Sorry, I'm just being dumb here. My comment should be for r348091
instead of this r348087.

Shamefully yours
Nam


--
Random humorous quote: Monday is an awful way to spend 1/7th of your
life.

-----Original Message-----
From: Nam T. Nguyen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 22, 2005 1:17 PM
To: Tomcat Developers List
Subject: RE: svn commit: r348087 - /tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

This is in accordance with both Servlet and JACC specs.

JACC spec gives higher precedence to unchecked permissions than checked
permissions.

Complaints should go to both groups :D

Cheers
Nam


--
Random humorous quote: Usually I try to take it one day at a time, but
lately several have attacked me at once...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 22, 2005 1:07 PM
To: tomcat-dev@jakarta.apache.org
Subject: svn commit: r348087 - /tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

Author: billbarker
Date: Mon Nov 21 21:06:40 2005
New Revision: 348087

URL: http://svn.apache.org/viewcvs?rev=348087&view=rev
Log:
The rule is that you authenticate if *all* security-constraints include
an auth-constraint.  If you have a problem with this, take it up with
the Servlet expert-group ;-).

Reported By: Nam T. Nguyen <[EMAIL PROTECTED]>


Modified:
 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenti
cator/AuthenticatorBase.java

Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenti
cator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/catalina/src/shar
e/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=348087&r1
=348086&r2=348087&view=diff
========================================================================
======
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenti
cator/AuthenticatorBase.java (original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenti
cator/AuthenticatorBase.java Mon Nov 21 21:06:40 2005
@@ -468,28 +468,33 @@
              */
             return;
         }
-       
-        for(i=0; i < constraints.length; i++) {
-            // Authenticate based upon the specified login
configuration
-            if (constraints[i].getAuthConstraint()) {
+
+        // Since authenticate modifies the response on failure,
+        // we have to check for allow-from-all first.
+        boolean authRequired = true;
+        for(i=0; i < constraints.length && authRequired; i++) {
+            if(!constraints[i].getAuthConstraint()) {
+                authRequired = false;
+            } 
+        }
+             
+        if(authRequired) {  
+            if (log.isDebugEnabled()) {
+                log.debug(" Calling authenticate()");
+            }
+            if (!authenticate(request, response, config)) {
                 if (log.isDebugEnabled()) {
-                    log.debug(" Calling authenticate()");
+                    log.debug(" Failed authenticate() test");
                 }
-                if (!authenticate(request, response, config)) {
-                    if (log.isDebugEnabled()) {
-                        log.debug(" Failed authenticate() test");
-                    }
-                    /*
-                     * ASSERT: Authenticator already set the
appropriate
-                     * HTTP status code, so we do not have to do
anything
-                     * special
-                     */
-                    return;
-                } else {
-                    break;
-                }
-            }
+                /*
+                 * ASSERT: Authenticator already set the appropriate
+                 * HTTP status code, so we do not have to do anything
+                 * special
+                 */
+                return;
+            } 
         }
+    
         if (log.isDebugEnabled()) {
             log.debug(" Calling accessControl()");
         }
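
Review bot: In the added loop, authRequired starts as true and is only cleared when some constraints[i].getAuthConstraint() returns false, so a zero-length constraints array would reach authenticate(); the hunk does not show whether an earlier check excludes that case. If it does, a one-line comment saying constraints is non-empty at this point would make the assumption explicit; if it does not, the empty case needs a decision here. The new comment "we have to check for allow-from-all first" could also state the rule from the log message (authenticate only when every constraint carries an auth-constraint), since that is the behaviour change a later reader needs to see. Minor: the added lines "} " and "if(authRequired) {  " end in trailing whitespace.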



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

