You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/11/16 01:35:50 UTC

DO NOT REPLY [Bug 37518] New: - JAASRealm can't be used to protect resources

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37518>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37518

           Summary: JAASRealm can't be used to protect resources
           Product: Tomcat 5
           Version: 5.5.12
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Keywords: PatchAvailable
          Severity: major
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jack.yu@fmr.com


In 5.5.12, the hasRole method in JAASRealm has been removed. Instead, it uses 
RealmBase's hasRole methd. 

In RealmBase's hasRole method, it the principal is not GenericPrincipal, it 
will return false.

But in Request.getUserPrincipal method, there also a change, if userPrincipal 
is GenericPrincipal, it returns userPrincipal. 

Which means the framework use getUserPrincipal, and call JAASRealm(RealmBase)'s 
hasRole should always fail.


Suggest to make the following change:
in JAASRealm.java, add roleSet private instance variable, then in 
createPrincipal method, just after roles.add(principal.getName());,
add "roleSet.add(principal);"

then add hasRole method like following:

public boolean hasRole(Principal principal, String role) {
    if (principal == null) {
         return false;
    }
    Iterator it = roleSet.iterator();
    while (it.hasNext()) {
        Principal p = (Principal)it.next();
        if (p.equals(principal)) {
            return true;
        }
    }
    return super.hasRole(principal, role);
}

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org