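  /**
   * Walks a JEE-style JNDI tree: resolves a {@link DataSource}, lists the bindings under {@code
   * java:comp/env/jdbc}, binds the DataSource back, then runs two directory searches (filter-string
   * form and attribute-matching form).
   *
   * <p>Both {@code search} overloads return a {@code NamingEnumeration<SearchResult>}; the
   * original cast that enumeration to {@link DataSource}, which compiles (interface-to-interface
   * cast) but fails with {@link ClassCastException} at runtime, so the results are iterated and
   * printed instead. Contexts and enumerations are closed in {@code finally} blocks.
   *
   * @throws NamingException if any lookup, listing, bind or search fails
   */
  void jndiInJEE() throws NamingException {
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.fscontext.RefFSContextFactory");

    InitialContext context = new InitialContext(env);
    try {
      DataSource ds = (DataSource) context.lookup("java:comp/env/jdbc/AccountDS");

      NamingEnumeration<Binding> bindings = context.listBindings("java:comp/env/jdbc");
      try {
        while (bindings.hasMore()) {
          Binding bd = bindings.next();
          System.out.println("Name = " + bd.getName() + ", Object = " + bd.getObject());
        }
      } finally {
        bindings.close();
      }

      // NOTE(review): bind() throws NameAlreadyBoundException when the name is already bound,
      // and it was just looked up above; rebind() would replace silently. Kept as written —
      // confirm which is intended.
      context.bind("java:comp/env/jdbc/AccountDS", ds);
    } finally {
      context.close();
    }

    // Directory search
    InitialDirContext dirContext = new InitialDirContext();
    try {
      SearchControls control = new SearchControls();

      // Filter-string form.
      printSearchResults(
          dirContext.search("java:comp/env/jdbc/AccountDS", "(ver=1.1)", control));

      // Or... attribute-matching form.
      BasicAttributes attrs = new BasicAttributes();
      attrs.put(new BasicAttribute("ver", "1.1"));
      printSearchResults(dirContext.search("java:comp/env/jdbc/AccountDS", attrs));
    } finally {
      dirContext.close();
    }
  }

  /**
   * Prints every element of a search result enumeration and closes it.
   *
   * @param results enumeration returned by a {@code DirContext.search} call
   * @throws NamingException if iterating the enumeration fails
   */
  private void printSearchResults(NamingEnumeration<?> results) throws NamingException {
    try {
      while (results.hasMore()) {
        System.out.println("Result = " + results.next());
      }
    } finally {
      results.close();
    }
  }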
  /**
   * Runs a fixed LDAP subtree search and echoes each matching {@code uid}/{@code street} pair to
   * the response as HTML.
   *
   * <p>The {@code vector} header is read but never reaches the query: {@code (7 * 18) + 106} is
   * 232, so the conditional always selects the constant {@code "This_should_always_happen"}. The
   * street value is supplied as filter argument {@code {0}} rather than concatenated.
   *
   * @param request the servlet request; the {@code vector} header is read
   * @param response the servlet response; written as {@code text/html}
   * @throws ServletException wrapping any {@link javax.naming.NamingException}, or any exception
   *     raised while closing the directory context
   * @throws IOException if writing the response fails
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");

    String header = request.getHeader("vector");
    String param = header == null ? "" : header;

    // Simple ? condition that assigns constant to bar on true condition
    int num = 106;
    String bar;
    if ((7 * 18) + num > 200) {
      bar = "This_should_always_happen";
    } else {
      bar = param;
    }

    org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager();
    try {
      response.setContentType("text/html");
      javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls();
      sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);

      String base = "ou=users,ou=system";
      // The '&' term is closed right after objectclass, leaving the '|' term as a second
      // top-level term; this does not form a single well-formed filter. Reproduced verbatim.
      String filter = "(&(objectclass=person))(|(uid=" + bar + ")(street={0}))";
      Object[] filterArgs = {"The streetz 4 Ms bar"};

      javax.naming.directory.InitialDirContext idc =
          (javax.naming.directory.InitialDirContext) ads.getDirContext();
      javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
          idc.search(base, filter, filterArgs, sc);

      while (results.hasMore()) {
        javax.naming.directory.Attributes found = results.next().getAttributes();
        javax.naming.directory.Attribute uid = found.get("uid");
        if (uid == null) {
          continue;
        }
        // A missing "street" attribute throws NullPointerException here, as in the original.
        javax.naming.directory.Attribute street = found.get("street");
        String html =
            "LDAP query results:<br>"
                + " Record found with name "
                + uid.get()
                + "<br>"
                + "Address: "
                + street.get()
                + "<br>";
        response.getWriter().write(html);
        System.out.println("record found " + uid.get());
      }
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    } finally {
      try {
        ads.closeDirContext();
      } catch (Exception e) {
        throw new ServletException(e);
      }
    }
  }
  /** An empty attribute set from the resolver must leave the address untouched. */
  @Test(groups = "unit")
  public void should_return_same_address_when_no_entry_found() throws Exception {
    InitialDirContext dirContext = mock(InitialDirContext.class);
    BasicAttributes noEntries = new BasicAttributes();
    when(dirContext.getAttributes(anyString(), any(String[].class))).thenReturn(noEntries);

    InetSocketAddress original = new InetSocketAddress("192.0.2.5", 9042);
    EC2MultiRegionAddressTranslater translater = new EC2MultiRegionAddressTranslater(dirContext);

    assertThat(translater.translate(original)).isEqualTo(original);
  }
  /** A failing reverse lookup must be swallowed and the original address returned. */
  @Test(groups = "unit")
  public void should_return_same_address_when_exception_encountered() throws Exception {
    InitialDirContext dirContext = mock(InitialDirContext.class);
    NamingException lookupFailure = new NamingException("Problem resolving address (not really).");
    when(dirContext.getAttributes(anyString(), any(String[].class))).thenThrow(lookupFailure);

    InetSocketAddress original = new InetSocketAddress("192.0.2.5", 9042);
    EC2MultiRegionAddressTranslater translater = new EC2MultiRegionAddressTranslater(dirContext);

    assertThat(translater.translate(original)).isEqualTo(original);
  }
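  /**
   * Looks up directory entries whose {@code uid} matches the {@code vector} request parameter
   * (after {@code doSomething}) and echoes each match's uid and street to the response as HTML.
   *
   * <p>The uid is supplied as filter argument {@code {0}} — the same four-argument {@code search}
   * overload used elsewhere in this file — instead of being concatenated into the filter string,
   * so LDAP filter metacharacters in the parameter are encoded rather than interpreted. A missing
   * {@code street} attribute now renders as empty instead of throwing {@link
   * NullPointerException}, and the result enumeration is closed.
   *
   * <p>Attribute values are written into HTML without escaping, so the response is only as safe as
   * the directory content — confirm that content is trusted.
   *
   * @param request the servlet request; the {@code vector} parameter is read
   * @param response the servlet response; written as {@code text/html}
   * @throws ServletException wrapping any {@link javax.naming.NamingException}, or any exception
   *     raised while closing the directory context
   * @throws IOException if writing the response fails
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");

    String param = request.getParameter("vector");
    if (param == null) param = "";

    String bar = doSomething(param);

    org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager();
    try {
      String base = "ou=users,ou=system";
      javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls();
      sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
      // {0} is substituted (and encoded) by JNDI; bar never becomes part of the filter syntax.
      String filter = "(&(objectclass=person)(uid={0}))";
      Object[] filterArgs = {bar};

      javax.naming.directory.InitialDirContext idc =
          (javax.naming.directory.InitialDirContext) ads.getDirContext();
      javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
          idc.search(base, filter, filterArgs, sc);
      try {
        while (results.hasMore()) {
          javax.naming.directory.Attributes attrs = results.next().getAttributes();
          javax.naming.directory.Attribute uid = attrs.get("uid");
          if (uid == null) {
            continue;
          }
          javax.naming.directory.Attribute street = attrs.get("street");
          Object address = street == null ? "" : street.get();
          response
              .getWriter()
              .write(
                  "LDAP query results:<br>"
                      + " Record found with name "
                      + uid.get()
                      + "<br>"
                      + "Address: "
                      + address
                      + "<br>");
          System.out.println("record found " + uid.get());
        }
      } finally {
        results.close();
      }
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    } finally {
      try {
        ads.closeDirContext();
      } catch (Exception e) {
        throw new ServletException(e);
      }
    }
  } // end doPost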
  /** A PTR record for the reversed address must be translated into the new host, same port. */
  @Test(groups = "unit")
  public void should_return_new_address_when_match_found() throws Exception {
    InetSocketAddress expectedAddress = new InetSocketAddress("54.32.55.66", 9042);
    InetSocketAddress original = new InetSocketAddress("192.0.2.5", 9042);

    InitialDirContext dirContext = mock(InitialDirContext.class);
    BasicAttributes ptrRecord = new BasicAttributes("PTR", expectedAddress.getHostName());
    when(dirContext.getAttributes("5.2.0.192.in-addr.arpa", new String[] {"PTR"}))
        .thenReturn(ptrRecord);

    EC2MultiRegionAddressTranslater translater = new EC2MultiRegionAddressTranslater(dirContext);
    assertThat(translater.translate(original)).isEqualTo(expectedAddress);
  }
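 /**
  * Resolves the Minecraft SRV record ({@code _minecraft._tcp.<host>}) for {@code resolve}.
  *
  * <p>SRV record data is {@code "priority weight port target"}; the result is {@code {target,
  * port}} (note the order). Falls back to {@code {resolve, "25565"}} when the lookup fails, the
  * record is absent, or the record data has fewer than four fields. The directory context is
  * closed on every path.
  *
  * @param resolve the server hostname to look up
  * @return a two-element array {@code {host, port}} with the port as a decimal string; never null
  */
 private static String[] resolveSRV(String resolve) {
   String[] fallback = {resolve, Integer.toString(25565)};
   Hashtable<String, String> env = new Hashtable<>();
   env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
   env.put("java.naming.provider.url", "dns:");
   InitialDirContext idc = null;
   try {
     idc = new InitialDirContext(env);
     Attributes att = idc.getAttributes("_minecraft._tcp." + resolve, new String[] {"SRV"});
     javax.naming.directory.Attribute srv = att.get("srv");
     if (srv == null) {
       return fallback;
     }
     String[] cts = srv.get().toString().split(" ", 4);
     if (cts.length < 4) {
       return fallback;
     }
     return new String[] {cts[3], cts[2]};
   } catch (Throwable e) {
     // Throwable is kept from the original; presumably to also cover Errors such as a missing
     // DNS provider class. Note it swallows OutOfMemoryError etc. as well — TODO confirm.
     return fallback;
   } finally {
     if (idc != null) {
       try {
         idc.close();
       } catch (NamingException ignored) {
         // the result is already determined; a close failure changes nothing
       }
     }
   }
 }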
 /**
  * Closes {@code initialDirContext}, logging (rather than propagating) a failure to close.
  *
  * @param initialDirContext the context to close; must not be null
  */
 public static void closeDirectoryContext(InitialDirContext initialDirContext) {
   try {
     initialDirContext.close();
   } catch (NamingException closeFailure) {
     LOGGER.warn("Could not close InitialDirContext correctly!", closeFailure);
   }
 }
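 /**
  * Returns a server's address and port for the specified hostname, looking up the SRV record
  * ({@code _minecraft._tcp.<hostname>}) if possible.
  *
  * <p>SRV record data has the form {@code "priority weight port target"}; the result is {@code
  * {target, port}}. If the JDK DNS provider class is unavailable, the lookup fails, or the record
  * is missing or malformed, the hostname itself and the default port 25565 are returned. The
  * directory context is closed on every path.
  *
  * @param p_78863_0_ the hostname to resolve
  * @return a two-element array {@code {host, port}} with the port as a decimal string; never null
  */
 private static String[] getServerAddress(String p_78863_0_) {
   String[] fallback = {p_78863_0_, Integer.toString(25565)};
   InitialDirContext dirContext = null;
   try {
     // Fail fast (into the fallback) when the JDK DNS provider is not on this runtime.
     Class.forName("com.sun.jndi.dns.DnsContextFactory");
     Hashtable<String, String> env = new Hashtable<>();
     env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
     env.put("java.naming.provider.url", "dns:");
     env.put("com.sun.jndi.dns.timeout.retries", "1");
     dirContext = new InitialDirContext(env);
     Attributes records =
         dirContext.getAttributes("_minecraft._tcp." + p_78863_0_, new String[] {"SRV"});
     javax.naming.directory.Attribute srv = records.get("srv");
     if (srv == null) {
       return fallback;
     }
     String[] fields = srv.get().toString().split(" ", 4);
     if (fields.length < 4) {
       return fallback;
     }
     return new String[] {fields[3], fields[2]};
   } catch (Throwable lookupFailure) {
     // Throwable is kept from the original: every failure, checked or not, means "use the plain
     // hostname". It also swallows Errors such as OutOfMemoryError — TODO confirm that is wanted.
     return fallback;
   } finally {
     if (dirContext != null) {
       try {
         dirContext.close();
       } catch (javax.naming.NamingException ignored) {
         // the result is already determined; a close failure changes nothing
       }
     }
   }
 }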
  /**
   * Runs an LDAP search whose filter is derived from the {@code foo} request header.
   *
   * <p>The value returned by {@code doSomething} is used as the complete search filter, so the
   * header controls the query unless {@code doSomething} sanitises it (LDAP filter injection
   * sink). Nothing is written to the response.
   *
   * @param request the servlet request; the {@code foo} header is read
   * @param response the servlet response; unused
   * @throws ServletException wrapping any {@link javax.naming.NamingException}
   * @throws IOException declared by the servlet contract; not thrown here
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String filter = new Test().doSomething(request.getHeader("foo"));

    javax.naming.directory.SearchControls controls = new javax.naming.directory.SearchControls();
    try {
      javax.naming.directory.InitialDirContext idc =
          org.owasp.benchmark.helpers.Utils.getInitialDirContext();
      idc.search("name", filter, controls);
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    }
  } // end doPost
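  /**
   * Binds to the directory described by the arguments and returns the first entry matching {@code
   * (objectClass=user)} in a subtree search rooted at {@code username}.
   *
   * <p>NOTE(review): the search base is the {@code username} argument itself, so callers are
   * presumably passing a DN here — confirm. The context and the result enumeration are closed
   * before returning; the returned {@link SearchResult} is a detached value object.
   *
   * @param url directory URL handed to {@code getProperties}
   * @param username bind principal, also used as the search base
   * @param password bind credential
   * @param promiscuous forwarded to {@code getProperties}; its effect is defined there
   * @return the first {@link SearchResult}
   * @throws NamingException if the bind or the search fails
   * @throws java.util.NoSuchElementException if no entry matches (unchanged from the original)
   */
  public Object provide(String url, String username, String password, boolean promiscuous)
      throws NamingException {
    InitialDirContext context =
        new InitialDirContext(getProperties(url, username, password, promiscuous));
    try {
      SearchControls searchCtls = new SearchControls();
      searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

      String searchFilter = "(objectClass=user)";

      NamingEnumeration<SearchResult> answer = context.search(username, searchFilter, searchCtls);
      try {
        return answer.next();
      } finally {
        answer.close();
      }
    } finally {
      context.close();
    }
  }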
  /**
   * Runs an LDAP search whose filter is derived from the {@code foo} request parameter.
   *
   * <p>The positional arguments {@code "a"}/{@code "b"} are only substituted where the filter
   * contains {@code {0}}/{@code {1}}; the filter itself is the caller-derived string, so the
   * parameter controls the query unless {@code doSomething} sanitises it (LDAP filter injection
   * sink). Nothing is written to the response.
   *
   * @param request the servlet request; the {@code foo} parameter is read
   * @param response the servlet response; unused
   * @throws ServletException wrapping any {@link javax.naming.NamingException}
   * @throws IOException declared by the servlet contract; not thrown here
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String param =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request).getTheParameter("foo");
    String filter = doSomething(param);

    Object[] filterArgs = {"a", "b"};
    javax.naming.directory.SearchControls controls = new javax.naming.directory.SearchControls();
    try {
      javax.naming.directory.InitialDirContext idc =
          org.owasp.benchmark.helpers.Utils.getInitialDirContext();
      idc.search("name", filter, filterArgs, controls);
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    }
  } // end doPost
  /**
   * Runs an LDAP search whose filter is derived from the first {@code foo} request header.
   *
   * <p>Only the first header value is used; a missing header yields the empty string. The value
   * returned by {@code doSomething} is used as the complete search filter, so the header controls
   * the query unless {@code doSomething} sanitises it (LDAP filter injection sink).
   *
   * @param request the servlet request; the {@code foo} headers are read
   * @param response the servlet response; unused
   * @throws ServletException wrapping any {@link javax.naming.NamingException}
   * @throws IOException declared by the servlet contract; not thrown here
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    java.util.Enumeration<String> headers = request.getHeaders("foo");
    String param = headers.hasMoreElements() ? headers.nextElement() : "";

    String filter = new Test().doSomething(param);

    javax.naming.directory.SearchControls controls = new javax.naming.directory.SearchControls();
    try {
      javax.naming.directory.InitialDirContext idc =
          org.owasp.benchmark.helpers.Utils.getInitialDirContext();
      idc.search("name", filter, controls);
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    }
  } // end doPost
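  /**
   * Runs an LDAP search whose filter is derived from the first value of the {@code foo} request
   * parameter.
   *
   * <p>The original indexed {@code map.get("foo")[0]} whenever the parameter map was non-empty,
   * which throws {@link NullPointerException} when other parameters are present but {@code foo}
   * is not; that case now yields the empty string. The value returned by {@code doSomething} is
   * used as the complete search filter, so the parameter controls the query unless {@code
   * doSomething} sanitises it (LDAP filter injection sink).
   *
   * @param request the servlet request; the parameter map is read
   * @param response the servlet response; unused
   * @throws ServletException wrapping any {@link javax.naming.NamingException}
   * @throws IOException declared by the servlet contract; not thrown here
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    java.util.Map<String, String[]> map = request.getParameterMap();
    String param = "";
    String[] foo = map.get("foo");
    if (foo != null && foo.length > 0) {
      param = foo[0];
    }

    String bar = new Test().doSomething(param);

    try {
      javax.naming.directory.InitialDirContext idc =
          org.owasp.benchmark.helpers.Utils.getInitialDirContext();
      idc.search("name", bar, new javax.naming.directory.SearchControls());
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    }
  } // end doPost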
  /**
   * Runs an LDAP search with a constant filter; the {@code foo} cookie is read but never used.
   *
   * <p>{@code (7 * 42) - 86} is 208, so the condition always selects {@code
   * "This_should_always_happen"} and the cookie value never reaches the query.
   *
   * @param request the servlet request; cookies are inspected for one named {@code foo}
   * @param response the servlet response; unused
   * @throws ServletException wrapping any {@link javax.naming.NamingException}
   * @throws IOException declared by the servlet contract; not thrown here
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    javax.servlet.http.Cookie[] cookies = request.getCookies();

    // Value of the last cookie named "foo"; "" when there are no cookies or none by that name.
    String param = "";
    if (cookies != null) {
      for (javax.servlet.http.Cookie cookie : cookies) {
        if (cookie.getName().equals("foo")) {
          param = cookie.getValue();
        }
      }
    }

    // Simple if statement that assigns constant to bar on true condition
    int i = 86;
    String bar = (7 * 42) - i > 200 ? "This_should_always_happen" : param;

    javax.naming.directory.SearchControls controls = new javax.naming.directory.SearchControls();
    try {
      javax.naming.directory.InitialDirContext idc =
          org.owasp.benchmark.helpers.Utils.getInitialDirContext();
      idc.search("name", bar, controls);
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    }
  }
  /**
   * Runs an LDAP search whose filter is the {@code foo} request parameter with its last character
   * replaced by {@code "Z"} (when the value has more than one character).
   *
   * <p>The transformed parameter is used as the complete search filter, so the request controls
   * the query (LDAP filter injection sink). A null parameter throws {@link NullPointerException}
   * at {@code param.length()}, as in the original — presumably {@code getTheParameter} never
   * returns null; confirm against the helper.
   *
   * @param request the servlet request; the {@code foo} parameter is read
   * @param response the servlet response; unused
   * @throws ServletException wrapping any {@link javax.naming.NamingException}
   * @throws IOException declared by the servlet contract; not thrown here
   */
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    org.owasp.benchmark.helpers.SeparateClassRequest scr =
        new org.owasp.benchmark.helpers.SeparateClassRequest(request);
    String param = scr.getTheParameter("foo");

    String bar = param;
    if (param.length() > 1) {
      bar = param.substring(0, param.length() - 1) + "Z";
    }

    javax.naming.directory.SearchControls controls = new javax.naming.directory.SearchControls();
    try {
      javax.naming.directory.InitialDirContext idc =
          org.owasp.benchmark.helpers.Utils.getInitialDirContext();
      idc.search("name", bar, controls);
    } catch (javax.naming.NamingException e) {
      throw new ServletException(e);
    }
  }
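  /**
   * Logs the name, namespace-qualified name and string form of every entry directly under {@code
   * base}, lazily starting the directory connection if needed.
   *
   * <p>Always returns {@code null}; callers get nothing back but the log lines. The listing
   * enumeration is closed after use. A {@link NamingException} is reported and swallowed, as in
   * the original.
   *
   * @param base the DN to list, e.g. {@code "ou=users,dc=dexels,dc=com"}
   * @return always {@code null}
   */
  public Message list(String base) {
    try {
      if (initialDir == null) {
        startup();
      }
      DirContext dc = (DirContext) initialDir.lookup(base);
      NamingEnumeration<NameClassPair> entries = dc.list("");
      try {
        while (entries.hasMore()) {
          NameClassPair entry = entries.next();
          logger.info("NAME: " + entry.getName());
          logger.info("NAMESp: " + entry.getNameInNamespace());
          logger.info("o: " + entry);
        }
      } finally {
        entries.close();
      }
    } catch (NamingException e) {
      // NOTE(review): the logger's error-level API is not visible from here, so the trace still
      // goes to stderr; route it through the logger if it accepts a Throwable.
      e.printStackTrace();
    }

    return null;
  }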
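  /**
   * Round-trips a {@link Person} through the directory via {@link PersonLdapFactory}: the object
   * and state factories are registered on the admin context, any stale entry is removed, the
   * person is bound, then looked up and compared field by field.
   *
   * <p>The context is closed in a {@code finally} block so a failing assertion or directory
   * operation does not leak it (the original only closed it on the success path).
   *
   * @throws Exception from the container lookup or any directory operation
   */
  public void testBasic() throws Exception {
    LdapFactoryHelper helper = (LdapFactoryHelper) lookup(LdapFactoryHelper.ROLE);
    PersonLdapFactory.setHelper(helper);

    InitialDirContext context = apacheDs.getAdminContext();
    try {
      context.addToEnvironment(Context.OBJECT_FACTORIES, PersonLdapFactory.class.getName());
      context.addToEnvironment(Context.STATE_FACTORIES, PersonLdapFactory.class.getName());

      LdapName name = new LdapName("uid=trygvis,dc=test");

      // Remove any entry left over from a previous run; failure here (typically: no such
      // entry) is not an error for this test.
      try {
        context.unbind(name);
      } catch (NamingException ignored) {
        // nothing to remove
      }

      Person person = new Person();
      person.setName("Trygve");
      context.bind(name, person);

      Object o = context.lookup(name);
      assertEquals(Person.class, o.getClass());
      person = (Person) o;
      assertEquals("Trygve", person.getName());
      assertEquals(null, person.getDescription());
    } finally {
      context.close();
    }
  }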
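  /**
   * Authenticates {@code uid} against LDAP: searches for the user's entry, then binds a second
   * connection with the found DN and {@code password}. On success the roles read from the entry's
   * {@code memberOf} attribute are stored via {@link #setCurrentUserRoles}.
   *
   * <p>An empty or null password is rejected before the bind: many directories treat a bind with
   * an empty credential as an anonymous (unauthenticated) bind, which would succeed and report a
   * wrong password as valid. The uid is passed as filter argument {@code {0}} so that filter
   * metacharacters in it are encoded rather than interpreted. The search enumeration and the
   * verification context are closed.
   *
   * <p>NOTE(review): {@code searchCtls} and {@code ctx} are shared fields mutated and used here;
   * concurrent calls are not safe unless they are confined elsewhere. The "user not found" and
   * "bad password" paths also print different messages, which lets an observer of that output
   * tell the two apart — confirm those lines are not user-visible.
   *
   * @param uid the user's uid (entry attribute); untrusted input
   * @param password the password to verify
   * @return {@code true} if the entry exists and the bind succeeds, {@code false} otherwise
   * @throws Error if the initial search itself fails (as in the original; the cause is attached)
   */
  public boolean checkAuthWithLdap(String uid, String password) {
    if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) {
      System.out.println("Your Login or password is wrong");
      return false;
    }

    // List to store the user roles
    ArrayList<String> userRoles = new ArrayList<String>();

    searchCtls.setReturningAttributes(ldapConfig.getReturnattributs());
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

    /*
     * Step 3. search the entry which has the username (in our case the uid of the entry).
     * The uid goes in as a positional filter argument, never concatenated into the filter.
     */
    String searchFilter = "(&(uid={0}) )";
    Object[] filterArgs = {uid};

    NamingEnumeration<?> answer;
    try {
      answer = ctx.search(ldapConfig.getSearchbase(), searchFilter, filterArgs, searchCtls);
    } catch (NamingException e) {
      throw new Error("Search engine for LDAP server failed! Java exception: " + e.toString(), e);
    }

    /*
     * Step 4. determine the dn of the found entry
     */
    try {
      if (!answer.hasMore()) {
        System.out.println("Your password is wrong");
        return false;
      }

      SearchResult result = (SearchResult) answer.next();
      Attributes attrs = result.getAttributes();
      String dn = result.getNameInNamespace();
      System.out.println("dn of the entry: " + dn);

      Attribute member = attrs.get("memberOf");
      if (member == null) {
        userRoles.add("unknow_role");
      } else {
        userRoles.addAll(refineMemberInfo(member));
      }

      /*
       * Step 5. Open one more connection to ldap with the DN just found and the user's password;
       * a wrong password surfaces as a NamingException from the constructor.
       */
      Properties env1 = new Properties();
      env1.put(Context.INITIAL_CONTEXT_FACTORY, ldapConfig.getINITIAL_CONTEXT_FACTORY());
      env1.put(Context.PROVIDER_URL, ldapConfig.getPROVIDER_URL());
      env1.put(Context.SECURITY_PRINCIPAL, dn);
      env1.put(Context.SECURITY_CREDENTIALS, password);
      InitialDirContext userCtx = new InitialDirContext(env1);
      try {
        userCtx.close();
      } catch (NamingException ignored) {
        // the bind already succeeded; a close failure does not change the outcome
      }

      System.out.println("Authentication successful");
      // assign the current user roles
      this.setCurrentUserRoles(userRoles);
      return true;
    } catch (NamingException e) {
      /*
       * Step 6. no exception - ok, otherwise the user has entered a wrong password.
       */
      System.out.println("check password throws naming exeception :" + e.toString());
      System.out.println("Your Login or password is wrong");
      return false;
    } finally {
      try {
        answer.close();
      } catch (NamingException ignored) {
        // the outcome is already decided; nothing useful to do about a close failure
      }
    }
  }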