tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 30814] New: - Management of the principal in the function org.apache.catalina.security.SecurityUtil.execute()
Date Tue, 24 Aug 2004 02:02:28 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30814>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30814

Management of the principal in the function org.apache.catalina.security.SecurityUtil.execute()

           Summary: Management of the principal in the function
                    org.apache.catalina.security.SecurityUtil.execute()
           Product: Tomcat 5
           Version: 5.0.27
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jjureta@videotron.ca


Hi, 
 
I found that the function org.apache.catalina.security.SecurityUtil.execute 
does not cover all the cases (oh yes, the last modifications are mine): 
- if the parameter principal is null and the session is not, the new subject 
is created without any principal (this happened when filters are used). When 
this function is called next time with the principal which is not null, that 
principal is not added to the subject, function is executed without that 
principal; 
- if subject in the session contains the principals different from the one 
passed as the parameter to the function, the new principal is not added to the 
subject in the session. 
 
I have one question: why the principal is passed to this function and not the 
subject? 
 
I propose to change the function execute() to: 
 
private static void execute(final Method method, 
                                final Object targetObject,  
                                final Object[] targetArguments, 
                                Principal principal)  
        throws java.lang.Exception{ 
        
	try{    
            Subject subject = null; 
            PrivilegedExceptionAction pea = new PrivilegedExceptionAction(){ 
                    public Object run() throws Exception{ 
                       method.invoke(targetObject, targetArguments); 
                       return null; 
                    } 
            }; 
 
            // The first argument is always the request object 
            if (targetArguments != null  
                    && targetArguments[0] instanceof HttpServletRequest){ 
                HttpServletRequest request =  
                    (HttpServletRequest)targetArguments[0]; 
 
                HttpSession session = request.getSession(false); 
                if (session != null){ 
                    subject =  
                        (Subject)session.getAttribute(Globals.SUBJECT_ATTR); 
                } 
 
                if(principal != null) { 
                    if (subject == null){ 
                        // Create the new Subject 
                        subject = new Subject(); 
                        subject.getPrincipals().add(principal); 
                    } else {  
                        // Add the new Principal to the Subject if needed 
                        if (!subject.getPrincipals().contains(principal)) 
                            subject.getPrincipals().add(principal); 
                    } 
                     
                    if ((session != null) && (subject != null)) { 
                        // add the subject to the session 
                        session.setAttribute(Globals.SUBJECT_ATTR, subject); 
                    } 
                } 
            } 
 
            Subject.doAsPrivileged(subject, pea, null);        
       } catch( PrivilegedActionException pe) { 
            Throwable e = ((InvocationTargetException)pe.getException()) 
                                .getTargetException(); 
             
            if (log.isDebugEnabled()){ 
                log.debug(sm.getString("SecurityUtil.doAsPrivilege"), e);  
            } 
             
            if (e instanceof UnavailableException) 
                throw (UnavailableException) e; 
            else if (e instanceof ServletException) 
                throw (ServletException) e; 
            else if (e instanceof IOException) 
                throw (IOException) e; 
            else if (e instanceof RuntimeException) 
                throw (RuntimeException) e; 
            else 
                throw new ServletException(e.getMessage(), e); 
        }   
    }

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message