Posted to dev@tomcat.apache.org by re...@apache.org on 2021/06/01 10:05:07 UTC
[tomcat] branch main updated: Simplify roles handling in user
database realm
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new bfca3f8 Simplify roles handling in user database realm
bfca3f8 is described below
commit bfca3f8a0360dfaa1f90a01bcf3cb8b035b1dba7
Author: remm <re...@apache.org>
AuthorDate: Tue Jun 1 12:04:38 2021 +0200
Simplify roles handling in user database realm
Remove undocumented live updating of roles, which is inconsistent with
the other realms and likely impractical.
Submitted by Carsten Klein.
---
.../apache/catalina/realm/UserDatabaseRealm.java | 84 ++--------------------
webapps/docs/changelog.xml | 12 ++++
2 files changed, 16 insertions(+), 80 deletions(-)
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index f30c24a..67d83ca 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -18,8 +18,9 @@ package org.apache.catalina.realm;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.Iterator;
-import java.util.List;
+import java.util.Set;
import javax.naming.Context;
@@ -28,7 +29,6 @@ import org.apache.catalina.LifecycleException;
import org.apache.catalina.Role;
import org.apache.catalina.User;
import org.apache.catalina.UserDatabase;
-import org.apache.catalina.Wrapper;
import org.apache.naming.ContextBindings;
import org.apache.tomcat.util.ExceptionUtils;
@@ -112,69 +112,6 @@ public class UserDatabaseRealm extends RealmBase {
}
- // --------------------------------------------------------- Public Methods
-
- /**
- * Return <code>true</code> if the specified Principal has the specified
- * security role, within the context of this Realm; otherwise return
- * <code>false</code>. This implementation returns <code>true</code> if the
- * <code>User</code> has the role, or if any <code>Group</code> that the
- * <code>User</code> is a member of has the role.
- *
- * @param principal Principal for whom the role is to be checked
- * @param role Security role to be checked
- */
- @Override
- public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
-
- UserDatabase database = getUserDatabase();
- if (database == null) {
- return false;
- }
-
- // Check for a role alias defined in a <security-role-ref> element
- if (wrapper != null) {
- String realRole = wrapper.findSecurityReference(role);
- if (realRole != null) {
- role = realRole;
- }
- }
- if (principal instanceof GenericPrincipal) {
- GenericPrincipal gp = (GenericPrincipal) principal;
- if (gp.getUserPrincipal() instanceof UserDatabasePrincipal) {
- principal = database.findUser(gp.getName());
- }
- }
- if (!(principal instanceof User)) {
- // Play nice with SSO and mixed Realms
- // No need to pass the wrapper here because role mapping has been
- // performed already a few lines above
- return super.hasRole(null, principal, role);
- }
- if ("*".equals(role)) {
- return true;
- } else if (role == null) {
- return false;
- }
- User user = (User) principal;
- Role dbrole = database.findRole(role);
- if (dbrole == null) {
- return false;
- }
- if (user.isInRole(dbrole)) {
- return true;
- }
- Iterator<Group> groups = user.getGroups();
- while (groups.hasNext()) {
- Group group = groups.next();
- if (group.isInRole(dbrole)) {
- return true;
- }
- }
- return false;
- }
-
-
// ------------------------------------------------------ Protected Methods
@Override
@@ -221,7 +158,7 @@ public class UserDatabaseRealm extends RealmBase {
return null;
}
- List<String> roles = new ArrayList<>();
+ Set<String> roles = new HashSet<>();
Iterator<Role> uroles = user.getRoles();
while (uroles.hasNext()) {
Role role = uroles.next();
@@ -236,8 +173,7 @@ public class UserDatabaseRealm extends RealmBase {
roles.add(role.getName());
}
}
- return new GenericPrincipal(username, roles,
- new UserDatabasePrincipal(username));
+ return new GenericPrincipal(username, new ArrayList<String>(roles));
}
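Review bot: The role names handed to the returned GenericPrincipal are now a snapshot taken at authentication time, and since the live lookup in the removed hasRole override is gone, the method's Javadoc (outside this hunk) should state that contract; a note such as `Roles are collected once here and are not refreshed from the user database for the lifetime of the principal, so a role removed from the database only takes effect at the user's next login.` would keep the change visible to maintainers. A minor style point on the return line: the surrounding code already uses the diamond form (`new HashSet<>()`), so `return new GenericPrincipal(username, new ArrayList<>(roles));` is enough. getPrincipal starts outside this hunk.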
@@ -306,16 +242,4 @@ public class UserDatabaseRealm extends RealmBase {
// Release reference to our user database
database = null;
}
-
-
- private static class UserDatabasePrincipal implements Principal {
- private final String name;
- private UserDatabasePrincipal(String name) {
- this.name = name;
- }
- @Override
- public String getName() {
- return name;
- }
- }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8e39a2a..3145d04 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -160,6 +160,18 @@
AprLifecycleListener does not show dev version suffix for libtcnative
and libapr. (michaelo)
</fix>
+ <update>
+ <pr>420</pr>: Remove class <code>UserDatabasePrincipal</code> and the
+ <code>hasRole</code> override from class <code>UserDatabaseRealm</code>
+ in order to make the Realm work with cached roles only during a user's
+ login (according to the documentation). Submitted by Carsten Klein.
+ (remm)
+ </update>
+ <fix>
+ Ignore duplicates when collecting the effective roles list from Roles and
+ Groups in <code>UserDatabaseRealm.getPrincipal(String)</code>. Submitted
+ by Carsten Klein. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">