You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/12/09 14:32:10 UTC

DO NOT REPLY [Bug 37852] New: - Security constraint where role name defined as any ("*") deny access at all

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37852>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37852

           Summary: Security constraint where role name defined as any ("*")
                    deny access at all
           Product: Tomcat 5
           Version: 5.5.14
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: maxoid@mail.ru


Class org.apache.catalina.realm.RealmBase, lines from 735:
            
            if (constraint.getAllRoles() && !denyfromall)
                status = true;

            if (log.isDebugEnabled())
                log.debug("  Checking roles " + principal);

            if (roles.length == 0) {
                if(constraint.getAuthConstraint()) {
                    if( log.isDebugEnabled() )
                        log.debug("No roles ");
                    status = false; // No listed roles means no access at all
                    denyfromall = true;
                } else {
                    if(log.isDebugEnabled())
                        log.debug("Passing all access");
                    return (true);
                }
            } else if (principal == null) {
                if (log.isDebugEnabled())
                    log.debug("  No user authenticated, cannot grant access");
                status = false;
            } else if(!denyfromall) {

                for (int j = 0; j < roles.length; j++) {
                    if (hasRole(principal, roles[j]))
                        status = true;
                    if( log.isDebugEnabled() )
                        log.debug( "No role found:  " + roles[j]);
                }
            }

must be

            if (constraint.getAllRoles() && !denyfromall)
                status = true;

            else {

            if (log.isDebugEnabled())
                log.debug("  Checking roles " + principal);

            if (roles.length == 0) {
                if(constraint.getAuthConstraint()) {
                    if( log.isDebugEnabled() )
                        log.debug("No roles ");
                    status = false; // No listed roles means no access at all
                    denyfromall = true;
                } else {
                    if(log.isDebugEnabled())
                        log.debug("Passing all access");
                    return (true);
                }
            } else if (principal == null) {
                if (log.isDebugEnabled())
                    log.debug("  No user authenticated, cannot grant access");
                status = false;
            } else if(!denyfromall) {

                for (int j = 0; j < roles.length; j++) {
                    if (hasRole(principal, roles[j]))
                        status = true;
                    if( log.isDebugEnabled() )
                        log.debug( "No role found:  " + roles[j]);
                }
            }
            }

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org