DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=39364>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39364

           Summary: One problem about the JAAS role check.
           Product: Tomcat 5
           Version: 5.5.17
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

If I define the security-constraint like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>LoginProxy</web-resource-name>
        <url-pattern>/jaas/login</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

When Tomcat starts, this context will not add any role into the Context object. (Please check the ContextConfig.validateSecurityRoles() method.) So the StandardContext's securityRoles[] is an empty array.

In the RealmBase.hasResourcePermission() method, it will get these roles to compare with the ones in the web.xml file.

    if (constraint.getAllRoles()) {
        // * means all roles defined in web.xml
        roles = request.getContext().findSecurityRoles();
    } else {
        roles = constraint.findAuthRoles();
    }

Here, if constraint.getAllRoles() returns true, it does not return directly, but gets the securityRoles[] from the context (an empty array), so it will not allow access to this path's resource.
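A deployment check for the configuration described in the report above, as an added example that is not part of the original report and is not Tomcat code: it flags a web.xml whose auth-constraint uses "*" while no security-role element is declared. The class name, method name and the "user" role are hypothetical, and both descriptors are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WildcardRoleCheck {

    /** True when an auth-constraint uses "*" but web.xml declares no security-role. */
    static boolean wildcardWithoutDeclaredRoles(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The descriptor is untrusted input to an audit tool: resolve nothing external.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));

        boolean wildcard = false;
        NodeList constraints = doc.getElementsByTagName("auth-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            NodeList names = ((Element) constraints.item(i)).getElementsByTagName("role-name");
            for (int j = 0; j < names.getLength(); j++) {
                if ("*".equals(names.item(j).getTextContent().trim())) wildcard = true;
            }
        }
        // Per the report, "*" is expanded to the context's declared security roles;
        // with no <security-role> element that array is empty.
        return wildcard && doc.getElementsByTagName("security-role").getLength() == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed descriptors: the constraint from the report, then the same
        // constraint with one declared role ("user" is a made-up role name).
        String constraint = "<security-constraint><web-resource-collection>"
                + "<web-resource-name>LoginProxy</web-resource-name>"
                + "<url-pattern>/jaas/login</url-pattern></web-resource-collection>"
                + "<auth-constraint><role-name>*</role-name></auth-constraint>"
                + "</security-constraint>";
        String reported = "<web-app>" + constraint + "</web-app>";
        String declared = "<web-app>" + constraint
                + "<security-role><role-name>user</role-name></security-role></web-app>";

        System.out.println("reported: " + wildcardWithoutDeclaredRoles(reported));
        System.out.println("declared: " + wildcardWithoutDeclaredRoles(declared));
    }
}
```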