Problem: JNDIRealm fails with javax.naming.InvalidNameException: Invalid name: "uid=TestUser,ou=Test/QA,o=Development" or any other DN with a slash character.
Background and cause: A slash character is a perfectly valid character in LDAP object names or class LdapName. It doesn't even have to be escaped, in contrast to '+' or '\' for example. The problem is caused only in Java and Tomcat because of JNDI. In JNDI, directory names are of class CompositeName with separator '/' and LDAP directory names are of class LdapName with separator ','. The JNDIRealm uses only InitialDirContext instead of InitialLdapContext and it uses only Name instead of LdapName. But ctx.getNameParser("") returns an LdapNameParser and parser.parse() returns LdapNames. So LdapNames and CompositeNames become mangled.

Original Code from JNDIRealm in getUserBySearch():

    // Get the entry's distinguished name
    NameParser parser = context.getNameParser("");
    Name contextName = parser.parse(context.getNameInNamespace());
    Name baseName = parser.parse(userBase);
    Name entryName = parser.parse(result.getName()); // BUG: InvalidNameException thrown if slash is parsed
    Name name = contextName.addAll(baseName);
    name = name.addAll(entryName);
    String dn = name.toString();

My quick (and ugly) fix:

    // Get the entry's distinguished name
    NameParser parser = ctx.getNameParser("");
    Name contextName = parser.parse(ctx.getNameInNamespace());
    Name baseName = parser.parse(searchbase);
    String rdn = sr.getName();
    // delete surrounding double quotes if any
    int rdnEnd = rdn.length() - 1;
    if (rdnEnd > 0) {
        if (rdn.charAt(0) == '"' && rdn.charAt(rdnEnd) == '"') {
            rdn = rdn.substring(1, rdnEnd);
        }
    }
    Name entryName = parser.parse(rdn);
    Name name = contextName.addAll(baseName);
    name = name.addAll(entryName);
    String dn = name.toString();

Explanation: If there is one or more slash characters in the getName() string, then the whole string is embedded in double quotes. I simply delete them and everything works.
Alternative: If I use

    rdn = (String) LdapName.unescapeAttributeValue(rdn);

instead, it doesn't work, because the escape character '\' in front of ',' or '+' is deleted too, which causes other exceptions.

I didn't dare to introduce any of the javax.naming.ldap.* classes, which might provide for more elegant solutions, but tried to solve it with the javax.naming.directory.* classes. With Java 5 it definitely gets more elegant because then we don't have only LdapName and String but also RDNs, which are relative distinguished names. They are the equivalent to components of CompositeNames and don't fiddle with slashes.

Frerk Meyer

EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:[EMAIL PROTECTED]
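An added example, not the author's fix and not Tomcat's code: with the javax.naming.ldap classes of Java 5 and later, the string from getName() can be parsed as a CompositeName first, which undoes the quoting described above, and only then handled as an LdapName. The names SlashDnExample and fullDn and all sample values are assumptions made for this illustration.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class SlashDnExample {

    // Builds the full DN from a base DN and the string that
    // SearchResult.getName() returns, which is a composite name ('/' separator).
    static String fullDn(String baseDn, String resultName) throws InvalidNameException {
        CompositeName composite = new CompositeName(resultName);
        LdapName dn = new LdapName(baseDn);
        if (composite.size() == 0) {
            return dn.toString(); // empty relative name: the entry is the base itself
        }
        // get(0) is the first composite component with composite-name quoting
        // removed; LDAP escaping such as "\," is left untouched.
        LdapName relative = new LdapName(composite.get(0));
        // LdapName indexes RDNs right to left, so appending the entry's RDNs
        // places them to the left of the base in the string form.
        dn.addAll(relative.getRdns());
        return dn.toString();
    }

    // True if the string can be parsed directly as an LDAP name.
    static boolean parsesAsLdapName(String s) {
        try {
            new LdapName(s);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        String base = "o=Development";               // constructed sample base DN
        String[] names = {                           // constructed getName() values
            "\"uid=TestUser,ou=Test/QA\"",           // quoted because of the slash
            "uid=TestUser,ou=QA",                    // no slash, no quotes
            "\"cn=Smith\\, John,ou=Test/QA\"",       // escaped comma plus a slash
            ""                                       // search hit on the base entry
        };
        for (String n : names) {
            System.out.println("getName():        " + n);
            System.out.println("  parses as-is:   " + parsesAsLdapName(n));
            System.out.println("  full DN:        " + fullDn(base, n));
        }
    }
}
```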