You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2012/08/31 00:55:20 UTC
svn commit: r1379206 -
/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
Author: markt
Date: Thu Aug 30 22:55:20 2012
New Revision: 1379206
URL: http://svn.apache.org/viewvc?rev=1379206&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53801
Overlapping URL patterns were sometimes merged incorrectly in security constraints leading to incorrect 401 responses. Note: it was possible for access to be denied when it should have been granted but it was not possible for access to be granted when it should have been denied.
Modified:
tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1379206&r1=1379205&r2=1379206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Thu Aug 30 22:55:20 2012
@@ -629,14 +629,15 @@ public abstract class RealmBase extends
}
}
if(matched) {
- found = true;
if(length > longest) {
+ found = false;
if(results != null) {
results.clear();
}
longest = length;
}
if(collection[j].findMethod(method)) {
+ found = true;
if(results == null) {
results = new ArrayList<>();
}
@@ -760,7 +761,7 @@ public abstract class RealmBase extends
*/
private SecurityConstraint [] resultsToArray(
ArrayList<SecurityConstraint> results) {
- if(results == null) {
+ if(results == null || results.size() == 0) {
return null;
}
SecurityConstraint [] array = new SecurityConstraint[results.size()];
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1379206 - /tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
Posted by Mark Thomas <ma...@apache.org>.
On 31/08/2012 12:05, Konstantin Kolinko wrote:
> 2012/8/31 <ma...@apache.org>:
>> Author: markt
>> Date: Thu Aug 30 22:55:20 2012
>> New Revision: 1379206
>>
>> URL: http://svn.apache.org/viewvc?rev=1379206&view=rev
>> Log:
>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53801
>> Overlapping URL patterns were sometimes merged incorrectly in security constraints leading to incorrect 401 responses. Note: it was possible for access to be denied when it should have been granted but it was not possible for access to be granted when it should have been denied.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1379206&r1=1379205&r2=1379206&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Thu Aug 30 22:55:20 2012
>> @@ -629,14 +629,15 @@ public abstract class RealmBase extends
>> }
>> }
>> if(matched) {
>> - found = true;
>> if(length > longest) {
>> + found = false;
>> if(results != null) {
>> results.clear();
>> }
>> longest = length;
>> }
>> if(collection[j].findMethod(method)) {
>> + found = true;
>> if(results == null) {
>> results = new ArrayList<>();
>> }
>
> There are several loops over constraints, with
> [[[
> if(found) {
> return resultsToArray(results);
> }
> ]]]
> between them, and only one of such loops is fixed by this commit.
Correct. Only in one loop is there the possibility that a previously
found constraint will be removed. The bug was that the found flag was
not reset in this case and an empty set of constraints returned rather
than null.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1379206 - /tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/8/31 <ma...@apache.org>:
> Author: markt
> Date: Thu Aug 30 22:55:20 2012
> New Revision: 1379206
>
> URL: http://svn.apache.org/viewvc?rev=1379206&view=rev
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53801
> Overlapping URL patterns were sometimes merged incorrectly in security constraints leading to incorrect 401 responses. Note: it was possible for access to be denied when it should have been granted but it was not possible for access to be granted when it should have been denied.
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
>
> Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1379206&r1=1379205&r2=1379206&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Thu Aug 30 22:55:20 2012
> @@ -629,14 +629,15 @@ public abstract class RealmBase extends
> }
> }
> if(matched) {
> - found = true;
> if(length > longest) {
> + found = false;
> if(results != null) {
> results.clear();
> }
> longest = length;
> }
> if(collection[j].findMethod(method)) {
> + found = true;
> if(results == null) {
> results = new ArrayList<>();
> }
There are several loops over constraints, with
[[[
if(found) {
return resultsToArray(results);
}
]]]
between them, and only one of such loops is fixed by this commit.
It seems inconsistent. (Though with lack of comments there, I have to
investigate more to be certain).
> @@ -760,7 +761,7 @@ public abstract class RealmBase extends
> */
> private SecurityConstraint [] resultsToArray(
> ArrayList<SecurityConstraint> results) {
> - if(results == null) {
> + if(results == null || results.size() == 0) {
> return null;
> }
> SecurityConstraint [] array = new SecurityConstraint[results.size()];
>
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org