Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 80292 invoked by uid 500); 6 Apr 2000 06:00:46 -0000
Delivered-To: apmail-jakarta-tomcat-cvs@apache.org
Received: (qmail 80288 invoked by uid 1059); 6 Apr 2000 06:00:45 -0000
Date: 6 Apr 2000 06:00:45 -0000
Message-ID: <20000406060045.80287.qmail@locus.apache.org>
From: craigmcc@locus.apache.org
To: jakarta-tomcat-cvs@apache.org
Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SecurityCheck.java

craigmcc 00/04/05 23:00:45

Modified: src/share/org/apache/tomcat/core RequestImpl.java
src/share/org/apache/tomcat/request SecurityCheck.java
Log:
Corrections and validations for BASIC authentication support:
- Properly parse comma-delimited role names in conf/tomcat-users.conf.
- Properly authenticate on every request (just because the browser sends an Authentication header doesn't mean we should trust it).
- Validate correct user + correct password + correct role grants access.
- Validate correct user + incorrect password denies access.
- Validate correct user + correct password + incorrect role denies access.

Please help me pound on this code to make sure it works before final release of Tomcat 3.1!

Revision Changes Path
1.26 +4 -17 jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java

Index: RequestImpl.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- RequestImpl.java 2000/03/31 18:22:34 1.25
+++ RequestImpl.java 2000/04/06 06:00:44 1.26
@@ -1,7 +1,7 @@
 /*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v 1.25 2000/03/31 18:22:34 craigmcc Exp $
- * $Revision: 1.25 $
- * $Date: 2000/03/31 18:22:34 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v 1.26 2000/04/06 06:00:44 craigmcc Exp $
+ * $Revision: 1.26 $
+ * $Date: 2000/04/06 06:00:44 $
  *
  * ====================================================================
  *
@@ -285,20 +285,7 @@
 }
 
 public String getRemoteUser() {
- if( remoteUser!=null)
- return remoteUser;
-
- // Using the Servlet 2.2 semantics ...
- // return request.getRemoteUser();
- java.security.Principal p = getUserPrincipal();
-
- if (p != null) {
- return p.getName();
- }
-
- return null;
-
- //return remoteUser;
+ return remoteUser;
 }
 
 public boolean isSecure() {
1.12 +9 -2 jakarta-tomcat/src/share/org/apache/tomcat/request/SecurityCheck.java
Index: SecurityCheck.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SecurityCheck.java,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- SecurityCheck.java 2000/03/31 15:50:10 1.11
+++ SecurityCheck.java 2000/04/06 06:00:45 1.12
@@ -135,7 +135,7 @@
 new SimpleRequestSecurityProviderImpl(roles);
 ctx.setRequestSecurityProvider(rsp);
 }
-
+
 if( req.getRemoteUser() != null) return 0; // already authenticated
 
 String authMethod=ctx.getAuthMethod();
@@ -315,7 +315,14 @@
 public void addUser(String name, String pass, String groups ) {
 if( debug > 0 ) ctx.log( "Add user " + name + " " + pass + " " + groups );
 passwords.put( name, pass );
- addRole( groups, name );
+ groups += ",";
+ while (true) {
+ int comma = groups.indexOf(",");
+ if (comma < 0)
+ break;
+ addRole( groups.substring(0, comma).trim(), name);
+ groups = groups.substring(comma + 1);
+ }
 }
 
 public void addRole( String role, String user ) {
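Review bot: `getRemoteUser()` in the `@@ -285` hunk now reports only the `remoteUser` field, and the `if( req.getRemoteUser() != null) return 0; // already authenticated` short-circuit visible in SecurityCheck's `@@ -135` hunk keys off exactly that value, so the whole scheme is safe only if `remoteUser` is assigned nowhere except after credentials have been verified; the field and its setter are outside this hunk, so I can't confirm that from here. That contract is load-bearing and undocumented — I'd put it on the method: `/** Login of the authenticated user, or null. Assigned only by the security interceptor after it has verified the credentials; a non-null value means authentication already succeeded for this request. */`. Dropping the old fallback to `getUserPrincipal().getName()` also means the two accessors can now disagree (principal set, remote user null) — presumably intended, since that fallback was what let an unverified principal look authenticated, but worth one sentence in the same Javadoc.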
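Review bot: The new tokenizing loop in `addUser` passes empty and bogus role names through to `addRole`: a trailing or doubled comma in `groups` yields `""`, and a null `groups` is turned by `groups += ","` into the literal role `"null"`; `addRole`'s body begins on the hunk's last line and continues outside it, so I can't see whether it rejects either. Guard with `if (groups == null) return;` before the loop and replace the addRole call with `String role = groups.substring(0, comma).trim(); if (role.length() > 0) addRole(role, name);`. Reassigning the `groups` parameter inside the loop is also a style point — a local copy reads better. Separately, the context line `ctx.log( "Add user " + name + " " + pass + " " + groups )` writes the plaintext password to the log whenever debug is on; `pass` should be dropped from that message.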