tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40150] New: - Incorrect User/Role classnames are silently ignored.
Date Tue, 01 Aug 2006 08:52:32 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40150>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40150

           Summary: Incorrect User/Role classnames are silently ignored.
           Product: Tomcat 5
           Version: 5.5.17
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: vandenberget@aciworldwide.com


org.apache.catalina.realm.JAASRealm does not verify any of the class names that
are set through setRoleClassNames() and setUserClassNames().

If an incorrect class name (e.g. a typo) is configured in context.xml, this is
unnoticed by JAASRealm. The result is that during authentication, when the
subject's principals are checked against the configured class names, the
principals are not recognised, and therefore not added to the subject.

The fact that an incorrectly configured class name is currently not detected and logged
makes it very hard to find the source of the problem. It can be easily fixed by
checking the class names in the two methods mentioned above. The class must
exist, and it must implement java.security.Principal, which is currently not
enforced/checked by the code.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

