tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util SecurityTools.java
Date Thu, 16 Nov 2000 23:52:14 GMT
craigmcc    00/11/16 15:52:14

  Modified:    src/share/org/apache/tomcat/request Tag: tomcat_32
                        JDBCRealm.java
               src/share/org/apache/tomcat/util Tag: tomcat_32
                        SecurityTools.java
  Log:
  Avoid "index out of bound" exceptions in the following scenarios:
  * JDBCRealm is configured, user is authenticated successfully,
    user has no defined roles, debug output is enabled
  * JDBCRealm is configured, user is authenticated successfully,
    security constraint has no defined roles, debug output is enabled
  * Null is passed as an argument to either SecurityTools.haveRole() method.
  
  PR: BugRat Bug Report #372
  Submitted by:	Tero Piirainen <tero.piirainen@legosoft.net>
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.9.2.2   +12 -2     jakarta-tomcat/src/share/org/apache/tomcat/request/JDBCRealm.java
  
  Index: JDBCRealm.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/JDBCRealm.java,v
  retrieving revision 1.9.2.1
  retrieving revision 1.9.2.2
  diff -u -r1.9.2.1 -r1.9.2.2
  --- JDBCRealm.java	2000/10/17 23:36:24	1.9.2.1
  +++ JDBCRealm.java	2000/11/16 23:52:13	1.9.2.2
  @@ -509,12 +509,22 @@
   	userRoles = getUserRoles( user );
   	req.setUserRoles( userRoles );
   
  -        if( debug > 0 ) log( "Auth ok, first role=" + userRoles[0] );
  +        if( debug > 0 ) {
  +            if ((userRoles != null) && (userRoles.length > 0))
  +                log( "Auth ok, first role=" + userRoles[0] );
  +            else
  +                log( "Auth ok, user has no roles");
  +        }
   
           if( SecurityTools.haveRole( userRoles, roles ))
               return 0;
   
  -        if( debug > 0 ) log( "UnAuthorized " + roles[0] );
  +        if( debug > 0 ) {
  +            if ((roles != null) && (roles.length > 0))
  +                log( "UnAuthorized " + roles[0] );
  +            else
  +                log( "UnAuthorized - no roles specified");
  +        }
   	return 401; //HttpServletResponse.SC_UNAUTHORIZED
           // XXX check transport
       }
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.5.2.1   +5 -1      jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SecurityTools.java
  
  Index: SecurityTools.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SecurityTools.java,v
  retrieving revision 1.5
  retrieving revision 1.5.2.1
  diff -u -r1.5 -r1.5.2.1
  --- SecurityTools.java	2000/06/23 02:16:30	1.5
  +++ SecurityTools.java	2000/11/16 23:52:14	1.5.2.1
  @@ -192,6 +192,8 @@
       }
   
       public static boolean haveRole( String userRoles[], String requiredRoles[] ) {
  +        if ((userRoles == null) || (requiredRoles == null))
  +            return false;
   	for( int i=0; i< userRoles.length; i ++ ) {
   	    if( haveRole( userRoles[i], requiredRoles )) return true;
   	}
  @@ -199,8 +201,10 @@
       }
   
       public static boolean haveRole( String element, String set[] ) {
  +        if ((element == null) || (set == null))
  +            return false;
   	for( int i=0; i< set.length; i ++ ) {
  -	    if( element!=null && element.equals( set[i] ))
  +	    if( element.equals( set[i] ))
   		return true;
   	}
   	return false;
  
  
  

Mime
View raw message