tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thom Park" <>
Subject *proposed Fix to security-role problem*
Date Thu, 14 Dec 2000 18:11:59 GMT
Dear All,

I'm not sure where to post this but I'd like someone to take a look at
the following code and consider it for inclusion as
a fix to a problem with security-roles in tomcat 3.2.

The problem:
According to the 2.2 spec. A servlet defintion may define aliases for
security-roles (called security-role-refs) such that the underlying
security role
may be changed without needing to modify / recompile any servlets that
refer to the alias. The servlet code uses the alias name for the role
instead of the actual rolename. In Tomcat 3.2 the method isUserInRole()
is broken and doesn't translate the alias and instead tries to apply the
passed rolename directly to the rolelist defined in the xxxRealm.

The following code is a  first pass at fixing it. I'm not a committer
and am unsure how to submit code (I'm not well versed in the various
patching tools) so I"m providing the code fragment here - it isn't too
long: I would be grateful if someone could review this and comment.



-------- cut here

    public boolean isUserInRole(String role) {

     String checkRoles[]=new String[1];

        // get the servletWrapper...
        if ( handler != null ) {
          // lookup the alias
          String mappedRole = handler.getSecurityRole(role);
          if ( mappedRole != null ) {
            // use translated role
            checkRoles[0] = mappedRole;
          else {
               * no alias found - technically we should return false
however to maintain backwards
               * compatability with earlier tomcat's preserver the
existing behavior and do a lookup
               * using the actual rolename passed to us
            checkRoles[0] = role;
        else {
           // servletWrapper is null - this shouldn't happen but setup
for the lookup anyway
          checkRoles[0] = role;
     int status=contextM.doAuthorize(this, response, checkRoles);
     return status==0;

-------------------- cut here

View raw message