geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shenghao Fang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (GERONIMO-6057) HttpServletRequest.isUserInRole() returns wrong value
Date Fri, 08 Jul 2011 05:27:16 GMT
HttpServletRequest.isUserInRole() returns wrong value
-----------------------------------------------------

                 Key: GERONIMO-6057
                 URL: https://issues.apache.org/jira/browse/GERONIMO-6057
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: console, security
    Affects Versions: 3.0
         Environment: Tomcat
            Reporter: Shenghao Fang
            Assignee: Shenghao Fang


HttpServletRequest.isUserInRole("admin") always returns false in Admin Console although loginned
by 'system'. (eg. welcomeNormal.jsp:59)

I did some investigation and found that current implementation in JACCRealm.hasRole uses wrapper.getName()
to get the servlet name.

{code:title=JACCRealm.java|borderStyle=solid}
    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
        AccessControlContext acc = ContextManager.getCurrentContext();
        String name = wrapper.getName();

        /**
         * JACC v1.0 secion B.19
         */
        if (name == null || name.equals("jsp")) {
            name = "";
        }
        try {
            acc.checkPermission(new WebRoleRefPermission(name, role));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }
{code}

But implementation in previous version uses currentRequestWrapperName.get() to get the servlet
name.

{code:title=JACCRealm.java|borderStyle=solid}
    public boolean hasRole(Principal principal, String role) {
        AccessControlContext acc = ContextManager.getCurrentContext();
        String name = currentRequestWrapperName.get();

        /**
         * JACC v1.0 secion B.19
         */
        if (name == null || name.equals("jsp")) {
            name = "";
        }
        try {
            acc.checkPermission(new WebRoleRefPermission(name, role));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }
{code}

currentRequestWrapperName is a ThreadLocal variable and is set by DispatchListener.beforeDispatch()

{code:title=DispatchListener|borderStyle=solid}
    private void beforeDispatch(GeronimoStandardContext webContext, ServletRequest request,
ServletResponse response) {

        BeforeAfter beforeAfter = webContext.getBeforeAfter();
        if (beforeAfter != null) {
            Stack<BeforeAfterContext> stack = currentContext.get();

            BeforeAfterContext beforeAfterContext = new BeforeAfterContext(webContext.getContextCount()
+ 2);

            String wrapperName = getWrapperName(request, webContext);
            beforeAfterContext.contexts[webContext.getContextCount()] = JACCRealm.setRequestWrapperName(wrapperName);

            beforeAfterContext.contexts[webContext.getContextCount() + 1] = PolicyContext.getContextID();
            PolicyContext.setContextID(webContext.getPolicyContextId());

            beforeAfter.before(beforeAfterContext, request, response, BeforeAfter.DISPATCHED);

            stack.push(beforeAfterContext);
        }
    }

    private String getWrapperName(ServletRequest request, GeronimoStandardContext webContext)
{

        MappingData mappingData = new MappingData();
        Mapper mapper = webContext.getMapper();
        MessageBytes mb = MessageBytes.newInstance();

        String dispatchPath = (String) request.getAttribute(Globals.DISPATCHER_REQUEST_PATH_ATTR);
        mb.setString(webContext.getName() + dispatchPath);

        try {
            mapper.map(mb, mappingData);
            StandardWrapper wrapper = (StandardWrapper) mappingData.wrapper;
            return wrapper.getName();
        } catch (Exception e) {
            log.error(e.getMessage(), e);
        }

        return null;
    }

} 
{code}

It looks to me that wrapper.getName() returns the name of the initial servlet instead of the
current servlet.

I thought using currentRequestWrapperName.get() leads to the right behavior.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message