Bug 37852

Summary: Security constraint where role name is defined as any ("*") denies all access
Product: Tomcat 5
Reporter: casper <maxoid>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 5.5.14   
Target Milestone: ---   
Hardware: Other   
OS: other   

Description casper 2005-12-09 14:32:09 UTC
Class org.apache.catalina.realm.RealmBase, lines from 735:
            
            if (constraint.getAllRoles() && !denyfromall)
                status = true;

            if (log.isDebugEnabled())
                log.debug("  Checking roles " + principal);

            if (roles.length == 0) {
                if(constraint.getAuthConstraint()) {
                    if( log.isDebugEnabled() )
                        log.debug("No roles ");
                    status = false; // No listed roles means no access at all
                    denyfromall = true;
                } else {
                    if(log.isDebugEnabled())
                        log.debug("Passing all access");
                    return (true);
                }
            } else if (principal == null) {
                if (log.isDebugEnabled())
                    log.debug("  No user authenticated, cannot grant access");
                status = false;
            } else if(!denyfromall) {

                for (int j = 0; j < roles.length; j++) {
                    if (hasRole(principal, roles[j]))
                        status = true;
                    if( log.isDebugEnabled() )
                        log.debug( "No role found:  " + roles[j]);
                }
            }

must be:

            if (constraint.getAllRoles() && !denyfromall)
                status = true;

            else {

                if (log.isDebugEnabled())
                    log.debug("  Checking roles " + principal);

                if (roles.length == 0) {
                    if(constraint.getAuthConstraint()) {
                        if( log.isDebugEnabled() )
                            log.debug("No roles ");
                        status = false; // No listed roles means no access at all
                        denyfromall = true;
                    } else {
                        if(log.isDebugEnabled())
                            log.debug("Passing all access");
                        return (true);
                    }
                } else if (principal == null) {
                    if (log.isDebugEnabled())
                        log.debug("  No user authenticated, cannot grant access");
                    status = false;
                } else if(!denyfromall) {

                    for (int j = 0; j < roles.length; j++) {
                        if (hasRole(principal, roles[j]))
                            status = true;
                        if( log.isDebugEnabled() )
                            log.debug( "No role found:  " + roles[j]);
                    }
                }
            }
Comment 1 xrcat 2005-12-09 15:20:04 UTC
(In reply to comment #0)

It's better to test for AllRoles in the top-level 'if' (do not skip the checks for
a null principal).

Should be:

Class org.apache.catalina.realm.RealmBase, lines from 735:

if (constraint.getAllRoles() && !denyfromall)
  status = true;
if (log.isDebugEnabled())
  log.debug("  Checking roles " + principal);
if (roles.length == 0 && !constraint.getAllRoles()) {
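The difference between the quoted code and the comment 1 placement of the getAllRoles() test is easiest to see by running both branches over a few constraints. The following is an added model of the role loop in RealmBase.hasResourcePermission written for this page; it is not Tomcat's code and not part of the bug report. `Constraint`, `has_resource_permission` and the sample constraints `STAR`, `ADMIN_ONLY`, `DENY_ALL` and `OPEN` are this example's own names, and the principal is modelled as a set of role names standing in for hasRole(principal, role).

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Example model of the role loop in RealmBase.hasResourcePermission.
# This is NOT Tomcat's code; all names below are this example's own.


@dataclass(frozen=True)
class Constraint:
    """The parts of a <security-constraint> that the role loop looks at."""
    all_roles: bool              # constraint.getAllRoles(): <role-name>*</role-name> present
    auth_constraint: bool        # constraint.getAuthConstraint(): <auth-constraint> present
    roles: Tuple[str, ...] = ()  # constraint.findAuthRoles(): explicit roles after any expansion of "*"


def has_resource_permission(constraints: Iterable[Constraint],
                            principal_roles: Optional[Set[str]],
                            patched: bool) -> bool:
    """Return True if the principal may reach a resource guarded by `constraints`.

    principal_roles is None for an unauthenticated request (principal == null
    in Tomcat); otherwise it is the set of roles the realm grants the user,
    standing in for hasRole(principal, role).
    patched=False reproduces the code quoted in the description;
    patched=True applies the test proposed in comment 1:
        if (roles.length == 0 && !constraint.getAllRoles())
    """
    status = False
    denyfromall = False          # carried across constraints, as in Tomcat
    for c in constraints:
        roles = c.roles
        if c.all_roles and not denyfromall:
            status = True        # "*" grants, unless an earlier constraint denied everyone

        if patched:
            no_roles = len(roles) == 0 and not c.all_roles
        else:
            no_roles = len(roles) == 0

        if no_roles:
            if c.auth_constraint:
                # <auth-constraint/> with no role names: deny everyone
                status = False
                denyfromall = True
            else:
                # no <auth-constraint>: the resource is open to all
                return True
        elif principal_roles is None:
            status = False       # roles required but nobody authenticated
        elif not denyfromall:
            for role in roles:
                if role in principal_roles:
                    status = True
    return status


# Constructed constraints mirroring the situations discussed in the bug.
STAR = Constraint(all_roles=True, auth_constraint=True, roles=())        # <role-name>*</role-name>, nothing expanded
ADMIN_ONLY = Constraint(all_roles=False, auth_constraint=True, roles=("admin",))
DENY_ALL = Constraint(all_roles=False, auth_constraint=True, roles=())   # empty <auth-constraint/>
OPEN = Constraint(all_roles=False, auth_constraint=False, roles=())


def star_constraint_outcomes() -> dict:
    """The reporter's case: an authenticated user hitting a "*" constraint."""
    user = {"user"}
    return {
        "original": has_resource_permission([STAR], user, patched=False),
        "patched": has_resource_permission([STAR], user, patched=True),
        "patched_unauthenticated": has_resource_permission([STAR], None, patched=True),
    }


def other_cases_unchanged() -> bool:
    """The patch must not alter the explicit-role, deny-all and open cases."""
    for patched in (False, True):
        if not has_resource_permission([ADMIN_ONLY], {"admin"}, patched):
            return False
        if has_resource_permission([ADMIN_ONLY], {"user"}, patched):
            return False
        if has_resource_permission([DENY_ALL], {"admin"}, patched):
            return False
        if not has_resource_permission([OPEN], None, patched):
            return False
        # an earlier deny-all constraint still overrides a later "*"
        if has_resource_permission([DENY_ALL, STAR], {"admin"}, patched):
            return False
    return True


if __name__ == "__main__":
    print(star_constraint_outcomes())
    print("unchanged cases OK:", other_cases_unchanged())
```

With the quoted code the "*" constraint with an empty role list falls into the `roles.length == 0` branch and is refused even for an authenticated user; with the comment 1 test that branch is skipped, the user is granted, and a null principal is still refused because the `principal == null` check is reached rather than bypassed, which is the point made about the reporter's version. The explicit-role, deny-all and open cases give the same answer on both branches.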
Comment 2 william.barker 2005-12-10 03:55:18 UTC
The second patch has been applied to the SVN trunk, and will appear in 5.5.15.

Thanks much!
Comment 3 Thomas Trepl 2006-03-23 14:59:34 UTC
(In reply to comment #2)
> The second patch has been applied to the SVN trunk, and will appear in 5.5.15.

Hmm, I've installed 5.5.15 on a SLES9 with Sun JDK 1.5.0_06-b05, but I still
have the problem described in the headline. I'm no Tomcat hacker (for now;-) so
I cannot provide a patch here. I cannot find the "second" patch applied in the
sources, or am I missing something?
Comment 4 Ralf Hauser 2006-08-08 15:05:04 UTC
With v5.5.17, I cannot get a configuration like the one described in Bug 39364
to work either (it worked nicely with ~5.5.4).

See also Bug 37044.
Comment 5 Mark Thomas 2006-08-08 23:05:15 UTC
This issue has been fixed in SVN as per Bill's comment above.

There appears to be some confusion between this issue and the fix for bug 15570
which corrected the way the special * role was handled. Questions regarding this
should be directed to the users list.
Comment 6 jemiller 2006-08-10 17:38:36 UTC
It doesn't look fixed to me. I'm getting 403 errors with Tomcat 5.5.17 in an 
app that works just fine with Tomcat 5.5.9.
Comment 7 Filip Hanik 2006-08-10 19:22:28 UTC
It's because of this change:
http://issues.apache.org/bugzilla/show_bug.cgi?id=15570
If you use *, you still need to define all the roles in web.xml;
* refers to the roles in web.xml, not the ones specified in the security realm.
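As an added illustration of the point in comment 7 (an example web.xml fragment written for this page, not configuration from the bug report), this is what a "*" constraint looks like next to the <security-role> declarations it expands to. The role names admin, manager and operator and the /secure/* path are assumptions.

```xml
<!-- Added example web.xml fragment; not from the bug report.
     Assumed role names: admin, manager, operator.  Assumed path: /secure/* -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" expands to the roles declared in <security-role> below,
         not to whatever roles the realm (tomcat-users.xml, JDBC, JNDI ...) holds -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example</realm-name>
</login-config>

<!-- Every realm role that "*" should accept must be declared here.
     A user whose only realm role is "operator" is refused by the constraint
     above as long as operator is not declared as a security-role. -->
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>
```

When an application that worked on an earlier 5.5.x starts answering 403 on a "*" constraint after the bug 15570 change, the first thing to check is whether every role the realm can assign is listed in <security-role>; adding the missing declarations, rather than enumerating them in <auth-constraint>, keeps the "*" semantics while matching the stricter expansion.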