Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/04/06 08:00:45 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SecurityCheck.java
craigmcc 00/04/05 23:00:45
Modified: src/share/org/apache/tomcat/core RequestImpl.java
src/share/org/apache/tomcat/request SecurityCheck.java
Log:
Corrections and validations for BASIC authentication support:
- Properly parse comma-delimited role names in conf/tomcat-users.conf.
- Properly authenticate on every request (just because the browser
sends an Authorization header doesn't mean we should trust it).
- Validate correct user + correct password + correct role grants access.
- Validate correct user + incorrect password denies access.
- Validate correct user + correct password + incorrect role denies access.
Please help me pound on this code to make sure it works before final
release of Tomcat 3.1!
Revision Changes Path
1.26 +4 -17 jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java
Index: RequestImpl.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- RequestImpl.java 2000/03/31 18:22:34 1.25
+++ RequestImpl.java 2000/04/06 06:00:44 1.26
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v 1.25 2000/03/31 18:22:34 craigmcc Exp $
- * $Revision: 1.25 $
- * $Date: 2000/03/31 18:22:34 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v 1.26 2000/04/06 06:00:44 craigmcc Exp $
+ * $Revision: 1.26 $
+ * $Date: 2000/04/06 06:00:44 $
*
* ====================================================================
*
@@ -285,20 +285,7 @@
}
public String getRemoteUser() {
- if( remoteUser!=null)
- return remoteUser;
-
- // Using the Servlet 2.2 semantics ...
- // return request.getRemoteUser();
- java.security.Principal p = getUserPrincipal();
-
- if (p != null) {
- return p.getName();
- }
-
- return null;
-
- //return remoteUser;
+ return remoteUser;
}
public boolean isSecure() {
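Review bot: With getRemoteUser() reduced to returning the raw `remoteUser` field, the "already authenticated" short-circuit in SecurityCheck (`if( req.getRemoteUser() != null) return 0;`) now rests entirely on nobody but the authenticator ever writing that field; any setter that populates it from connector or request data before the security interceptor runs would skip the credential check. The field's assignment is outside this hunk, so confirm it is only set after a successful password check. I'd record that invariant on the method: `/** Name of the user authenticated for this request, or null. Must only be set by the security interceptor after credentials have been verified. */`. Dropping the getUserPrincipal() fallback also means getRemoteUser() and getUserPrincipal() may report different identities if a principal is set elsewhere without this field — worth checking if any caller relies on both.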
1.12 +9 -2 jakarta-tomcat/src/share/org/apache/tomcat/request/SecurityCheck.java
Index: SecurityCheck.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SecurityCheck.java,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- SecurityCheck.java 2000/03/31 15:50:10 1.11
+++ SecurityCheck.java 2000/04/06 06:00:45 1.12
@@ -135,7 +135,7 @@
new SimpleRequestSecurityProviderImpl(roles);
ctx.setRequestSecurityProvider(rsp);
}
-
+
if( req.getRemoteUser() != null) return 0; // already authenticated
String authMethod=ctx.getAuthMethod();
@@ -315,7 +315,14 @@
public void addUser(String name, String pass, String groups ) {
if( debug > 0 ) ctx.log( "Add user " + name + " " + pass + " " + groups );
passwords.put( name, pass );
- addRole( groups, name );
+ groups += ",";
+ while (true) {
+ int comma = groups.indexOf(",");
+ if (comma < 0)
+ break;
+ addRole( groups.substring(0, comma).trim(), name);
+ groups = groups.substring(comma + 1);
+ }
}
public void addRole( String role, String user ) {
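Review bot: The new comma-splitting loop registers empty and bogus role names: a trailing comma, a doubled comma, or an all-blank `groups` string produces `addRole("", name)`, and a null `groups` is turned into the string `"null,"` by `groups += ","`, so the user is granted a role literally named `null`. Role names are what the access check matches against, so blank tokens should be dropped and null handled before the loop, e.g. with a StringTokenizer (needs a java.util import if the file does not already have one). Separately, the unchanged debug line above the loop writes the cleartext password to the context log (`ctx.log( "Add user " + name + " " + pass + " " + groups )`); `pass` should be removed from that message regardless of the debug level. addRole's body continues outside the hunk.
```java
    public void addUser(String name, String pass, String groups ) {
        if( debug > 0 ) ctx.log( "Add user " + name + " groups=" + groups );  // never log the password
        passwords.put( name, pass );
        if (groups == null)
            return;
        StringTokenizer st = new StringTokenizer(groups, ",");
        while (st.hasMoreTokens()) {
            String role = st.nextToken().trim();
            if (role.length() > 0)   // skip empty tokens from ",," or a trailing ","
                addRole(role, name);
        }
    }
```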