Topic: Special Characters in Filter -- RFC-2254

SteveHB, posted on: 08/17/2006 01:50:27 PM
Special Characters in Filter -- RFC-2254
Special Characters defined in RFC 2254:

http://www.ietf.org/rfc/rfc2254.txt
If a value should contain any of the following characters

           Character       ASCII value
           ---------------------------
           *               0x2a
           (               0x28
           )               0x29
           \               0x5c
           NUL             0x00

   the character must be encoded as the backslash '\' character (ASCII
   0x5c) followed by the two hexadecimal digits representing the ASCII
   value of the encoded character. The case of the two hexadecimal
   digits is not significant.

   This simple escaping mechanism eliminates filter-parsing ambiguities
   and allows any filter that can be represented in LDAP to be
   represented as a NUL-terminated string. Other characters besides the
   ones listed above may be escaped using this mechanism, for example,
   non-printing characters.

   For example, the filter checking whether the "cn" attribute contained
   a value with the character "*" anywhere in it would be represented as
   "(cn=*\2a*)".

   Note that although both the substring and present productions in the
   grammar above can produce the "attr=*" construct, this construct is
   used only to denote a presence filter.


SteveHB, posted on: 08/17/2006 01:56:03 PM
Example of Special Characters '(' and ')'


(o=Parens R Us \28for all your parenthetical needs\29)

This example shows the use of the escaping mechanism to represent parenthesis characters.

SteveHB, posted on: 08/17/2006 01:58:06 PM
Example of Special Character '*'

    (cn=*\2A*)

This example shows how to represent a "*" in a value, preventing it from being interpreted as a substring indicator.


SteveHB, posted on: 08/17/2006 02:00:46 PM
Example of Special Character '\'

    (filename=C:\5cMyFile)

This example illustrates the escaping of the backslash character.

SteveHB, posted on: 08/17/2006 02:05:28 PM
Example of binary data

   (bin=\00\00\00\04)

This example shows a filter searching for the four-byte value 0x00000004, illustrating the use of the escaping mechanism to represent arbitrary data, including NUL characters.


SteveHB, posted on: 08/17/2006 02:07:07 PM

   (sn=Lu\c4\8di\c4\87)

This example illustrates the use of the escaping mechanism to represent various non-ASCII UTF-8 characters.

JNDI, posted on: 03/08/2010 08:17:11 PM
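3 Ways to input filter in JNDI for special characters
The following is a sample of JNDI doing filter search.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    public class FilterSearch {
        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
            // Simple bind over ldap:// sends the credentials unencrypted
            env.put(Context.PROVIDER_URL, "ldap://myServer.mycompany.com:389");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "user");
            env.put(Context.SECURITY_CREDENTIALS, "password");

            DirContext ctx = null;
            try {
                ctx = new InitialDirContext(env);
                SearchControls ctls = new SearchControls();
                String base_dn = "dc=example,dc=com";
                String filter = "(objectclass=*)";
                NamingEnumeration<SearchResult> enu = ctx.search(base_dn, filter, ctls);
                while (enu.hasMore()) {
                    SearchResult sr = enu.next();
                    System.out.println("rdn='" + sr.getName() + "'");
                }
            } catch (NamingException e) {
                e.printStackTrace();
            } finally {
                // ctx is still null if the bind failed, so check before closing
                if (ctx != null) {
                    try {
                        ctx.close();
                    } catch (NamingException e) {
                        // nothing useful to do if close fails
                    }
                }
            }
        }
    }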



For a user in the directory server with surname (sn) being 'Leé', the actual format in the storage is:
sn:: TGXDqQ==


The exactly matching filter to bring out the user can be written in three different ways:

  • 1) Simply type in the special character if your keyboard allows:
    	        String filter = "(sn=Leé)";


  • 2) Type in the unicode of the special character:
    	        String filter = "(sn=Le\u00E9)";



  • 3) Type in the UTF-8 string representation of the escaped special character as in the RFC 2254:
    	        String filter = "(sn=Le\\C3\\A9)";



    JNDI, posted on: 02/15/2011 08:08:56 PM
    Equal sign '=' must be treated as special character for JNDI Compare to work
    [JNDI DOC]:

    The LDAP "compare" operation allows a client to ask the server whether the named entry has an attribute/value pair. This allows the server to keep certain attribute/value pairs secret (i.e., not exposed for general "search" access) while still allowing the client limited use of them. Some servers might use this feature for passwords, for example, although it is insecure for the client to pass clear-text passwords in the "compare" operation itself.
    To accomplish this in the JNDI, use suitably constrained arguments for the following methods:

    search(Name name, String filter, SearchControls ctls)

    First, the filter must be of the form "(name=value)". You cannot use wildcards. Second, the search scope must be SearchControls.OBJECT_SCOPE. Finally, you must request that no attributes be returned. If these criteria are not met, then these methods will use an LDAP "search" operation instead of an LDAP "compare" operation. See the Context Search Methods section for information on how to avoid a common error when constructing and using string filters.

    Here's an example that causes an LDAP "compare" operation to be used.

    // Value of the attribute
    String filter = "(<name>=<value>)";
    
    // Set up the search controls
    SearchControls ctls = new SearchControls();
    ctls.setReturningAttributes(new String[0]);       // Return no attrs
    ctls.setSearchScope(SearchControls.OBJECT_SCOPE); // Search object only
    
    // Invoke search method that will use the LDAP "compare" operation
    NamingEnumeration answer = ctx.search("<base_dn>", filter,  ctls);
    


    If the compare is successful, the resulting enumeration will contain a single item whose name is the empty name and which contains no attributes.

    Notice that the <value> may contain characters ('*','(',')','\','NULL') which are special for filters based on RFC-2254. The equal sign '=' is not defined there, but it MUST be treated as a special char.

    For example:
    String filter = "(uniqueMember=CN\\3Dgroup,DC\\3Dexample,DC\\3Dcom)";

    is going to trigger "compare" operation.

    The unescaped equal sign:
    String filter = "(uniqueMember=CN=group,DC=example,DC=com)";

    is going to trigger "search" operation, which is wrong.

    By the way:
    String filter = "(attr_not_exist=CN\\3Dgroup,DC\\3Dexample,DC\\3Dcom)";

    is going to trigger "compare" operation which returns javax.naming.directory.NoSuchAttributeException.

    String filter = "(attr_not_exist=CN=group,DC=example,DC=com)";

    is going to trigger "search" operation which returns empty result set without any error.



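The escaping rules quoted from RFC 2254 and the '=' observation from the last post, as one added example that is not code from this thread or from JNDI: a helper that UTF-8 encodes a value and hex-escapes it before it is placed in a filter string. The class name, method names and the attribute-name allow-list are assumptions made for this illustration, and the sample values are constructed from the filters shown above.

```java
import java.nio.charset.StandardCharsets;

// Added example, not code from this thread. Class and method names are hypothetical.
public class FilterEscape {

    // Escape raw bytes as an RFC 2254 filter value: \xx for every byte that is
    // special, non-printable or non-ASCII.
    static String escapeBytes(byte[] raw) {
        StringBuilder out = new StringBuilder(raw.length * 3);
        for (byte b : raw) {
            int c = b & 0xff;
            boolean special = c == '*' || c == '(' || c == ')' || c == '\\' || c == 0x00;
            // '=' is not in the RFC 2254 table. It is escaped here because of the JNDI
            // "compare" behaviour reported in this thread; the RFC allows escaping it.
            if (special || c == '=' || c < 0x20 || c >= 0x7f) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Escape a text value: encode as UTF-8 first, then escape byte by byte.
    static String escapeValue(String value) {
        return escapeBytes(value.getBytes(StandardCharsets.UTF_8));
    }

    // Build "(attr=value)". The attribute name comes from the program, never from
    // user input; the pattern is a conservative allow-list (an assumption of this example).
    static String equalityFilter(String attr, String untrustedValue) {
        if (!attr.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("unexpected attribute name: " + attr);
        }
        return "(" + attr + "=" + escapeValue(untrustedValue) + ")";
    }

    public static void main(String[] args) {
        // Constructed inputs; the first six correspond to filters shown in this thread.
        System.out.println(equalityFilter("o", "Parens R Us (for all your parenthetical needs)"));
        System.out.println(equalityFilter("filename", "C:\\MyFile"));
        System.out.println(equalityFilter("sn", "Lu\u010di\u0107"));
        System.out.println(equalityFilter("sn", "Le\u00e9"));
        System.out.println("(bin=" + escapeBytes(new byte[] {0, 0, 0, 4}) + ")");
        System.out.println(equalityFilter("uniqueMember", "CN=group,DC=example,DC=com"));
        // Filter metacharacters inside a value stay part of the literal value.
        System.out.println(equalityFilter("uid", "jdoe)(objectClass=*"));
    }
}
```

JNDI also has a `search(name, filterExpr, filterArgs, ctls)` overload that substitutes `{0}`-style placeholders from `filterArgs`, which avoids building the filter by string concatenation.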