Posted to commits@tomee.apache.org by jl...@apache.org on 2018/12/14 15:55:48 UTC
[3/6] tomee git commit: TOMEE-2357 now if at least 1 role is valid
from the security context, , successfull access is granted
TOMEE-2357 now if at least 1 role is valid from the security context, successful access is granted
Project: http://git-wip-us.apache.org/repos/asf/tomee/repo
Commit: http://git-wip-us.apache.org/repos/asf/tomee/commit/d9563f82
Tree: http://git-wip-us.apache.org/repos/asf/tomee/tree/d9563f82
Diff: http://git-wip-us.apache.org/repos/asf/tomee/diff/d9563f82
Branch: refs/heads/master
Commit: d9563f82ca7852995f31dacf04956d84120ac65c
Parents: 2c1ee1f
Author: CesarHernandezGt <cf...@gmail.com>
Authored: Thu Dec 13 20:53:05 2018 -0600
Committer: CesarHernandezGt <cf...@gmail.com>
Committed: Thu Dec 13 20:53:05 2018 -0600
----------------------------------------------------------------------
.../jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tomee/blob/d9563f82/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
----------------------------------------------------------------------
diff --git a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
index f604e6b..ad067d3 100644
--- a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
+++ b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/jaxrs/MPJWTSecurityAnnotationsInterceptor.java
@@ -39,14 +39,19 @@ public class MPJWTSecurityAnnotationsInterceptor implements ContainerRequestFilt
}
final Set<String> roles = rolesAllowed.get(resourceInfo.getResourceMethod());
+
if (roles != null && !roles.isEmpty()) {
final SecurityContext securityContext = requestContext.getSecurityContext();
+ Boolean hasAtLeasOneValidRole = false;
for (String role : roles) {
- if (!securityContext.isUserInRole(role)) {
- forbidden(requestContext);
+ if (securityContext.isUserInRole(role)) {
+ hasAtLeasOneValidRole = true;
break;
}
}
+ if (!hasAtLeasOneValidRole) {
+ forbidden(requestContext);
+ }
}
}