How to construct search filter for a Java LDAP search API, when object name has single or double quote in it

I have an object, cn=abc"and'def in the directory. I am using the Java search API:

public LDAPSearchResults search(java.lang.String base,
    int scope,
    java.lang.String filter,
    java.lang.String[] attrs,
    boolean typesOnly,
    LDAPSearchConstraints cons)
    throws LDAPException

I tried giving the search filter as abc"and'def and also as abc\\"and\\'def. Both return:

Bad search filter

Please help me as to how to construct the search filter when the object name has single or double quote in it.

The entire LDAP search filter must be a valid UTF-8 string. There are five (5) values that, should they appear in a search filter, must be escaped using a backslash \ and the two-digit hexadecimal code for the character being escaped. The values that must be escaped are *, (, ), \, and the null byte 0; therefore the " and the ' are legal and valid characters in the search filter. In a language like Java that encloses a string literal between " characters, the " character appearing as part of string literal must be escaped.

In one example, you list the filter with a backslash \ character in the filter. A backslash must be escaped in the filter using a backslash and the hexadecimal code for backslash, for example, "(cn=abc\5c\"and'def)'". In the other example, you list as the filter "(cn=abc"and'def)" which is in fact a legal search filter - ignoring the fact that the inner " is not escaped as it must be for compilation.

By way of example, I created an object in a directory at my localhost listening on port 1389 with prefix or naming context dc=example,dc=com using the following LDIF:

dn: cn=abc"and'def,dc=example,dc=com
objectClass: top
objectClass: person
cn: abc"and'def
sn: whatever

I wrote a Java class to search for the entry, throwing an assertion error if it should not be found:

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SearchResult;

public final class BSFilter {
  public static void main(String... args) {
    try {
      Filter searchFilter =
        Filter.create("cn=abc\"and'def");
      LDAPConnection connection =
        new LDAPConnection("localhost",1389);
      SearchResult searchResult =
        connection.search("dc=example,dc=com",SearchScope.ONE,
                          searchFilter,"1.1");
      assert(searchResult.getSearchEntries().size() == 0);
    } catch(LDAPException lex) {
      lex.printStackTrace();
      return;
    }
  }
}

This class compiles and throws an assertion error as expected because the entry for which it searches does in fact exist. See RFC 4515 for information regarding the search filter. The LDAPSDK used is the excellent SDK from UnboundID. Notice that the " character is escaped in the filter so that the class will compile, but that has nothing to do with the filter text itself.

Use the force of the filter to handle escaping for you. Something like:

"(&(objectClass=user)(cn={0}))"

I use JNDI and one of the search() overloads that take a `filterArgs' argument. Does all the escaping required for you.
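
The escaping rule described in the answers above, as an added example that is not code from either post: a small Java escaper for the five values that must be escaped in a filter value, applied before the value is placed between the parentheses. The class name, method names and sample values are hypothetical and constructed for illustration; it uses only the JDK and needs no directory server.

```java
public final class LdapFilterEscape {

  // Escape an assertion value for an LDAP search filter: each of
  // * ( ) \ and the null byte becomes a backslash plus two hex digits.
  // Every other character, including " and ', is copied unchanged.
  static String escapeValue(String value) {
    StringBuilder out = new StringBuilder(value.length() + 8);
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      switch (c) {
        case '*':  out.append("\\2a"); break;
        case '(':  out.append("\\28"); break;
        case ')':  out.append("\\29"); break;
        case '\\': out.append("\\5c"); break;
        case '\0': out.append("\\00"); break;
        default:   out.append(c);
      }
    }
    return out.toString();
  }

  // Build an equality filter; only the value is escaped, so the
  // attribute name must come from the program, not from user input.
  static String equalityFilter(String attribute, String value) {
    return "(" + attribute + "=" + escapeValue(value) + ")";
  }

  public static void main(String[] args) {
    // Constructed sample values; the first is the cn from the question.
    String[] samples = {
      "abc\"and'def",      // quotes: only the Java literal needs \"
      "abc\\def",          // one literal backslash in the value
      "Smith (Sales)*",    // characters that are otherwise filter syntax
      "a\0b"               // embedded null byte
    };
    for (String s : samples) {
      System.out.println(equalityFilter("cn", s));
    }
  }
}
```

The two layers stay separate: the Java compiler consumes the \" and \\ in the string literals, and escapeValue then applies the filter-level escaping to the resulting characters.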
