craigmcc 00/11/16 15:52:14 Modified: src/share/org/apache/tomcat/request Tag: tomcat_32 JDBCRealm.java src/share/org/apache/tomcat/util Tag: tomcat_32 SecurityTools.java Log: Avoid "index out of bound" exceptions in the following scenarios: * JDBCRealm is configured, user is authenticated successfully, user has no defined roles, debug output is enabled * JDBCRealm is configured, user is authenticated successfully, security constraint has no defined roles, debug output is enabled * Null is passed as an argument to either SecurityTools.haveRole() method. PR: BugRat Bug Report #372 Submitted by: Tero Piirainen <[EMAIL PROTECTED]> Revision Changes Path No revision No revision 1.9.2.2 +12 -2 jakarta-tomcat/src/share/org/apache/tomcat/request/JDBCRealm.java
Index: JDBCRealm.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/JDBCRealm.java,v
retrieving revision 1.9.2.1
retrieving revision 1.9.2.2
diff -u -r1.9.2.1 -r1.9.2.2
--- JDBCRealm.java 2000/10/17 23:36:24 1.9.2.1
+++ JDBCRealm.java 2000/11/16 23:52:13 1.9.2.2
@@ -509,12 +509,22 @@
userRoles = getUserRoles( user );
req.setUserRoles( userRoles );
- if( debug > 0 ) log( "Auth ok, first role=" + userRoles[0] );
+ if( debug > 0 ) {
+ if ((userRoles != null) && (userRoles.length > 0))
+ log( "Auth ok, first role=" + userRoles[0] );
+ else
+ log( "Auth ok, user has no roles");
+ }
if( SecurityTools.haveRole( userRoles, roles )) return 0;
- if( debug > 0 ) log( "UnAuthorized " + roles[0] );
+ if( debug > 0 ) {
+ if ((roles != null) && (roles.length > 0))
+ log( "UnAuthorized " + roles[0] );
+ else
+ log( "UnAuthorized - no roles specified");
+ }
return 401; //HttpServletResponse.SC_UNAUTHORIZED // XXX check transport
}
No revision No revision 1.5.2.1 +5 -1 jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SecurityTools.java
Index: SecurityTools.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SecurityTools.java,v
retrieving revision 1.5
retrieving revision 1.5.2.1
diff -u -r1.5 -r1.5.2.1
--- SecurityTools.java 2000/06/23 02:16:30 1.5
+++ SecurityTools.java 2000/11/16 23:52:14 1.5.2.1
@@ -192,6 +192,8 @@
}
public static boolean haveRole( String userRoles[], String requiredRoles[] ) {
+ if ((userRoles == null) || (requiredRoles == null))
+ return false;
for( int i=0; i< userRoles.length; i ++ ) {
if( haveRole( userRoles[i], requiredRoles )) return true;
}
@@ -199,8 +201,10 @@
}
public static boolean haveRole( String element, String set[] ) {
+ if ((element == null) || (set == null))
+ return false;
for( int i=0; i< set.length; i ++ ) {
- if( element!=null && element.equals( set[i] ))
+ if( element.equals( set[i] ))
return true;
}
return false;
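Review bot: `req.setUserRoles( userRoles )` on the second context line still stores a null array on the request when `getUserRoles` returns null, so the new null checks only protect this method's own debug logging while anything that later reads the roles off the request presumably has to repeat the same guard. Normalising once, `if (userRoles == null) userRoles = new String[0];` immediately after `getUserRoles`, would give every downstream consumer the same empty-array contract and make the `userRoles != null` test in the new logging branch unnecessary. The `return 401` after a successful authentication whose role check fails is pre-existing and untouched here; the haveRole guard now turns a null `roles` constraint into a deny, which is the safe direction. The enclosing method begins before this hunk.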
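Review bot: The new guard in the array form of `haveRole` makes a null `userRoles` or null `requiredRoles` a silent deny, and that fail-closed contract is exactly what the realm relies on, so it should be stated in a Javadoc rather than left implicit. Proposed, above the signature: `/** @return true if any element of userRoles is in requiredRoles; false (deny) when either array is null or empty. */`. An empty `requiredRoles` also yields false from the loop, so a constraint that names no roles grants nobody — worth saying explicitly, since a reader might expect "no roles required" to mean "allow". The method's final `return false` lies outside this hunk.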
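Review bot: The early return in the single-element `haveRole` replaces the per-iteration `element!=null` test, but a null entry inside `set` is still handled only by `element.equals( set[i] )` returning false; that is correct, yet a one-line comment such as `// null entries in set never match` would save the next reader from re-deriving it, since role arrays filled from a database column may plausibly contain nulls (not verifiable from this hunk). A Javadoc line `@return false when element or set is null` would also make the fail-closed behaviour explicit for callers.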