ALF-9920: Prevent multiple invalid password checks to the same LDAP account in multiple subsystems (use a static Set of checked environments)

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@32685 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/security/authentication/ldap/LDAPInitialDirContextFactoryImpl.java

@@ -20,8 +20,10 @@ package org.alfresco.repo.security.authentication.ldap;
 
 import java.io.IOException;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.Map;
+import java.util.Set;
 
 import javax.naming.AuthenticationNotSupportedException;
 import javax.naming.Context;
@@ -49,6 +51,9 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
 {
     private static final Log logger = LogFactory.getLog(LDAPInitialDirContextFactoryImpl.class);
 
+    private static Set<Map<String, String>> checkedEnvs = Collections.synchronizedSet(new HashSet<Map<String, String>>(
+            11));
+
     private Map<String, String> defaultEnvironment = Collections.<String, String> emptyMap();
     private Map<String, String> authenticatedEnvironment = Collections.<String, String> emptyMap();
 
@@ -381,27 +386,34 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
             env.putAll(authenticatedEnvironment);
             env.put(Context.SECURITY_PRINCIPAL, principal);
             env.put(Context.SECURITY_CREDENTIALS, "sdasdasdasdasd123123123");
-            try
+            if (!checkedEnvs.contains(env))
             {
 
-                new InitialDirContext(env);
+                try
-
+                {
-                throw new AuthenticationException(
+    
-                        "The ldap server at "
+                    new InitialDirContext(env);
-                                + env.get(Context.PROVIDER_URL)
+    
-                                + " falls back to use anonymous bind for a known principal if  invalid security credentials are presented. This is not supported.");
+                    throw new AuthenticationException(
-            }
+                            "The ldap server at "
-            catch (javax.naming.AuthenticationException ax)
+                                    + env.get(Context.PROVIDER_URL)
-            {
+                                    + " falls back to use anonymous bind for a known principal if  invalid security credentials are presented. This is not supported.");
-                logger.info("LDAP server does not fall back to anonymous bind for known principal and invalid credentials at " + env.get(Context.PROVIDER_URL));
+                }
-            }
+                catch (javax.naming.AuthenticationException ax)
-            catch (AuthenticationNotSupportedException e)
+                {
-            {
+                    logger.info("LDAP server does not fall back to anonymous bind for known principal and invalid credentials at " + env.get(Context.PROVIDER_URL));
-                logger.info("LDAP server does not support the required authentication mechanism");
+                }
-            }
+                catch (AuthenticationNotSupportedException e)
-            catch (NamingException nx)
+                {
-            {
+                    logger.info("LDAP server does not support the required authentication mechanism");
-                // already done
+                }
+                catch (NamingException nx)
+                {
+                    // already done
+                }
+                // Record this environment as checked so that we don't check it again on further restarts / other subsystem
+                // instances
+                checkedEnvs.add(env);
             }
         }
     }