Bug 26487 - JNDIRealm not working - using incorrect filter
Summary: JNDIRealm not working - using incorrect filter
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina:Modules
Version: 5.0.18
Hardware: PC All
Importance: P3 blocker
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Duplicates: 26834 26888
Depends on:
Blocks:
 
Reported: 2004-01-28 10:02 UTC by Jimmi Dyson
Modified: 2004-11-16 19:05 UTC

Attachments
Simple fix in JNDIRealm for this problem against 5.x source (823 bytes, patch)
2004-02-05 23:54 UTC, Jeff Tulley
Description Jimmi Dyson 2004-01-28 10:02:51 UTC
When using the JNDIRealm, no role checking succeeds. Looking at the debug, this 
is due to an incorrect search filter being created, prepending and appending 
invalid characters (\28 and \29) to the filter. The server.xml works fine on 
previous versions. This occurs on both Windows and Linux. Log output:

2004-01-27 14:48:02 JNDIRealm[Catalina]: Username tomcat successfully 
authenticated
2004-01-27 14:48:02 JNDIRealm[Catalina]:   getRoles(uid=tomcat,dc=test,dc=com)
2004-01-27 14:48:02 JNDIRealm[Catalina]:   Searching role base 'dc=test,dc=com' 
for attribute 'cn'
2004-01-27 14:48:02 JNDIRealm[Catalina]:   With filter expression 
'\28uniqueMember=uid=tomcat,dc=test,dc=com\29'
Comment 1 Jeff Tulley 2004-01-30 16:48:39 UTC
I'll look at this and see if it has to do with my recent patch for an encoding 
issue.  Could you please post your realm tag from server.xml, exactly as it 
appears?
Comment 2 Jimmi Dyson 2004-01-31 11:22:01 UTC
Here's my server.xml:

<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" />

    <!-- This is here for compatibility only, not required -->
    <Connector port="8009" protocol="AJP/1.3" />

    <Engine name="Catalina" defaultHost="localhost">
      <Logger className="org.apache.catalina.logger.FileLogger" />

      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://lldapv.ldn.bzwint.com:389"
             debug="99"
             roleBase="ou=intranet,dc=barcapint,dc=com"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
             roleSubtree="true"
             userBase="ou=intranet,dc=barcapint,dc=com"
             userSearch="uid={0}"
             userSubtree="true"
      />

      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
Comment 3 Jeff Tulley 2004-02-05 23:52:27 UTC
Ahh, I see the problem.  I did the RFC 2254 encoding on the whole search string 
we were using, whereas it should only be done on the DN that the user enters, 
so you would go from a DN of "some(Strange)Username" to a role search string 
of (uniqueMember=some\28Strange\29Username), not 
\28uniqueMember=some\28Strange\29Username\29.
I'll post the simple patch to make the encoding more focused.
Comment 4 Jeff Tulley 2004-02-05 23:54:35 UTC
Created attachment 10244 [details]
Simple fix in JNDIRealm for this problem against 5.x source
Comment 5 Jeff Tulley 2004-02-06 00:08:12 UTC
If somebody could commit this to Tomcat 5, and back port it (very very simple 
in this case since the JNDIRealm code is nearly identical in the two branches) 
to Tomcat 4, I would be much obliged.  Thanks.
Comment 6 Tim Funk 2004-02-06 01:51:21 UTC
Patch applied to tomcat 4.1 and tomcat 5. Thanks Jeff!
Comment 7 Remy Maucherat 2004-02-10 17:59:15 UTC
*** Bug 26834 has been marked as a duplicate of this bug. ***
Comment 8 Remy Maucherat 2004-02-12 13:30:37 UTC
*** Bug 26888 has been marked as a duplicate of this bug. ***
Comment 9 Remy Maucherat 2004-04-28 11:21:56 UTC
*** Bug 26834 has been marked as a duplicate of this bug. ***