Posted to dev@tomcat.apache.org by ma...@apache.org on 2006/01/02 16:46:08 UTC

svn commit: r365363 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/realm/RealmBase.java webapps/docs/changelog.xml

Author: markt
Date: Mon Jan  2 07:46:04 2006
New Revision: 365363

URL: http://svn.apache.org/viewcvs?rev=365363&view=rev
Log:
Fix bug 15570. Magic role of * was interpreted as all authenticated
users rather than as all roles defined in web.xml
Ported from TC4.

Modified:
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java
    tomcat/container/tc5.5.x/webapps/docs/changelog.xml

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java?rev=365363&r1=365362&r2=365363&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java Mon Jan  2 07:46:04 2006
@@ -728,12 +728,17 @@
         boolean denyfromall = false;
         for(int i=0; i < constraints.length; i++) {
             SecurityConstraint constraint = constraints[i];
-            String roles[] = constraint.findAuthRoles();
+
+            String roles[];
+            if (constraint.getAllRoles()) {
+                // * means all roles defined in web.xml
+                roles = request.getContext().findSecurityRoles();
+            } else {
+                roles = constraint.findAuthRoles();
+            }
+
             if (roles == null)
                 roles = new String[0];
-
-            if (constraint.getAllRoles() && !denyfromall)
-                status = true;
 
             if (log.isDebugEnabled())
                 log.debug("  Checking roles " + principal);
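Review bot: When `constraint.getAllRoles()` is true and the context declares no security roles, `roles` is an empty array after the null check, which looks indistinguishable from what the `findAuthRoles()` branch yields for a constraint with no role names. The code that interprets an empty `roles` sits below this hunk, so it is worth confirming that this case ends in a denial and is not mistaken for a resource with no auth-constraint. With the old `status = true` shortcut removed, an authenticated principal holding none of the declared roles is now refused; that is the intended fix, but the call site does not say so. I would widen the comment to something like `// "*" expands to the <security-role> names declared in web.xml; the list may be empty, and a principal holding none of them is not authorized`. The enclosing loop and method begin and end outside the hunk.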

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=365363&r1=365362&r2=365363&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Mon Jan  2 07:46:04 2006
@@ -31,11 +31,18 @@
        <bug>37934</bug>: Don't ask for authentication if deny-from-all is in effect. (billbarker)
       </fix>
       <fix>
+        <bug>15570</bug>: auth-constraint of * was interpretted as all
+        authenticated users rather than as all roles defined in web.xml. (markt)
+      </fix>
+      <fix>
        Remove leftover static logger which was used to log application level messages in
        ApplicationContextFacade (remm)
       </fix>
       <fix>
         <bug>38012</bug>: Where a CGI script sets a response code, use it. (markt)
+      </fix>
+      <fix>
+        <bug>37854</bug>: Extension-List checking was too strict. (markt)
       </fix>
     </changelog>
   </subsection>


