Posted to dev@tomcat.apache.org by bi...@apache.org on 2005/11/22 06:18:10 UTC
svn commit: r348091 -
/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java
Author: billbarker
Date: Mon Nov 21 21:18:05 2005
New Revision: 348091
URL: http://svn.apache.org/viewcvs?rev=348091&view=rev
Log:
Fix for a couple of (mostly silly) edge-cases in testing auth.
If any security-constraint doesn't have an auth-constraint, then we pass.
Otherwise, if any security-constraint has an <auth-constraint />, then deny access to everyone.
Otherwise, much as before (e.g. allow to the first constraint that allows it).
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java?rev=348091&r1=348090&r2=348091&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java Mon Nov 21 21:18:05 2005
@@ -724,26 +724,26 @@
// Which user principal have we already authenticated?
Principal principal = request.getPrincipal();
+ boolean status = false;
+ boolean denyfromall = false;
for(int i=0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String roles[] = constraint.findAuthRoles();
if (roles == null)
roles = new String[0];
- if (constraint.getAllRoles())
- return (true);
+ if (constraint.getAllRoles() && !denyfromall)
+ status = true;
if (log.isDebugEnabled())
log.debug(" Checking roles " + principal);
if (roles.length == 0) {
if(constraint.getAuthConstraint()) {
- response.sendError
- (HttpServletResponse.SC_FORBIDDEN,
- sm.getString("realmBase.forbidden"));
if( log.isDebugEnabled() )
log.debug("No roles ");
- return (false); // No listed roles means no access at all
+ status = false; // No listed roles means no access at all
+ denyfromall = true;
} else {
if(log.isDebugEnabled())
log.debug("Passing all access");
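Review bot: The `status = true` set on the `getAllRoles()` line can be undone a few lines later by the `roles.length == 0` branch: the old code returned `true` before reaching that check, but now a constraint whose `findAuthRoles()` is empty and whose `getAuthConstraint()` is true falls into the "No roles" path, which sets `status = false` and `denyfromall = true` for every remaining constraint. Whether a `<role-name>*</role-name>` constraint presents as all-roles with an empty role list depends on SecurityConstraint, which is not in this hunk; if it does, such a constraint now denies everyone instead of admitting any authenticated user. Guarding the branch with `if (roles.length == 0 && !constraint.getAllRoles()) {` keeps the all-roles case on the principal/role path below. The enclosing method starts before this hunk, and its remaining context lines (the pass-all branch) are not visible here.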
@@ -752,25 +752,24 @@
} else if (principal == null) {
if (log.isDebugEnabled())
log.debug(" No user authenticated, cannot grant access");
- response.sendError
- (HttpServletResponse.SC_FORBIDDEN,
- sm.getString("realmBase.notAuthenticated"));
- return (false);
- }
-
+ status = false;
+ } else if(!denyfromall) {
- for (int j = 0; j < roles.length; j++) {
- if (hasRole(principal, roles[j]))
- return (true);
- if( log.isDebugEnabled() )
- log.debug( "No role found: " + roles[j]);
+ for (int j = 0; j < roles.length; j++) {
+ if (hasRole(principal, roles[j]))
+ status = true;
+ if( log.isDebugEnabled() )
+ log.debug( "No role found: " + roles[j]);
+ }
}
}
// Return a "Forbidden" message denying access to this resource
- response.sendError
- (HttpServletResponse.SC_FORBIDDEN,
- sm.getString("realmBase.forbidden"));
- return (false);
+ if(!status) {
+ response.sendError
+ (HttpServletResponse.SC_FORBIDDEN,
+ sm.getString("realmBase.forbidden"));
+ }
+ return status;
}
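Review bot: The unauthenticated case at `else if (principal == null)` now only clears `status`, so the distinct `realmBase.notAuthenticated` message removed here is never sent and every denial reports `realmBase.forbidden`, which makes authentication failures harder to tell apart from authorization failures in the response. Because `principal` is fixed for the whole loop, the final error can still choose the right message without another flag: `sm.getString(principal == null && !denyfromall ? "realmBase.notAuthenticated" : "realmBase.forbidden")`. Separately, the role loop keeps logging `"No role found: "` for every remaining role after one has already matched; a `break;` after `status = true;` would stop that noise and the redundant `hasRole` calls.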