DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=30814>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=30814

           Summary: Management of the principal in the function
                    org.apache.catalina.security.SecurityUtil.execute()
           Product: Tomcat 5
           Version: 5.0.27
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Hi,

I found that the function org.apache.catalina.security.SecurityUtil.execute does not cover all the cases (oh yes, the last modifications are mine):

- if the parameter principal is null and the session is not, the new subject is created without any principal (this happened when filters are used). When this function is called the next time with a principal that is not null, that principal is not added to the subject, and the function is executed without that principal;

- if the subject in the session contains principals different from the one passed as the parameter to the function, the new principal is not added to the subject in the session.

I have one question: why is the principal passed to this function and not the subject?
I propose to change the function execute() to:

    // Replacement for execute() in org.apache.catalina.security.SecurityUtil.
    // The method relies on the class's existing log and sm fields and on these imports:
    //   java.io.IOException, java.lang.reflect.InvocationTargetException, java.lang.reflect.Method,
    //   java.security.Principal, java.security.PrivilegedActionException,
    //   java.security.PrivilegedExceptionAction, javax.security.auth.Subject,
    //   javax.servlet.ServletException, javax.servlet.UnavailableException,
    //   javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpSession,
    //   org.apache.catalina.Globals
    private static void execute(final Method method,
                                final Object targetObject,
                                final Object[] targetArguments,
                                Principal principal)
        throws java.lang.Exception {
        try {
            Subject subject = null;
            PrivilegedExceptionAction pea = new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    method.invoke(targetObject, targetArguments);
                    return null;
                }
            };

            // The first argument is always the request object
            // (the length check guards against an empty argument array)
            if (targetArguments != null
                    && targetArguments.length > 0
                    && targetArguments[0] instanceof HttpServletRequest) {
                HttpServletRequest request = (HttpServletRequest) targetArguments[0];
                HttpSession session = request.getSession(false);

                // Reuse the Subject already stored in the session, if there is one
                if (session != null) {
                    subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR);
                }

                // Only touch the Subject when a principal was actually supplied;
                // a call without one (e.g. a filter) must not store an empty Subject
                if (principal != null) {
                    if (subject == null) {
                        // Create the new Subject
                        subject = new Subject();
                        subject.getPrincipals().add(principal);
                    } else {
                        // Add the new Principal to the Subject if needed
                        if (!subject.getPrincipals().contains(principal))
                            subject.getPrincipals().add(principal);
                    }
                    if ((session != null) && (subject != null)) {
                        // add the subject to the session
                        session.setAttribute(Globals.SUBJECT_ATTR, subject);
                    }
                }
            }

            // A null subject is accepted here and runs the action with no Subject at all
            Subject.doAsPrivileged(subject, pea, null);
        } catch (PrivilegedActionException pe) {
            // method.invoke() wraps the target's exception; unwrap and rethrow it
            Throwable e = ((InvocationTargetException) pe.getException())
                    .getTargetException();
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("SecurityUtil.doAsPrivilege"), e);
            }
            if (e instanceof UnavailableException)
                throw (UnavailableException) e;
            else if (e instanceof ServletException)
                throw (ServletException) e;
            else if (e instanceof IOException)
                throw (IOException) e;
            else if (e instanceof RuntimeException)
                throw (RuntimeException) e;
            else
                throw new ServletException(e.getMessage(), e);
        }
    }
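An added, stand-alone illustration that is not part of this report or of the Tomcat source: it models the Subject bookkeeping discussed above against a java.util.Map standing in for the HttpSession, so that the two cases from the report (a filter call with a null principal followed by a call with a real one, and a session Subject that already holds a different principal) can be reproduced and the proposed logic compared with the old one. The "old" branch is reconstructed from the report's description of the symptoms, not copied from 5.0.27; SubjectBookkeepingDemo, NamePrincipal, oldResolve, newResolve and the attribute-name literal are assumed names. One caveat worth keeping in mind: Subject.getPrincipals() is a java.util.Set, so both the contains() check and add() in the proposal depend on the Principal class implementing equals()/hashCode(); a Principal class that keeps Object identity will be appended again on every request.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

public class SubjectBookkeepingDemo {

    // Stand-in for Globals.SUBJECT_ATTR; the literal value is assumed, not Tomcat's.
    static final String SUBJECT_ATTR = "javax.security.auth.subject";

    // Minimal Principal. Subject.getPrincipals() is a Set, so equals/hashCode decide
    // whether a second add() of the same user is a no-op or a duplicate entry.
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamePrincipal && ((NamePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Reconstruction of the behaviour the report describes (assumed, not 5.0.27 source):
    // a Subject already in the session is reused untouched, and a missing one is created
    // and stored even when there is no principal to put in it.
    static Subject oldResolve(Map<String, Object> session, Principal principal) {
        Subject subject = (session == null) ? null : (Subject) session.get(SUBJECT_ATTR);
        if (subject == null) {
            subject = new Subject();
            if (principal != null) {
                subject.getPrincipals().add(principal);
            }
            if (session != null) {
                session.put(SUBJECT_ATTR, subject);
            }
        }
        return subject;
    }

    // The logic of the proposed execute(): only touch the Subject when a principal was
    // supplied, merge it into whatever the session already holds, then store the result.
    static Subject newResolve(Map<String, Object> session, Principal principal) {
        Subject subject = (session == null) ? null : (Subject) session.get(SUBJECT_ATTR);
        if (principal != null) {
            if (subject == null) {
                subject = new Subject();
            }
            if (!subject.getPrincipals().contains(principal)) {
                subject.getPrincipals().add(principal);
            }
            if (session != null) {
                session.put(SUBJECT_ATTR, subject);
            }
        }
        return subject;
    }

    // What doAsPrivileged() would run with: the names in the resolved Subject's principal set.
    static String describe(Subject subject) {
        if (subject == null) {
            return "<no subject>";
        }
        StringBuilder sb = new StringBuilder("[");
        for (Principal p : subject.getPrincipals()) {
            if (sb.length() > 1) {
                sb.append(", ");
            }
            sb.append(p.getName());
        }
        return sb.append("]").toString();
    }

    public static void main(String[] args) {
        Principal alice = new NamePrincipal("alice");

        // Case 1: a filter is executed first (principal == null), then the servlet with alice.
        Map<String, Object> oldSession = new HashMap<>();
        oldResolve(oldSession, null);                       // stores an empty Subject
        Subject oldSecond = oldResolve(oldSession, alice);  // empty Subject reused, alice never added
        System.out.println("old, second call: " + describe(oldSecond));

        Map<String, Object> newSession = new HashMap<>();
        newResolve(newSession, null);                       // nothing stored without a principal
        Subject newSecond = newResolve(newSession, alice);  // Subject now carries alice
        System.out.println("new, second call: " + describe(newSecond));

        // Case 2: the session Subject already holds a principal other than the one passed in.
        Map<String, Object> seededSession = new HashMap<>();
        Subject seeded = new Subject();
        seeded.getPrincipals().add(new NamePrincipal("role:manager"));
        seededSession.put(SUBJECT_ATTR, seeded);
        System.out.println("old, seeded: " + describe(oldResolve(seededSession, alice)));  // alice missing
        System.out.println("new, seeded: " + describe(newResolve(seededSession, alice)));  // both present
    }
}
```

The Map stand-in has the same two properties that matter here: the Subject is looked up by a fixed attribute name and, once stored, survives across calls within the same session. Swapping in a real HttpSession changes nothing in the bookkeeping; what does change the outcome is the Principal class's equals()/hashCode(), which is why NamePrincipal implements both.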