Posted to dev@tomcat.apache.org by re...@apache.org on 2022/11/17 10:23:42 UTC

[tomcat] branch 9.0.x updated: Improve the behavior of the credential handler attribute

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new b588093154 Improve the behavior of the credential handler attribute
b588093154 is described below

commit b588093154b40343ffff75b23ffc8394da356af7
Author: remm <re...@apache.org>
AuthorDate: Thu Nov 17 11:14:56 2022 +0100

    Improve the behavior of the credential handler attribute
    
    This will now set a Servlet context attribute if a Realm is used by the
    Context. Also, CombinedRealm gets a credential handler that will produce
    results by asking the nested realms.
---
 java/org/apache/catalina/core/StandardContext.java |  9 ++++--
 java/org/apache/catalina/realm/CombinedRealm.java  | 35 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  5 ++++
 3 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
index 3d86ee343f..f1cbf86aa9 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -5101,23 +5101,26 @@ public class StandardContext extends ContainerBase
                 getLogger();
 
                 Realm realm = getRealmInternal();
-                if(null != realm) {
+                if (null != realm) {
                     if (realm instanceof Lifecycle) {
                         ((Lifecycle) realm).start();
                     }
+                }
 
+                realm = getRealm();
+                if (null != realm) {
                     // Place the CredentialHandler into the ServletContext so
                     // applications can have access to it. Wrap it in a "safe"
                     // handler so application's can't modify it.
                     CredentialHandler safeHandler = new CredentialHandler() {
                         @Override
                         public boolean matches(String inputCredentials, String storedCredentials) {
-                            return getRealmInternal().getCredentialHandler().matches(inputCredentials, storedCredentials);
+                            return getRealm().getCredentialHandler().matches(inputCredentials, storedCredentials);
                         }
 
                         @Override
                         public String mutate(String inputCredentials) {
-                            return getRealmInternal().getCredentialHandler().mutate(inputCredentials);
+                            return getRealm().getCredentialHandler().mutate(inputCredentials);
                         }
                     };
                     context.setAttribute(Globals.CREDENTIAL_HANDLER, safeHandler);
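Review bot: The wrapper's `matches` and `mutate` dereference `getRealm().getCredentialHandler()` on every call with no null check, so the `null != realm` test made once at start does not protect later calls; if the realm is removed or replaced after start, or the resolved realm returns no handler, the application gets a NullPointerException out of a credential check. Switching from `getRealmInternal()` to `getRealm()` also means the handler exposed to the application can presumably belong to a realm inherited from a parent container, which is worth saying in the comment above `safeHandler`. A guard such as `Realm r = getRealm(); CredentialHandler ch = (r == null) ? null : r.getCredentialHandler(); return ch != null && ch.matches(inputCredentials, storedCredentials);` fails closed instead. The same unchecked `realm.getCredentialHandler()` call appears in both loops of `CombinedRealmCredentialHandler` in CombinedRealm.java. The enclosing method starts and ends outside this hunk.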
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index 573441f79c..eaf46cecd1 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -253,6 +253,12 @@ public class CombinedRealm extends RealmBase {
                 }
             }
         }
+
+        if (getCredentialHandler() == null) {
+            // Set a credential handler that will ask the nested realms so that it can
+            // be set by the context in the attributes, it won't be used directly
+            super.setCredentialHandler(new CombinedRealmCredentialHandler());
+        }
         super.startInternal();
     }
 
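Review bot: The `getCredentialHandler() == null` guard means a handler configured explicitly on the CombinedRealm suppresses the combined handler, and that explicit handler is then what the context publishes as its attribute. The setter visible in the next hunk only logs `combinedRealm.setCredentialHandler` as a warning and still stores the value, so this case is reachable; if authentication is delegated to the nested realms, as the added comment implies, the attribute would then not reflect what authentication actually uses. Either install `CombinedRealmCredentialHandler` unconditionally or document the exception in the comment, e.g. `// An explicitly configured handler is kept and exposed as-is, even though the nested realms do not use it`. The enclosing method starts before this hunk.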
@@ -469,4 +475,33 @@ public class CombinedRealm extends RealmBase {
         log.warn(sm.getString("combinedRealm.setCredentialHandler"));
         super.setCredentialHandler(credentialHandler);
     }
+
+    private class CombinedRealmCredentialHandler implements CredentialHandler {
+
+        @Override
+        public boolean matches(String inputCredentials,
+                String storedCredentials) {
+            for (Realm realm : realms) {
+                if (realm.getCredentialHandler().matches(inputCredentials, storedCredentials)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        @Override
+        public String mutate(String inputCredentials) {
+            if (realms.isEmpty()) {
+                return null;
+            }
+            for (Realm realm : realms) {
+                String mutatedCredentials = realm.getCredentialHandler().mutate(inputCredentials);
+                if (mutatedCredentials != null) {
+                    return mutatedCredentials;
+                }
+            }
+            return null;
+       }
+
+    }
 }
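Review bot: `matches` returns true as soon as any nested realm's handler accepts the pair, so the handler handed to applications is only as strict as the most permissive handler among the nested realms, and a stored credential is never tied to the realm it came from. `mutate` returns the first non-null result, so the stored-credential format an application receives depends on nested realm order. Neither behaviour is documented; a class Javadoc stating both (any-match semantics for `matches`, first-realm-wins for `mutate`) would let application authors judge whether the attribute is suitable for verifying or creating stored credentials. The `realms.isEmpty()` check in `mutate` is redundant because the loop already falls through to `return null`, and the closing brace of `mutate` is indented one column short.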
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 10e83b3e75..8e39b4240c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -114,6 +114,11 @@
         <code>HttpServletRequest.getTrailerFields()</code> and with the Servlet
         API provided by the Jakarta EE project. (markt)
       </fix>
+      <fix>
+        Improve the behavior of the credential handler attribute that is set in
+        the Servlet context so that it actually reflects what is used during
+        authentication. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">

