmIntegration.java | 144 + webapps/docs/changelog.xml | 8 ++ 4 files changed, 170 insertions(+) diff --git a/build.properties.default b/build.properties.default index fd8d153..2c3323a 100644 --- a/build.properties.default +++ b/build.properties.default @@ -250,6 +250,15 @@ objenesis.home=${base.path}/objenesis-${objenesis.version} objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar +# - UnboundID, used by unit tests, version 5.1.4 or later - +unboundid.version=5.1.4 +unboundid.checksum.enabled=true +unboundid.checksum.algorithm=SHA-512 +unboundid.checksum.value=04cf7f59eddebdd5b51e5be55021f9d9c667cca6101eac954e7a8d5b51f4c23372cd8f041640157f082435a166b75d85e79252b516130ede7d966dae6d3eae67 +unboundid.home=${base.path}/unboundid-${unboundid.version} +unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar +unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar + # - Checkstyle, version 6.16 or later - checkstyle.version=8.22 checkstyle.checksum.enabled=true diff --git a/build.xml b/build.xml index 38aeaf2..835cc36 100644 --- a/build.xml +++ b/build.xml 
@@ -3271,6 +3271,15 @@ skip.installer property in build.properties" /> + + + + + + + + + http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.realm; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameter; + +import org.apache.juli.logging.LogFactory; + +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.sdk.AddRequest; +import com.unboundid.ldap.sdk.LDAPConnection; +import com.unboundid.ldap.sdk.LDAPResult; +import com.unboundid.ldap.sdk.ResultCode; + +@RunWith(Parameterized.class) +public class TestJNDIRealmIntegration { + +private static InMemoryDirectoryServer ldapServer; + +@Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]") +public static Collection parameters() { +List parameterSets = new ArrayList<>(); + +parameterSets.add(new Object[] { "test", "test", new String[] {"TestGroup"} }); + +return parameterSets; +} + + +@Parameter(0) +public String username; +@Parameter(1) +public String credentials; +@Parameter(2) +public String[] groups; + +@Test +public void testAuthenication() throws Exception { +JNDIRealm realm = new JNDIRealm(); +realm.containerLog = LogFactory.getLog(TestJNDIRealmIntegration.class); + +realm.setConnectionURL("ldap://localhost:; + 
ldapServer.getListenPort()); +realm.setUserPattern("cn={0},ou=people,dc=example,dc=com"); +realm.setRoleName("cn"); +realm.setRoleBase("ou=people,dc=example,dc=com"); +realm.setRoleSearch("member={0}"); + +GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, credentials); + +Assert.assertNotNull(p); +Assert.assertEquals(username, p.name); + +Set actualGroups = new HashSet<>(Arrays.asList(p.getRoles())); +Set expectedGroups = new HashSet<>(Arrays.asList(groups)); + +Assert.assertEquals(expectedGroups.size(), actualGroups.size()); +Set tmp = new HashSet<>(); +tmp.addAll(expectedGroups); +tmp.removeAll(actualGroups); +Assert.assertEquals(0, tmp.size()); +} + + +@BeforeClass +public static void createLDAP() throws Exception { +InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com"); +
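Review bot: The group comparison at the end of the test method checks the sizes and then removes actualGroups from a copy of expectedGroups; both are already HashSets, so a single Assert.assertEquals(expectedGroups, actualGroups) covers both checks and shows the two sets on failure. In build.properties.default the comment reads "version 5.1.4 or later" while unboundid.version and the SHA-512 checksum pin exactly 5.1.4; a short note that the checksum has to change with the version would help whoever bumps it.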
[tomcat] 09/10: Expand tests to cover escaping of substituted roleBaes values
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit eeb7351219bd8803c0053e1e80444664a7cf5b51 Author: Mark Thomas AuthorDate: Tue Apr 13 15:19:31 2021 +0100 Expand tests to cover escaping of substituted roleBaes values While the UnboundedID LDAP SDK doesn't appear to have a preference some servers (Windows AD, OpenLDAP) do appear to. --- java/org/apache/catalina/realm/JNDIRealm.java| 4 +++- test/org/apache/catalina/realm/TestJNDIRealmIntegration.java | 10 +- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 43e9ca8..04768e8 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1904,7 +1904,9 @@ public class JNDIRealm extends RealmBase { Name name = np.parse(dn); String nameParts[] = new String[name.size()]; for (int i = 0; i < name.size(); i++) { -nameParts[i] = name.get(i); +// May have been returned with \ escaping rather than +// \. Make sure it is \. +nameParts[i] = convertToHexEscape(name.get(i)); } base = connection.roleBaseFormat.format(nameParts); } else { diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index d019fc0..cd69267 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -60,7 +60,7 @@ public class TestJNDIRealmIntegration { addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets); addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets); } -parameterSets.add(new Object[] { "cn={0},ou=sub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, +parameterSets.add(new Object[] { "cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, "{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} }); return parameterSets; } @@ -227,14 +227,14 @@ public class TestJNDIRealmIntegration { Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addPeopleSub = new AddRequest( -"dn: ou=sub,ou=people,dc=example,dc=com", +"dn: ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: organizationalUnit"); result = conn.processOperation(addPeopleSub); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addUserTestSub = new AddRequest( -"dn: cn=testsub,ou=sub,ou=people,dc=example,dc=com", +"dn: cn=testsub,ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", @@ -245,11 +245,11 @@ public class TestJNDIRealmIntegration { Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); AddRequest addGroupTest4 = new AddRequest( -"dn: cn=TestGroup4,ou=sub,ou=people,dc=example,dc=com", +"dn: cn=TestGroup4,ou=s\\;ub,ou=people,dc=example,dc=com", "objectClass: top", "objectClass: groupOfNames", "cn: TestGroup4", -"member: cn=testsub,ou=sub,ou=people,dc=example,dc=com"); +"member: cn=testsub,ou=s\\;ub,ou=people,dc=example,dc=com"); result = conn.processOperation(addGroupTest4); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
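Review bot: The substituted roleBase case in parameters() is exercised for one combination only: the userPattern path with ROLE_SEARCH_A and a ';' in the ou. Consider adding the same row for the other role searches, and at least one more character that needs escaping in a DN such as ',' or '+', so the {3} substitution is covered beyond the single semicolon case.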
[tomcat] 02/10: Add attribute value escaping to support user names containing ';'
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit f4d9bdef53ec009b7717620d890465fa273721a6 Author: Mark Thomas AuthorDate: Tue Apr 13 11:12:02 2021 +0100 Add attribute value escaping to support user names containing ';' --- java/org/apache/catalina/realm/JNDIRealm.java | 79 +++- .../realm/TestJNDIRealmAttributeValueEscape.java | 86 ++ .../catalina/realm/TestJNDIRealmIntegration.java | 15 +++- 3 files changed, 177 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index cda0603..dc10675 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1541,8 +1541,11 @@ public class JNDIRealm extends RealmBase { return null; } -// Form the dn from the user pattern -String dn = connection.userPatternFormatArray[curUserPattern].format(new String[] { username }); +// Form the DistinguishedName from the user pattern. +// Escape in case username contains a character with special meaning in +// an attribute value. +String dn = connection.userPatternFormatArray[curUserPattern].format( +new String[] { doAttributeValueEscaping(username) }); try { user = getUserByPattern(connection.context, username, attrIds, dn); 
@@ -2823,6 +2826,78 @@ public class JNDIRealm extends RealmBase { } +/** + * Implements the necessary escaping to represent an attribute value as a + * String as per RFC 4514. + * + * @param input The original attribute value + * @return The string representation of the attribute value + */ +protected String doAttributeValueEscaping(String input) { +int len = input.length(); +StringBuilder result = new StringBuilder(); + +for (int i = 0; i < len; i++) { +char c = input.charAt(i); +switch (c) { +case ' ': { +if (i == 0 || i == (len -1)) { +result.append("\\20"); +} else { +result.append(c); +} +break; +} +case '#': { +if (i == 0 ) { +result.append("\\23"); +} else { +result.append(c); +} +break; +} +case '\"': { +result.append("\\22"); +break; +} +case '+': { +result.append("\\2B"); +break; +} +case ',': { +result.append("\\2C"); +break; +} +case ';': { +result.append("\\3B"); +break; +} +case '<': { +result.append("\\3C"); +break; +} +case '>': { +result.append("\\3E"); +break; +} +case '\\': { +result.append("\\5C"); +break; +} +case '\u': { +result.append("\\00"); +break; +} +default: +result.append(c); +} + +} + +return result.toString(); +} + + protected static String convertToHexEscape(String input) { if (input.indexOf('\\') == -1) { // No escaping present. Return original. diff --git a/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java b/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java new file mode 100644 index 000..677bcc5 --- /dev/null +++ b/test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java 
@@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific
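Review bot: doAttributeValueEscaping is declared as a protected instance method although it uses no instance state, while convertToHexEscape directly below it is protected static. Making it static too would keep the two helpers consistent and let the new unit test call it directly. Minor: the escapes here use upper-case hex (\2B, \3C) whereas the filter-escaping table in this class uses lower-case (\2a, \5c); both are valid, but one convention would make escaped strings easier to compare in logs and tests.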
[tomcat] 05/10: Expand tests and fix an issue in escaping for group search
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit b930d0b3161d9ec78d5fa57f886ed2de4680518b Author: Mark Thomas AuthorDate: Tue Apr 13 12:11:35 2021 +0100 Expand tests and fix an issue in escaping for group search --- java/org/apache/catalina/realm/JNDIRealm.java | 9 +++- .../catalina/realm/TestJNDIRealmIntegration.java | 26 ++ 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index ec36187..cdb9f9e 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1847,7 +1847,11 @@ public class JNDIRealm extends RealmBase { return null; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); +// This is the name the user provided to the authentication process so +// it will not be escaped String username = user.getUserName(); String userRoleId = user.getUserRoleId(); @@ -1880,7 +1884,10 @@ public class JNDIRealm extends RealmBase { } // Set up parameters for an appropriate search -String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId }); +String filter = connection.roleFormat.format(new String[] { +doFilterEscaping(dn), +doFilterEscaping(doAttributeValueEscaping(username)), +userRoleId }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index ef0cc35..3d9969e 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -46,24 +46,29 @@ public class TestJNDIRealmIntegration { private static final String USER_PATTERN = "cn={0},ou=people,dc=example,dc=com"; private static final String USER_SEARCH = "cn={0}"; private static final String USER_BASE = "ou=people,dc=example,dc=com"; +private static final String ROLE_SEARCH_A = "member={0}"; +private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); -addUsers(USER_PATTERN, null, null, parameterSets); -addUsers(null, USER_SEARCH, USER_BASE, parameterSets); +for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) { +addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); +} return parameterSets; } -private static void addUsers(String userPattern, String userSearch, String userBase, List parameterSets) { -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch, +List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t;", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t*", "test", new String[] {"TestGroup"} }); } 
@@ -75,10 +80,12 @@ public class TestJNDIRealmIntegration { @Parameter(2) public String realmConfigUserBase; @Parameter(3) -public String username; +public String realmConfigRoleSearch; @Parameter(4) -public String credentials; +public String username; @Parameter(5) +public String credentials; +@Parameter(6) public String[] groups; @Test @@ -90,9 +97,10 @@ public class TestJNDIRealmIntegration { realm.setUserPattern(realmConfigUserPattern); realm.setUserSearch(realmConfigUserSearch); realm.setUserBase(realmConfigUserBase); +realm.setUserRoleAttribute("cn"); realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); -
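Review bot: In the roleFormat.format call, username is now attribute-value escaped and then filter escaped, which suits ROLE_SEARCH_B where {1} sits inside a DN, but a roleSearch that compares {1} with a plain string attribute would then be matched against the RFC 4514 escaped form rather than the name the user supplied. The tests here only place {1} inside a DN, so that case is untested; it deserves either a test or a documentation note. userRoleId is also still passed through unescaped as the third argument.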
[tomcat] 07/10: Expanded tests to cover nested roles and fix escaping issues in search
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit bd4d1fbe9146dff4714130594afd668406a6a5ef Author: Mark Thomas AuthorDate: Tue Apr 13 12:54:24 2021 +0100 Expanded tests to cover nested roles and fix escaping issues in search --- java/org/apache/catalina/realm/JNDIRealm.java | 9 -- .../catalina/realm/TestJNDIRealmIntegration.java | 34 +- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 59a56d8..4f61ad6 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1961,8 +1961,13 @@ public class JNDIRealm extends RealmBase { Map newThisRound = new HashMap<>(); // Stores the groups we find in this iteration for (Entry group : newGroups.entrySet()) { -filter = connection.roleFormat.format(new String[] { doFilterEscaping(group.getKey()), -group.getValue(), group.getValue() }); +// Group key is already value escaped if required +// Group value is not value escaped +// Everything needs to be filter escaped +filter = connection.roleFormat.format(new String[] { +doFilterEscaping(group.getKey()), + doFilterEscaping(doAttributeValueEscaping(group.getValue())), + doFilterEscaping(doAttributeValueEscaping(group.getValue())) }); if (containerLog.isTraceEnabled()) { containerLog.trace("Perform a nested group search with base "+ roleBase + diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index 8302e47..cf47369 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -52,7 +52,7 @@ public class TestJNDIRealmIntegration { private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") +@Parameterized.Parameters(name = "{index}: user[{4}], pwd[{5}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { @@ -71,6 +71,8 @@ public class TestJNDIRealmIntegration { "t;", "test", new String[] {"TestGroup"} }); parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, "t*", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +"t=", "test", new String[] {"TestGroup*3"} }); } @@ -102,6 +104,7 @@ public class TestJNDIRealmIntegration { realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); realm.setRoleSearch(realmConfigRoleSearch); +realm.setRoleNested(true); GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, credentials); @@ -178,6 +181,17 @@ public class TestJNDIRealmIntegration { result = conn.processOperation(addUserTestAsterisk); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); +AddRequest addUserTestEquals = new AddRequest( +"dn: cn=t\\=,ou=people,dc=example,dc=com", +"objectClass: top", +"objectClass: person", +"objectClass: organizationalPerson", +"cn: t=", +"sn: Tequals", +"userPassword: test"); +result = conn.processOperation(addUserTestEquals); +Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); + AddRequest addGroupTest = new AddRequest( "dn: cn=TestGroup,ou=people,dc=example,dc=com", "objectClass: top", 
@@ -188,6 +202,24 @@ public class TestJNDIRealmIntegration { "member: cn=t\\*,ou=people,dc=example,dc=com"); result = conn.processOperation(addGroupTest); Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode()); + +AddRequest addGroupTest2 = new AddRequest( +"dn: cn=Test\\Group*3,ou=people,dc=example,dc=com", +"objectClass: top", +"objectClass: groupOfNames", +"cn: Test>Group*3", +"member: cn=Test\\
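Review bot: In the nested group loop of JNDIRealm.java (@@ -1961,8 +1961,13 @@), doFilterEscaping(doAttributeValueEscaping(group.getValue())) is written out twice, once for each of the {1} and {2} arguments. Compute it once into a local before the format() call so the two slots cannot drift apart in a later edit. The new comment says the group key is already value escaped; it should also say where that guarantee comes from, because passing the key through doFilterEscaping alone is only correct while it holds.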
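Review bot: In the test method hunk (@@ -102,6 +104,7 @@), realm.setRoleNested(true) is set unconditionally, so every parameter set now runs with nested role search enabled and no configuration with nesting left off is tested any more. Make roleNested a test parameter, or run the existing user sets with both settings, so the escaping fixes from the earlier commits stay covered in both configurations.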
[tomcat] branch master updated (1db93d3 -> b201511)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git.

    from 1db93d3 Update version number
     new fa4d19c Start to expand JNDIRealm unit tests
     new f4d9bde Add attribute value escaping to support user names containing ';'
     new 4e61e1d Rename for clarity
     new d5303a5 Expand tests and fix escaping issue when searching for users by filter
     new b930d0b Expand tests and fix an issue in escaping for group search
     new 17208c6 Expand tests and fix escaping issue in userRoleAttribute filter
     new bd4d1fb Expanded tests to cover nested roles and fix escaping issues in search
     new 81f16b0 Expand testing to cover substitution in roleBase. Fix bugs.
     new eeb7351 Expand tests to cover escaping of substituted roleBase values
     new b201511 Update changelog

The 10 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 build.properties.default | 9 +
 build.xml | 9 +
 java/org/apache/catalina/realm/JNDIRealm.java | 141 ++-
 .../realm/TestJNDIRealmAttributeValueEscape.java | 86 +++
 .../catalina/realm/TestJNDIRealmIntegration.java | 263 +
 webapps/docs/changelog.xml | 12 +
 6 files changed, 510 insertions(+), 10 deletions(-)
 create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmAttributeValueEscape.java
 create mode 100644 test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
[tomcat] 04/10: Expand tests and fix escaping issue when searching for users by filter
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d5303a506c7533803d2b3bc46e6120ce673a6667 Author: Mark Thomas AuthorDate: Tue Apr 13 11:43:51 2021 +0100 Expand tests and fix escaping issue when searching for users by filter --- java/org/apache/catalina/realm/JNDIRealm.java | 6 ++- .../catalina/realm/TestJNDIRealmIntegration.java | 52 +- 2 files changed, 47 insertions(+), 11 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index c16c7b7..ec36187 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1585,7 +1585,9 @@ public class JNDIRealm extends RealmBase { } // Form the search filter -String filter = connection.userSearchFormat.format(new String[] { username }); +// Escape in case username contains a character with special meaning in +// a search filter. +String filter = connection.userSearchFormat.format(new String[] { doFilterEscaping(username) }); // Set up the search controls SearchControls constraints = new SearchControls(); @@ -1753,6 +1755,8 @@ public class JNDIRealm extends RealmBase { return false; } +// This is returned from the directory so will be attribute value +// escaped if required String dn = user.getDN(); if (dn == null) { return false; diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index ca45053..ef0cc35 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -43,24 +43,42 @@ import com.unboundid.ldap.sdk.ResultCode; @RunWith(Parameterized.class) public class TestJNDIRealmIntegration { +private static final String USER_PATTERN = "cn={0},ou=people,dc=example,dc=com"; +private static final String USER_SEARCH = "cn={0}"; +private static final String USER_BASE = "ou=people,dc=example,dc=com"; + private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]") +@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); +addUsers(USER_PATTERN, null, null, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, parameterSets); +return parameterSets; +} -parameterSets.add(new Object[] { "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { "t;", "test", new String[] {"TestGroup"} }); -return parameterSets; +private static void addUsers(String userPattern, String userSearch, String userBase, List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"test", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"t;", "test", new String[] {"TestGroup"} }); +parameterSets.add(new Object[] { userPattern, userSearch, userBase, +"t*", "test", new String[] {"TestGroup"} }); } @Parameter(0) -public String username; +public String realmConfigUserPattern; @Parameter(1) -public String credentials; +public String realmConfigUserSearch; @Parameter(2) +public String realmConfigUserBase; +@Parameter(3) +public String username; +@Parameter(4) +public String credentials; +@Parameter(5) public String[] groups; @Test 
@@ -69,7 +87,9 @@ public class TestJNDIRealmIntegration { realm.containerLog = LogFactory.getLog(TestJNDIRealmIntegration.class); realm.setConnectionURL("ldap://localhost:; + ldapServer.getListenPort()); -realm.setUserPattern("cn={0},ou=people,dc=example,dc=com"); +realm.setUserPattern(realmConfigUserPattern); +realm.setUserSearch(realmConfigUserSearch); +realm.setUserBase(realmConfigUserBase); realm.setRoleName("cn"); realm.setRoleBase("ou=people,dc=example,dc=com"); realm.setRoleSearch("member={0}"); @@ -131,19 +151,31 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: test", -"sn: Test", +"cn: t\\;", +"sn: Tsemicolon", "userPassword: test"); result = conn.processOperation(addUserTestSemicolon); Assert.assertEquals(ResultCode.SUCCESS,
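Review bot: In addUsers() (@@ -43,24 +43,42 @@), the only user name that exercises the new doFilterEscaping(username) call with a filter metacharacter is "t*"; parentheses and backslash also have special meaning in a search filter and are not covered. Add parameter sets on the USER_SEARCH path for user names containing (, ) and \, with matching directory entries, so a regression in the filter escaping is caught for each special character and not only for the wildcard.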
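Review bot: In the directory setup hunk (@@ -131,19 +151,31 @@), the semicolon user's attribute is written as "cn: t\\;", but backslash escaping belongs to the string form of a DN, while an attribute value line takes the raw value, so this stores a cn containing a literal backslash. Use "cn: t;" and keep the escape only in the dn: line. Commit 06/10 in this series makes that correction and adds the comment "Only the DNs need attribute value escaping".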
[tomcat] 06/10: Expand tests and fix escaping issue in userRoleAttribute filter
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 17208c645d68d2af1444ee8c64f36a9b8f0ba76f Author: Mark Thomas AuthorDate: Tue Apr 13 12:20:06 2021 +0100 Expand tests and fix escaping issue in userRoleAttribute filter --- java/org/apache/catalina/realm/JNDIRealm.java| 6 -- test/org/apache/catalina/realm/TestJNDIRealmIntegration.java | 8 +--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index cdb9f9e..59a56d8 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1883,11 +1883,13 @@ public class JNDIRealm extends RealmBase { return list; } -// Set up parameters for an appropriate search +// Set up parameters for an appropriate search filter +// The dn is already attribute value escaped but the others are not +// This is a filter so all input will require filter escaping String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), doFilterEscaping(doAttributeValueEscaping(username)), -userRoleId }); +doFilterEscaping(doAttributeValueEscaping(userRoleId)) }); SearchControls controls = new SearchControls(); if (roleSubtree) { controls.setSearchScope(SearchControls.SUBTREE_SCOPE); diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index 3d9969e..8302e47 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -48,13 +48,14 @@ public class TestJNDIRealmIntegration { private static final String USER_BASE = "ou=people,dc=example,dc=com"; private static final String ROLE_SEARCH_A = "member={0}"; private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; +private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); -for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) { +for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); } @@ -128,6 +129,7 @@ public class TestJNDIRealmIntegration { try (LDAPConnection conn = ldapServer.getConnection()) { +// Note: Only the DNs need attribute value escaping AddRequest addBase = new AddRequest( "dn: dc=example,dc=com", "objectClass: top", @@ -159,7 +161,7 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: t\\;", +"cn: t;", "sn: Tsemicolon", "userPassword: test"); result = conn.processOperation(addUserTestSemicolon); @@ -170,7 +172,7 @@ public class TestJNDIRealmIntegration { "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", -"cn: t\\*", +"cn: t*", "sn: Tasterisk", "userPassword: test"); result = conn.processOperation(addUserTestAsterisk);
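Review bot: In the role filter construction in JNDIRealm.java (@@ -1883,11 +1883,13 @@), username and userRoleId both get attribute value escaping followed by filter escaping regardless of how roleSearch uses {1} and {2}, while the test patterns ROLE_SEARCH_B and ROLE_SEARCH_C only place them inside a DN-valued member assertion. Add a test where {1} or {2} is compared directly against a non-DN attribute, with a value such as "t;", to confirm the combined escaping still matches there, and extend the new comment to say why attribute value escaping is applied before filter escaping.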
[tomcat] 08/10: Expand testing to cover substitution in roleBase. Fix bugs.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 81f16b0a7186ed02efbfac336589d6cff28d1e89 Author: Mark Thomas AuthorDate: Tue Apr 13 14:47:07 2021 +0100 Expand testing to cover substitution in roleBase. Fix bugs. The code incorrectly referred to the original roleBase rather than the local version that includes the substituted value(s). --- java/org/apache/catalina/realm/JNDIRealm.java | 4 +- .../catalina/realm/TestJNDIRealmIntegration.java | 56 +- 2 files changed, 46 insertions(+), 14 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 4f61ad6..43e9ca8 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1927,7 +1927,7 @@ public class JNDIRealm extends RealmBase { if (attrs == null) { continue; } -String dname = getDistinguishedName(connection.context, roleBase, result); +String dname = getDistinguishedName(connection.context, base, result); String name = getAttributeValue(roleName, attrs); if (name != null && dname != null) { groupMap.put(dname, name); @@ -1974,7 +1974,7 @@ public class JNDIRealm extends RealmBase { " and filter " + filter); } -results = searchAsUser(connection.context, user, roleBase, filter, controls, isRoleSearchAsUser()); +results = searchAsUser(connection.context, user, base, filter, controls, isRoleSearchAsUser()); try { while (results.hasMore()) { diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java index cf47369..d019fc0 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java +++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
@@ -49,29 +49,32 @@ public class TestJNDIRealmIntegration { private static final String ROLE_SEARCH_A = "member={0}"; private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com"; private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com"; +private static final String ROLE_BASE = "ou=people,dc=example,dc=com"; private static InMemoryDirectoryServer ldapServer; -@Parameterized.Parameters(name = "{index}: user[{4}], pwd[{5}]") +@Parameterized.Parameters(name = "{index}: user[{5}], pwd[{6}]") public static Collection parameters() { List parameterSets = new ArrayList<>(); for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) { -addUsers(USER_PATTERN, null, null, roleSearch, parameterSets); -addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets); +addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, parameterSets); +addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, parameterSets); } +parameterSets.add(new Object[] { "cn={0},ou=sub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A, +"{3},ou=people,dc=example,dc=com", "testsub", "test", new String[] {"TestGroup4"} }); return parameterSets; } private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch, -List parameterSets) { -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +String roleBase, List parameterSets) { +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "test", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "t;", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, 
"t*", "test", new String[] {"TestGroup"} }); -parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, +parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch, roleBase, "t=", "test", new String[] {"TestGroup*3"} }); } @@ -85,10 +88,12 @@ public class TestJNDIRealmIntegration { @Parameter(3) public String realmConfigRoleSearch; @Parameter(4) -public String username; +public String