You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/08/12 21:15:02 UTC
[tomcat] branch BZ-63636/tomcat-8.5.x updated: BZ 63636:
Context#findRoleMapping() never called in
StandardWrapper#findSecurityReference()
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch BZ-63636/tomcat-8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/BZ-63636/tomcat-8.5.x by this push:
new bbd8787 BZ 63636: Context#findRoleMapping() never called in StandardWrapper#findSecurityReference()
bbd8787 is described below
commit bbd8787c42270dc03cf6af853d745f69ba77d7f7
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Mon Aug 5 21:32:58 2019 +0200
BZ 63636: Context#findRoleMapping() never called in StandardWrapper#findSecurityReference()
---
java/org/apache/catalina/core/StandardWrapper.java | 14 ++++-
java/org/apache/catalina/realm/RealmBase.java | 2 +-
.../apache/catalina/core/TestStandardWrapper.java | 67 ++++++++++++++++++++++
test/org/apache/catalina/realm/TestRealmBase.java | 2 +
webapps/docs/changelog.xml | 4 ++
5 files changed, 87 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/core/StandardWrapper.java b/java/org/apache/catalina/core/StandardWrapper.java
index a12ea42..d0dd4b2 100644
--- a/java/org/apache/catalina/core/StandardWrapper.java
+++ b/java/org/apache/catalina/core/StandardWrapper.java
@@ -922,14 +922,26 @@ public class StandardWrapper extends ContainerBase
*/
@Override
public String findSecurityReference(String name) {
+ String reference = null;
referencesLock.readLock().lock();
try {
- return references.get(name);
+ reference = references.get(name);
} finally {
referencesLock.readLock().unlock();
}
+ // If not specified on the Wrapper, check the Context
+ if (getParent() instanceof Context) {
+ Context context = (Context) getParent();
+ if (reference != null) {
+ reference = context.findRoleMapping(reference);
+ } else {
+ reference = context.findRoleMapping(name);
+ }
+ }
+
+ return reference;
}
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index eaa49aa..dd1761c 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -922,7 +922,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
*/
@Override
public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
- // Check for a role alias defined in a <security-role-ref> element
+ // Check for a role alias
if (wrapper != null) {
String realRole = wrapper.findSecurityReference(role);
if (realRole != null) {
diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java b/test/org/apache/catalina/core/TestStandardWrapper.java
index 30f24c1..9358345 100644
--- a/test/org/apache/catalina/core/TestStandardWrapper.java
+++ b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -18,6 +18,7 @@ package org.apache.catalina.core;
import java.io.File;
import java.io.IOException;
+import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
@@ -48,6 +49,7 @@ import org.junit.Test;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.authenticator.BasicAuthenticator;
+import org.apache.catalina.realm.MessageDigestCredentialHandler;
import org.apache.catalina.startup.TesterMapRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
@@ -235,6 +237,71 @@ public class TestStandardWrapper extends TomcatBaseTest {
Assert.assertTrue(bc.toString().contains("00-OK"));
}
+ @Test
+ public void testRoleMappingInEngine() throws Exception {
+ doTestRoleMapping("engine");
+ }
+
+ @Test
+ public void testRoleMappingInHost() throws Exception {
+ doTestRoleMapping("host");
+ }
+
+ @Test
+ public void testRoleMappingInContext() throws Exception {
+ doTestRoleMapping("context");
+ }
+
+ private void doTestRoleMapping(String realmContainer)
+ throws Exception {
+ // Setup Tomcat instance
+ Tomcat tomcat = getTomcatInstance();
+
+ // No file system docBase required
+ Context ctx = tomcat.addContext("", null);
+ ctx.addRoleMapping("testRole2", "very-complex-role-name");
+ /* We won't map "testRole3" to "another-very-complex-role-name" to make
+ * it fail intentionally.
+ */
+
+ Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", TestServlet.class.getName());
+ ctx.addServletMappingDecoded("/", "servlet");
+
+ TesterMapRealm realm = new TesterMapRealm();
+ MessageDigestCredentialHandler ch = new MessageDigestCredentialHandler();
+ ch.setAlgorithm("SHA");
+ realm.setCredentialHandler(ch);
+
+ /* Attach the realm to the appropriate container, but role mapping must
+ * always succeed because it is evaluated at context level.
+ */
+ if (realmContainer.equals("engine")) {
+ tomcat.getEngine().setRealm(realm);
+ } else if (realmContainer.equals("host")) {
+ tomcat.getHost().setRealm(realm);
+ } else if (realmContainer.equals("context")) {
+ ctx.setRealm(realm);
+ } else {
+ throw new IllegalArgumentException("realmContainer is invalid");
+ }
+
+ realm.addUser("testUser", ch.mutate("testPwd"));
+ realm.addUserRole("testUser", "testRole1");
+ realm.addUserRole("testUser", "very-complex-role-name");
+ realm.addUserRole("testUser", "another-very-complex-role-name");
+
+ tomcat.start();
+
+ Principal p = realm.authenticate("testUser", "testPwd");
+
+ Assert.assertNotNull(p);
+ Assert.assertEquals("testUser", p.getName());
+ Assert.assertTrue(realm.hasRole(wrapper, p, "testRole1"));
+ Assert.assertTrue(realm.hasRole(wrapper, p, "testRole2"));
+ Assert.assertTrue(realm.hasRole(wrapper, p, "very-complex-role-name"));
+ Assert.assertFalse(realm.hasRole(wrapper, p, "testRole3"));
+ }
+
private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
throws Exception {
diff --git a/test/org/apache/catalina/realm/TestRealmBase.java b/test/org/apache/catalina/realm/TestRealmBase.java
index 43b5d77..a83de6a 100644
--- a/test/org/apache/catalina/realm/TestRealmBase.java
+++ b/test/org/apache/catalina/realm/TestRealmBase.java
@@ -19,7 +19,9 @@ package org.apache.catalina.realm;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ac43803..0839a76 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -101,6 +101,10 @@
and a request does not map to any of the other deployed Contexts. Patch
provided by Jop Zinkweg. (markt)
</fix>
+ <fix>
+ <bug>63636</bug>: <code>Context.findRoleMapping()</code> never called
+ in <code>StandardWrapper.findSecurityReference()</code>. (michaelo)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org