Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/11/16 01:35:50 UTC
DO NOT REPLY [Bug 37518] New: - JAASRealm can't be used to protect resources
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37518>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=37518
Summary: JAASRealm can't be used to protect resources
Product: Tomcat 5
Version: 5.5.12
Platform: Other
OS/Version: Windows XP
Status: NEW
Keywords: PatchAvailable
Severity: major
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: jack.yu@fmr.com
In 5.5.12, the hasRole method in JAASRealm has been removed. Instead, it uses
RealmBase's hasRole method.
In RealmBase's hasRole method, if the principal is not a GenericPrincipal, it
will return false.
But in the Request.getUserPrincipal method there is also a change: if userPrincipal
is a GenericPrincipal, it returns userPrincipal.
This means that when the framework uses getUserPrincipal and calls JAASRealm(RealmBase)'s
hasRole, it should always fail.
Suggest making the following change:
in JAASRealm.java, add a roleSet private instance variable; then in the
createPrincipal method, just after roles.add(principal.getName());,
add "roleSet.add(principal);";
then add a hasRole method like the following:
    public boolean hasRole(Principal principal, String role) {
        // No authenticated principal: nothing can be authorized.
        if (principal == null) {
            return false;
        }
        // roleSet holds the Principal objects recorded in createPrincipal.
        // Note: the loop compares principals only; the role argument is not
        // consulted here, so any principal found in roleSet is accepted
        // regardless of which role is being checked.
        Iterator it = roleSet.iterator();
        while (it.hasNext()) {
            Principal p = (Principal) it.next();
            if (p.equals(principal)) {
                return true;
            }
        }
        // Otherwise fall back to RealmBase's check (GenericPrincipal only).
        return super.hasRole(principal, role);
    }
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
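The following stand-alone Java file is an added illustration of the failure mode described in the report and of a role check that survives it; it is not Tomcat code and not the reporter's patch. The classes JaasUserPrincipal, WrappedPrincipal, BaseRealm, RoleTrackingRealm and HasRoleDemo are hypothetical stand-ins (assumed here for the demonstration): WrappedPrincipal plays the part of GenericPrincipal, BaseRealm mirrors a hasRole that rejects any principal that is not the wrapper type, and RoleTrackingRealm records the role names granted to each user principal at createPrincipal time and checks the requested role name against them, so the check still works when the container hands back the unwrapped principal.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for a principal produced by a JAAS login module.
// equals/hashCode are defined by name so it can be used as a map key.
final class JaasUserPrincipal implements Principal {
    private final String name;
    JaasUserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) {
        return o instanceof JaasUserPrincipal && name.equals(((JaasUserPrincipal) o).name);
    }
    public int hashCode() { return name.hashCode(); }
}

// Hypothetical stand-in for the realm's wrapper principal (GenericPrincipal's role here).
final class WrappedPrincipal implements Principal {
    private final Principal user;
    private final Set<String> roles;
    WrappedPrincipal(Principal user, List<String> roles) {
        this.user = user;
        this.roles = new HashSet<String>(roles);
    }
    public String getName() { return user.getName(); }
    Principal getUserPrincipal() { return user; }   // what the container hands back
    boolean hasRole(String role) { return roles.contains(role); }
}

// Mirrors the behaviour the report describes: only the wrapper type is accepted.
class BaseRealm {
    public boolean hasRole(Principal principal, String role) {
        if (!(principal instanceof WrappedPrincipal)) {
            return false;
        }
        return ((WrappedPrincipal) principal).hasRole(role);
    }
}

// Records roles per authenticated user principal so the check works on the
// unwrapped principal as well. Entries are never evicted here; a real realm
// would have to remove them at logout/session end to avoid unbounded growth.
class RoleTrackingRealm extends BaseRealm {
    private final Map<Principal, Set<String>> rolesByUser = new HashMap<Principal, Set<String>>();

    WrappedPrincipal createPrincipal(Principal user, List<String> roleNames) {
        rolesByUser.put(user, new HashSet<String>(roleNames));
        return new WrappedPrincipal(user, roleNames);
    }

    public boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null) {
            return false;
        }
        Set<String> roles = rolesByUser.get(principal);
        if (roles != null) {
            return roles.contains(role);   // unwrapped principal: consult recorded roles by name
        }
        return super.hasRole(principal, role);   // wrapper principal: defer to the base check
    }
}

public class HasRoleDemo {
    public static void main(String[] args) {
        Principal user = new JaasUserPrincipal("jack");          // constructed sample user
        RoleTrackingRealm realm = new RoleTrackingRealm();
        WrappedPrincipal wrapped = realm.createPrincipal(user, Arrays.asList("manager"));

        // The container supplies the unwrapped principal, as in the report.
        Principal fromRequest = wrapped.getUserPrincipal();

        System.out.println("base realm, unwrapped, manager: "
                + new BaseRealm().hasRole(fromRequest, "manager"));
        System.out.println("tracking realm, unwrapped, manager: "
                + realm.hasRole(fromRequest, "manager"));
        System.out.println("tracking realm, unwrapped, admin: "
                + realm.hasRole(fromRequest, "admin"));
        System.out.println("tracking realm, wrapped, manager: "
                + realm.hasRole(wrapped, "manager"));
    }
}
```

Compile and run with javac/java; the first check is refused because the unwrapped principal is not the wrapper type, while the tracking realm grants "manager" and refuses "admin" for the same principal. The point of keying on the role name rather than on principal identity alone is that a principal found in the realm's bookkeeping should still only pass for roles it was actually granted.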