From f66716a41e5773d7c39957bade91177804edf9c1 Mon Sep 17 00:00:00 2001 From: "srinivas.krishnan@oracle.com" Date: Wed, 15 Mar 2017 06:18:25 +0000 Subject: [PATCH 1/2] ODCS: (IDCINTER-72) Forward port bug 23745407 git-svn-id: https://svn.java.net/svn/glassfish~svn/trunk/main@64795 6f3ba3e3-413c-0410-a8aa-90bee3ab43b5 --- .../security/auth/realm/ldap/LDAPRealm.java | 79 ++++++++++++------- 1 file changed, 50 insertions(+), 29 deletions(-) diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java index 6488f6ac5d6..9d7821ed95f 100644 --- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java +++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java @@ -65,6 +65,9 @@ import com.sun.enterprise.security.auth.realm.IASRealm; import java.lang.StringBuffer; import java.util.regex.Matcher; +import javax.naming.directory.Attributes; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; import org.glassfish.internal.api.RelativePathResolver; import org.jvnet.hk2.annotations.Service; import sun.security.x509.X500Name; @@ -128,6 +131,8 @@ public final class LDAPRealm extends IASRealm public static final String PARAM_GRPDN="group-base-dn"; public static final String PARAM_GRP_SEARCH_FILTER="group-search-filter"; public static final String PARAM_GRP_TARGET="group-target"; + public static final String PARAM_DYNAMIC_GRP_FILTER="dynamic-group-search-filter"; + public static final String PARAM_DYNAMIC_GRP_TARGET="dynamic-group-target"; public static final String PARAM_MODE="mode"; public static final String PARAM_JNDICF="jndiCtxFactory"; public static final String PARAM_POOLSIZE="pool-size"; 
@@ -149,6 +154,7 @@ public final class LDAPRealm extends IASRealm private static final String GRP_SEARCH_FILTER_DEFAULT= "uniquemember="+SUBST_SUBJECT_DN; private static final String GRP_TARGET_DEFAULT="cn"; + private static final String DYNAMIC_GRP_TARGET_DEFAULT="ismemberof";//"memberOf"; private static final String MODE_DEFAULT=MODE_FIND_BIND; private static final String JNDICF_DEFAULT= "com.sun.jndi.ldap.LdapCtxFactory"; @@ -234,10 +240,18 @@ public synchronized void init(Properties props) PARAM_GRP_SEARCH_FILTER, GRP_SEARCH_FILTER_DEFAULT); this.setProperty(PARAM_GRP_SEARCH_FILTER, grpSearchFilter); + String dynGrpSearchFilter = props.getProperty( + PARAM_DYNAMIC_GRP_FILTER, SEARCH_FILTER_DEFAULT); + this.setProperty(PARAM_DYNAMIC_GRP_FILTER, dynGrpSearchFilter); + String grpTarget = props.getProperty( PARAM_GRP_TARGET, GRP_TARGET_DEFAULT); this.setProperty(PARAM_GRP_TARGET, grpTarget); + String dynGrpTarget = props.getProperty( + PARAM_DYNAMIC_GRP_TARGET, DYNAMIC_GRP_TARGET_DEFAULT); + this.setProperty(PARAM_DYNAMIC_GRP_TARGET, dynGrpTarget); + String objectFactory = props.getProperty( DYNAMIC_GROUP_FACTORY_OBJECT_PROPERTY, DYNAMIC_GROUP_OBJECT_FACTORY); this.setProperty(DYNAMIC_GROUP_FACTORY_OBJECT_PROPERTY, objectFactory); @@ -363,6 +377,9 @@ private List getGroups(String userDN) { //no authentication has happened through the realm. DirContext ctx = null; String srcFilter = null; + + String dynFilter = null; + String dynMember = getProperty(PARAM_DYNAMIC_GRP_TARGET); try { ctx = new InitialDirContext(getLdapBindProps()); 
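Review bot: The new default `private static final String DYNAMIC_GRP_TARGET_DEFAULT="ismemberof";//"memberOf";` leaves a commented-out alternative value dangling on the declaration, which reads as an unfinished decision rather than as documentation. The attribute that carries a user's group list is directory-specific, so state that as a comment instead of a stray literal: `// attribute on the user entry that lists its groups; "ismemberof" presumably matches Oracle/Sun DS, other directories (e.g. AD/OpenLDAP "memberOf") set dynamic-group-target explicitly`. Hedge the directory names against what the realm was actually tested with, since nothing in this change shows them.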
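Review bot: `dynamic-group-search-filter` falls back to `SEARCH_FILTER_DEFAULT`, which by its name is the user search filter default, yet the later hunks run that filter against `group-base-dn` (`dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), dynMember, dynFilter, ...)`). With the defaults the dynamic lookup therefore searches the group subtree for the user's own entry in order to read its membership attribute, which presumably returns nothing unless users live under the group base; the user base (`PARAM_USERDN`) or the already-resolved user DN looks like the intended scope. If searching the group base is deliberate, say so in a comment; otherwise default the new property to empty and have the callers skip the dynamic search when it is unset, so a misconfiguration is visible rather than silently dropping group membership. Either way the two new properties deserve a line each next to their constants, e.g. `// dynamic-group-search-filter: filter (with %s/%d substitution) locating the entry whose dynamic-group-target attribute lists the user's groups`.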
@@ -385,16 +402,20 @@ private List getGroups(String userDN) { } StringBuffer sb = new StringBuffer(getProperty(PARAM_GRP_SEARCH_FILTER)); + StringBuffer dynSb = new StringBuffer(getProperty(PARAM_DYNAMIC_GRP_FILTER)); substitute(sb, SUBST_SUBJECT_NAME, _username); substitute(sb, SUBST_SUBJECT_DN, userDN); + substitute(dynSb, SUBST_SUBJECT_NAME, _username); + substitute(dynSb, SUBST_SUBJECT_DN, userDN); srcFilter = sb.toString(); + dynFilter = dynSb.toString(); List groupsList = new ArrayList(); groupsList.addAll(groupSearch(ctx, getProperty(PARAM_GRPDN), srcFilter, getProperty(PARAM_GRP_TARGET))); // search filter is constructed internally as // as a groupofURLS - groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), getProperty(PARAM_GRP_TARGET), - userDN)); + groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), dynMember, + dynFilter, getProperty(PARAM_GRP_TARGET))); return groupsList; } catch (Exception e) { _logger.log(Level.WARNING, "ldaprealm.groupsearcherror",e); @@ -489,6 +510,9 @@ public String[] findAndBind(String _username, char[] _password) DirContext ctx = null; String srcFilter = null; String[] grpList = null; + + String dynFilter = null; + String dynMember = getProperty(PARAM_DYNAMIC_GRP_TARGET); try { ctx = new InitialDirContext(getLdapBindProps()); String realUserDN = userSearch(ctx, getProperty(PARAM_USERDN), userid); 
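Review bot: The comment `// search filter is constructed internally as a groupofURLS` kept directly above the rewritten `dynamicGroupSearch(...)` call is now wrong: the call passes the configured `dynFilter` and the `dynMember` attribute name, so nothing here builds a groupOfURLs filter or evaluates memberUrl any more. Replace it with `// dynamic groups: run dynamic-group-search-filter and read the configured membership attribute (dynamic-group-target)` so the next reader does not go looking for GroupOfURLs handling that the commit removed. getGroups continues outside the hunk.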
@@ -505,16 +529,21 @@ public String[] findAndBind(String _username, char[] _password) // search groups using above connection, substituting %d (and %s) sb = new StringBuffer(getProperty(PARAM_GRP_SEARCH_FILTER)); + StringBuffer dynSb = new StringBuffer(getProperty(PARAM_DYNAMIC_GRP_FILTER)); + substitute(sb, SUBST_SUBJECT_NAME, _username); substitute(sb, SUBST_SUBJECT_DN, realUserDN); + substitute(dynSb, SUBST_SUBJECT_NAME, _username); + substitute(dynSb, SUBST_SUBJECT_DN, realUserDN); srcFilter = sb.toString(); + dynFilter = dynSb.toString(); ArrayList groupsList = new ArrayList(); groupsList.addAll(groupSearch(ctx, getProperty(PARAM_GRPDN), srcFilter, getProperty(PARAM_GRP_TARGET))); // search filter is constructed internally as // as a groupofURLS - groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), getProperty(PARAM_GRP_TARGET), - realUserDN)); + groupsList.addAll(dynamicGroupSearch(ctx, getProperty(PARAM_GRPDN), dynMember, + dynFilter, getProperty(PARAM_GRP_TARGET))); grpList = new String[groupsList.size()]; groupsList.toArray(grpList); } catch (Exception e) { 
@@ -647,45 +676,37 @@ private boolean bindAsUser(String bindDN, char[] password) * */ private List dynamicGroupSearch(DirContext ctx, String baseDN, - String target, String userDN) + String memberOfAttr, String filter, String target) throws NamingException { List groupList = new ArrayList(); - String filter = DYNAMIC_GROUP_FILTER; - String[] targets = new String[] { target, "memberUrl" }; - + String[] targets = new String[] { memberOfAttr }; + try { SearchControls ctls = new SearchControls(); ctls.setReturningAttributes(targets); ctls.setSearchScope(SearchControls.SUBTREE_SCOPE); - ctls.setReturningObjFlag(true); + //Set this to false to avoid objects and hence exposing ldap object + //injection. + ctls.setReturningObjFlag(false); NamingEnumeration e = ctx.search(baseDN, filter, ctls); while(e.hasMore()) { SearchResult res = (SearchResult)e.next(); - Object searchedObject = res.getObject(); - - - if (searchedObject instanceof GroupOfURLs){ // dynamic group - - GroupOfURLs gurls = (GroupOfURLs) searchedObject; - Principal x500principal = new X500Principal(userDN); - if (gurls.isMember(x500principal)) { - - Attribute grpAttr = res.getAttributes().get(target); - int sz = grpAttr.size(); - for (int i=0; i Date: Tue, 28 Mar 2017 09:23:31 +0000 Subject: [PATCH 2/2] Missed copyright header year change. IDCINTER-71,72,73 git-svn-id: https://svn.java.net/svn/glassfish~svn/trunk/main@64880 6f3ba3e3-413c-0410-a8aa-90bee3ab43b5 --- .../common/src/main/resources/security/securityAttrs.inc | 2 +- nucleus/admin/template/src/main/resources/config/server.policy | 2 +- .../com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java | 2 +- nucleus/security/core/src/main/resources/config/server.policy | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/appserver/admingui/common/src/main/resources/security/securityAttrs.inc b/appserver/admingui/common/src/main/resources/security/securityAttrs.inc index f2986b21030..735182ec4c4 100644 
--- a/appserver/admingui/common/src/main/resources/security/securityAttrs.inc +++ b/appserver/admingui/common/src/main/resources/security/securityAttrs.inc @@ -2,7 +2,7 @@ DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved. + Copyright (c) 1997-2017 Oracle and/or its affiliates. All rights reserved. The contents of this file are subject to the terms of either the GNU General Public License Version 2 only ("GPL") or the Common Development diff --git a/nucleus/admin/template/src/main/resources/config/server.policy b/nucleus/admin/template/src/main/resources/config/server.policy index ef082267520..2279fd64dfc 100644 --- a/nucleus/admin/template/src/main/resources/config/server.policy +++ b/nucleus/admin/template/src/main/resources/config/server.policy @@ -1,7 +1,7 @@ /* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * - * Copyright (c) 2013-2014 Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013-2017 Oracle and/or its affiliates. All rights reserved. * * The contents of this file are subject to the terms of either the GNU * General Public License Version 2 only ("GPL") or the Common Development diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java index 9d7821ed95f..7fe6ecdfd78 100644 --- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java +++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/LDAPRealm.java 
@@ -1,7 +1,7 @@ /* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * - * Copyright (c) 1997-2014 Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997-2017 Oracle and/or its affiliates. All rights reserved. * * The contents of this file are subject to the terms of either the GNU * General Public License Version 2 only ("GPL") or the Common Development diff --git a/nucleus/security/core/src/main/resources/config/server.policy b/nucleus/security/core/src/main/resources/config/server.policy index ed0f28635ae..742829df035 100644 --- a/nucleus/security/core/src/main/resources/config/server.policy +++ b/nucleus/security/core/src/main/resources/config/server.policy @@ -1,7 +1,7 @@ /* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * - * Copyright (c) 2004-2014 Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004-2017 Oracle and/or its affiliates. All rights reserved. * * The contents of this file are subject to the terms of either the GNU * General Public License Version 2 only ("GPL") or the Common Development