You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/08/05 19:36:28 UTC
[tomcat] 01/01: BZ 63636: Context#findRoleMapping() never called in
RealmBase#hasRole()
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch BZ-63636/tomcat-9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 738380b40daaf310f8e706695937f3e771fac652
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Mon Aug 5 21:32:58 2019 +0200
BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
---
java/org/apache/catalina/realm/RealmBase.java | 9 +++++
test/org/apache/catalina/realm/TestRealmBase.java | 43 +++++++++++++++++++++++
webapps/docs/changelog.xml | 4 +++
3 files changed, 56 insertions(+)
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index c779c34..dbeeaa3 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -928,6 +928,15 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
}
}
+ // Check for a role alias/mapping defined on context level
+ if (getContainer() instanceof Context) {
+ Context context = (Context) getContainer();
+ String realRole = context.findRoleMapping(role);
+ if (realRole != null) {
+ role = realRole;
+ }
+ }
+
// Should be overridden in JAASRealm - to avoid pretty inefficient conversions
if (principal == null || role == null) {
return false;
diff --git a/test/org/apache/catalina/realm/TestRealmBase.java b/test/org/apache/catalina/realm/TestRealmBase.java
index 7ef9191..b4d35fb 100644
--- a/test/org/apache/catalina/realm/TestRealmBase.java
+++ b/test/org/apache/catalina/realm/TestRealmBase.java
@@ -19,7 +19,9 @@ package org.apache.catalina.realm;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
@@ -789,4 +791,45 @@ public class TestRealmBase {
Assert.assertFalse(mapRealm.hasResourcePermission(
request, response, constraintsDelete, null));
}
+
+ @Test
+ public void testRoleMapping() throws Exception {
+ Context context = new TesterContext() {
+ private Map<String, String> roleMapping = new HashMap<>();
+
+ public void addRoleMapping(String role, String link) {
+ roleMapping.put(role, link);
+ }
+
+ @Override
+ public String findRoleMapping(String role) {
+ return roleMapping.get(role);
+ }
+ };
+
+ context.addRoleMapping(ROLE2, "very-complex-role-name");
+ // We won't map ROLE3 to "another-very-complex-role-name" to make it fail
+ // intentionally
+
+ TesterMapRealm realm = new TesterMapRealm();
+ MessageDigestCredentialHandler ch = new MessageDigestCredentialHandler();
+ ch.setAlgorithm("SHA");
+ realm.setCredentialHandler(ch);
+ realm.setContainer(context);
+ realm.start();
+
+ realm.addUser(USER1, PWD_SHA);
+ realm.addUserRole(USER1, ROLE1);
+ realm.addUserRole(USER1, "very-complex-role-name");
+ realm.addUserRole(USER1, "another-very-complex-role-name");
+
+ Principal p = realm.authenticate(USER1, PWD);
+
+ Assert.assertNotNull(p);
+ Assert.assertEquals(USER1, p.getName());
+ Assert.assertTrue(realm.hasRole(null, p, ROLE1));
+ Assert.assertTrue(realm.hasRole(null, p, ROLE2));
+ Assert.assertTrue(realm.hasRole(null, p, "very-complex-role-name"));
+ Assert.assertFalse(realm.hasRole(null, p, ROLE3));
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6414088..c56fbfb 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,10 @@
<section name="Tomcat 9.0.23 (markt)" rtext="in development">
<subsection name="Catalina">
<changelog>
+ <fix>
+ <bug>63636</bug>: <code>Context.findRoleMapping()</code> never called
+ in <code>RealmBase#hasRole()</code>. (michaelo)
+ </fix>
<update>
<bug>63627</bug>: Implement more fine-grained handling in
<code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org