nacho 01/04/17 03:43:58
Modified: src/share/org/apache/tomcat/request Tag: tomcat_32
SimpleRealm.java JDBCRealm.java
src/share/org/apache/tomcat/core Tag: tomcat_32
RequestImpl.java
Log:
* Security problems with getUserPrincipal,
a not authenticated request got the roles
from the last successful auth ..
* security-role-ref not correctly honored
Submitted by : Thom Park (tpar at borland.com)
Revision Changes Path
No revision
No revision
1.5.2.2 +1 -0
jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/SimpleRealm.java
Index: SimpleRealm.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/SimpleRealm.java,v
retrieving revision 1.5.2.1
retrieving revision 1.5.2.2
diff -u -r1.5.2.1 -r1.5.2.2
--- SimpleRealm.java 2000/10/17 23:36:24 1.5.2.1
+++ SimpleRealm.java 2001/04/17 10:43:41 1.5.2.2
@@ -133,6 +133,7 @@
if( memoryRealm.checkPassword( user, password ) ) {
if( debug > 0 ) log( "Auth ok, user=" + user );
req.setRemoteUser( user );
+ req.setUserPrincipal(new SimplePrincipal(user));
Context ctx = req.getContext();
if (ctx != null)
req.setAuthType(ctx.getAuthMethod());
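Review bot: Setting the principal on the success branch only closes the reported leak if a failed or absent authentication on a reused request object can no longer see the principal left by the previous successful one; the failure branch and the request's recycle path are outside this hunk, so it is worth confirming that `principal` is reset wherever `remoteUser` is, or that the realm clears both on failure. The same applies to the identical line added in JDBCRealm.java and to RequestImpl.getUserPrincipal, which now returns the stored field without recreating it. A one-line comment on the added line, `// the realm must set the principal here: RequestImpl no longer derives it lazily from the remote user`, would record why the realm is now responsible for it. The enclosing method starts and ends outside the hunk.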
1.9.2.9 +1 -0
jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/JDBCRealm.java
Index: JDBCRealm.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/JDBCRealm.java,v
retrieving revision 1.9.2.8
retrieving revision 1.9.2.9
diff -u -r1.9.2.8 -r1.9.2.9
--- JDBCRealm.java 2001/02/23 22:07:55 1.9.2.8
+++ JDBCRealm.java 2001/04/17 10:43:43 1.9.2.9
@@ -453,6 +453,7 @@
if ( authenticate( user, password ) ) {
if( debug > 0 ) log( "Auth ok, user=" + user );
req.setRemoteUser( user );
+ req.setUserPrincipal(new SimplePrincipal(user));
Context ctx = req.getContext();
if (ctx != null)
req.setAuthType(ctx.getAuthMethod());
No revision
No revision
1.52.2.8 +28 -11
jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/RequestImpl.java
Index: RequestImpl.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Attic/RequestImpl.java,v
retrieving revision 1.52.2.7
retrieving revision 1.52.2.8
diff -u -r1.52.2.7 -r1.52.2.8
--- RequestImpl.java 2001/03/15 19:00:37 1.52.2.7
+++ RequestImpl.java 2001/04/17 10:43:52 1.52.2.8
@@ -357,9 +357,6 @@
*/
public Principal getUserPrincipal() {
if( getRemoteUser() == null ) return null;
- if( principal == null ) {
- principal=new SimplePrincipal( getRemoteUser() );
- }
return principal;
}
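Review bot: With the lazy construction removed, any realm that calls setRemoteUser without also calling setUserPrincipal now gets null from this method where it previously got a SimplePrincipal, so the contract has changed for realm implementations not touched by this commit (only SimpleRealm and JDBCRealm are updated here). The Javadoc ending at the `*/` above starts outside the hunk and should state the new contract, e.g. `Returns the principal supplied by the authenticating realm, or null if no remote user was set or the realm did not set a principal.`. Whether the changed behavior is acceptable depends on the remaining realm implementations, which are not visible here.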
@@ -380,15 +377,35 @@
}
public boolean isUserInRole(String role) {
- // if (userRoles != null) {
- // if( SecurityTools.haveRole( role, userRoles ))
- // return true;
- // }
- String checkRoles[]=new String[1];
- checkRoles[0]=role;
- int status=contextM.doAuthorize(this, response, checkRoles);
- return status==0;
+
+ String checkRoles[]=new String[1];
+
+ // get the servletWrapper...
+ if ( handler != null ) {
+ // lookup the alias
+ String mappedRole = handler.getSecurityRole(role);
+ if ( mappedRole != null ) {
+ // use translated role
+ checkRoles[0] = mappedRole;
+ } else {
+ /* XXX
+ * no alias found - technically we should return false however
+ * to maintain backwards compatability with earlier tomcat's
+ * preserver the existing behavior and do a lookup
+ * using the actual rolename passed to us
+ */
+ checkRoles[0] = role;
+ }
+ } else {
+ /* XXX servletWrapper is null -
+ * this shouldn't happen but setup for the lookup anyway
+ */
+ checkRoles[0] = role;
+ }
+ int status=contextM.doAuthorize(this, response, checkRoles);
+ return status==0;
}
+
public String getServletPath() {
return servletPath;
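Review bot: Both fallback branches assign `checkRoles[0] = role;`, and the mapped/unmapped choice reads more directly as one null-coalescing sequence, for example `String mappedRole = (handler != null) ? handler.getSecurityRole(role) : null;` followed by `checkRoles[0] = (mappedRole != null) ? mappedRole : role;`, which keeps the documented backwards-compatible fallback while removing the duplicated branch. The XXX comments are worth keeping because they record that an unresolved security-role-ref intentionally falls through to the raw role name instead of returning false; a spelling pass (`compatability` → `compatibility`, `preserver` → `preserve`) would help. Note that the alias lookup is applied only when `handler` is non-null, so a request reaching this method without a wrapper is authorized against the raw role name, as the second XXX comment already acknowledges.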