Bug 37518 - JAASRealm can't be used to protect resources
Summary: JAASRealm can't be used to protect resources
Status: RESOLVED DUPLICATE of bug 37044
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.12
Hardware: Other Windows XP
Importance: P2 major
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Keywords: PatchAvailable
Reported: 2005-11-16 01:35 UTC by Jack Yu
Modified: 2005-11-15 16:38 UTC
Description Jack Yu 2005-11-16 01:35:49 UTC
In 5.5.12, the hasRole method in JAASRealm has been removed. Instead, it uses 
RealmBase's hasRole method. 

In RealmBase's hasRole method, if the principal is not GenericPrincipal, it 
will return false.

But in the Request.getUserPrincipal method, there is also a change: if userPrincipal 
is GenericPrincipal, it returns userPrincipal. 

Which means the framework uses getUserPrincipal, and calling JAASRealm(RealmBase)'s 
hasRole should always fail.


I suggest making the following change:
in JAASRealm.java, add a roleSet private instance variable, then in the 
createPrincipal method, just after roles.add(principal.getName());,
add "roleSet.add(principal);"

then add a hasRole method like the following:

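public boolean hasRole(Principal principal, String role) {
    if (principal == null) {
        return false;
    }
    // roleSet holds the role principals recorded in createPrincipal.
    // This loop compares principals only; the role argument is not consulted here.
    Iterator it = roleSet.iterator();
    while (it.hasNext()) {
        Principal p = (Principal) it.next();
        if (p.equals(principal)) {
            return true;
        }
    }
    // Otherwise defer to RealmBase's check.
    return super.hasRole(principal, role);
}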
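
A simplified model of the mismatch described in the report above, added here as an example (it is not Tomcat's code and not the reporter's). The names HasRoleMismatchDemo, UserPrincipal and WrapperPrincipal are hypothetical stand-ins for the JAAS user principal and GenericPrincipal; the model shows the same login passing the role check when the wrapper is supplied and being denied when the unwrapped principal is supplied.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class HasRoleMismatchDemo {
    // Hypothetical stand-in for the principal a JAAS LoginModule places in the Subject.
    static class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical stand-in for the realm's wrapper: role names plus the wrapped user principal.
    static class WrapperPrincipal implements Principal {
        final Principal userPrincipal;
        final Set<String> roles;
        WrapperPrincipal(Principal user, String... roles) {
            this.userPrincipal = user;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
        public String getName() { return userPrincipal.getName(); }
    }

    // Role check as the report describes RealmBase's: any other principal type is denied.
    static boolean hasRole(Principal p, String role) {
        if (!(p instanceof WrapperPrincipal)) {
            return false;
        }
        return ((WrapperPrincipal) p).roles.contains(role);
    }

    // Accessor as the report describes Request.getUserPrincipal: the wrapper is unwrapped.
    static Principal getUserPrincipal(Principal stored) {
        return (stored instanceof WrapperPrincipal)
                ? ((WrapperPrincipal) stored).userPrincipal : stored;
    }

    public static void main(String[] args) {
        // Constructed sample login: user "alice" holding the single role "admin".
        Principal stored = new WrapperPrincipal(new UserPrincipal("alice"), "admin");
        Principal seenByCaller = getUserPrincipal(stored);
        System.out.println("wrapper,   admin: " + hasRole(stored, "admin"));
        System.out.println("unwrapped, admin: " + hasRole(seenByCaller, "admin"));
        System.out.println("wrapper,   guest: " + hasRole(stored, "guest"));
    }
}
```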
Comment 1 Remy Maucherat 2005-11-16 01:38:42 UTC

*** This bug has been marked as a duplicate of 37044 ***