Posted to commits@tomee.apache.org by jl...@apache.org on 2018/12/14 15:55:48 UTC

[3/6] tomee git commit: TOMEE-2357 now if at least 1 role is valid from the security context, , successfull access is granted

TOMEE-2357 now if at least 1 role is valid from the security context, successful access is granted


Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/d9563f82
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/d9563f82
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/d9563f82

Branch: refs/heads/master
Commit: d9563f82ca7852995f31dacf04956d84120ac65c
Parents: 2c1ee1f
Author: CesarHernandezGt <cf...@gmail.com>
Authored: Thu Dec 13 20:53:05 2018 -0600
Committer: CesarHernandezGt <cf...@gmail.com>
Committed: Thu Dec 13 20:53:05 2018 -0600

----------------------------------------------------------------------
 .../jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java      | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tomee/blob/d9563f82/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
----------------------------------------------------------------------
diff --git a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
index f604e6b..ad067d3 100644
--- a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
+++ b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
@@ -39,14 +39,19 @@ public class MPJWTSecurityAnnotationsInterceptor implements ContainerRequestFilt
         }
 
         final Set<String> roles = rolesAllowed.get(resourceInfo.getResourceMethod());
+
         if (roles != null && !roles.isEmpty()) {
             final SecurityContext securityContext = requestContext.getSecurityContext();
+            Boolean hasAtLeasOneValidRole = false;
             for (String role : roles) {
-                if (!securityContext.isUserInRole(role)) {
-                    forbidden(requestContext);
+                if (securityContext.isUserInRole(role)) {
+                    hasAtLeasOneValidRole = true;
                     break;
                 }
             }
+            if (!hasAtLeasOneValidRole) {
+                forbidden(requestContext);
+            }
         }
 
     }
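Review bot: `Boolean hasAtLeasOneValidRole = false;` on the new side declares a local flag as the boxed wrapper even though it is only ever assigned and tested, and the name is misspelt; a primitive `boolean hasAtLeastOneValidRole = false;` is the idiomatic form. The loop-and-flag could also collapse to `final boolean hasAtLeastOneValidRole = roles.stream().anyMatch(securityContext::isUserInRole);` followed by `if (!hasAtLeastOneValidRole) { forbidden(requestContext); }`, which makes the any-of-the-roles decision visible in one line. Since the hunk deliberately switches from "every listed role" to "at least one listed role", a short why-comment above the check, e.g. `// access is granted when the caller holds any one of the method's allowed roles`, would keep a later maintainer from "fixing" it back; I infer this mirrors the @RolesAllowed contract but cannot confirm from the hunk. The enclosing filter method begins before the hunk, so whether `forbidden(requestContext)` aborts the request chain is not visible here.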