diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index ec36187bbf48..cdb9f9e387c4 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1847,7 +1847,11 @@ protected List getRoles(JNDIConnection connection, User user) throws Nam
             return null;
         }
 
+        // This is returned from the directory so will be attribute value
+        // escaped if required
         String dn = user.getDN();
+        // This is the name the user provided to the authentication process so
+        // it will not be escaped
         String username = user.getUserName();
         String userRoleId = user.getUserRoleId();
 
@@ -1880,7 +1884,10 @@ protected List getRoles(JNDIConnection connection, User user) throws Nam
         }
 
         // Set up parameters for an appropriate search
-        String filter = connection.roleFormat.format(new String[] { doFilterEscaping(dn), username, userRoleId });
+        String filter = connection.roleFormat.format(new String[] {
+                doFilterEscaping(dn),
+                doFilterEscaping(doAttributeValueEscaping(username)),
+                userRoleId });
         SearchControls controls = new SearchControls();
         if (roleSubtree) {
             controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
index ef0cc35b74c7..3d9969e17480 100644
--- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
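Review bot: The new `doFilterEscaping(doAttributeValueEscaping(username))` for `{1}` in the second hunk assumes the role search filter embeds the username inside a DN-valued attribute (the `member=cn={1},ou=...` shape the accompanying test exercises); a roleSearch that compares `{1}` against a plain string attribute, such as `memberUid={1}` for posixGroup entries, would presumably receive the DN-escaped form and could fail to match usernames containing characters that doAttributeValueEscaping rewrites. If that trade-off is intended, record it next to the format call, e.g. `// {1} is DN-escaped then filter-escaped: meant for roleSearch patterns that embed it in a DN (member=cn={1},...); a plain attribute match like memberUid={1} sees the DN-escaped value`, and consider adding a test row with such a pattern. Note also that `userRoleId` (`{2}`) is still placed in the filter without doFilterEscaping; if that attribute value can contain filter metacharacters it deserves the same treatment as `{0}`. getRoles starts and ends outside the hunk.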
@@ -46,24 +46,29 @@ public class TestJNDIRealmIntegration {
     private static final String USER_PATTERN = "cn={0},ou=people,dc=example,dc=com";
     private static final String USER_SEARCH = "cn={0}";
     private static final String USER_BASE = "ou=people,dc=example,dc=com";
+    private static final String ROLE_SEARCH_A = "member={0}";
+    private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com";
 
     private static InMemoryDirectoryServer ldapServer;
 
     @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]")
     public static Collection parameters() {
         List parameterSets = new ArrayList<>();
-        addUsers(USER_PATTERN, null, null, parameterSets);
-        addUsers(null, USER_SEARCH, USER_BASE, parameterSets);
+        for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) {
+            addUsers(USER_PATTERN, null, null, roleSearch, parameterSets);
+            addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets);
+        }
         return parameterSets;
     }
 
-    private static void addUsers(String userPattern, String userSearch, String userBase, List parameterSets) {
-        parameterSets.add(new Object[] { userPattern, userSearch, userBase,
+    private static void addUsers(String userPattern, String userSearch, String userBase, String roleSearch,
+            List parameterSets) {
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch,
                 "test", "test", new String[] {"TestGroup"} });
-        parameterSets.add(new Object[] { userPattern, userSearch, userBase,
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch,
                 "t;", "test", new String[] {"TestGroup"} });
-        parameterSets.add(new Object[] { userPattern, userSearch, userBase,
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, roleSearch,
                 "t*", "test", new String[] {"TestGroup"} });
     }
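Review bot: The `@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]")` template on the context line above `parameters()` still indexes the old parameter layout; with `roleSearch` inserted at index 3 of every `Object[]` built by `addUsers`, index 3 is now the role search filter and index 4 the username, so generated test names will print the filter as the user and the username as the password. Change it to `@Parameterized.Parameters(name = "{index}: roleSearch[{3}], user[{4}], pwd[{5}]")` so a failure in the new ROLE_SEARCH_A/ROLE_SEARCH_B matrix is attributable from its name alone. The class header and the remaining fields of TestJNDIRealmIntegration lie outside the hunk.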
@@ -75,10 +80,12 @@ private static void addUsers(String userPattern, String userSearch, String userB
     @Parameter(2)
     public String realmConfigUserBase;
     @Parameter(3)
-    public String username;
+    public String realmConfigRoleSearch;
     @Parameter(4)
-    public String credentials;
+    public String username;
     @Parameter(5)
+    public String credentials;
+    @Parameter(6)
     public String[] groups;
 
     @Test
@@ -90,9 +97,10 @@ public void testAuthenication() throws Exception {
         realm.setUserPattern(realmConfigUserPattern);
         realm.setUserSearch(realmConfigUserSearch);
         realm.setUserBase(realmConfigUserBase);
+        realm.setUserRoleAttribute("cn");
         realm.setRoleName("cn");
         realm.setRoleBase("ou=people,dc=example,dc=com");
-        realm.setRoleSearch("member={0}");
+        realm.setRoleSearch(realmConfigRoleSearch);
 
         GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, credentials);