Author: fschumacher Date: Thu Jul 28 20:19:40 2016 New Revision: 1754467 URL: http://svn.apache.org/viewvc?rev=1754467&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59839 Apply roleSearchAsUser to all nested searches in JNDIRealm.
Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1754467&r1=1754466&r2=1754467&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Thu Jul 28 20:19:40 2016 @@ -1946,18 +1946,8 @@ public class JNDIRealm extends RealmBase } // Perform the configured search and process the results - NamingEnumeration<SearchResult> results = null; - boolean thisRoleSearchAsUser = isRoleSearchAsUser(); - try { - if (thisRoleSearchAsUser) { - userCredentialsAdd(context, dn, user.getPassword()); - } - results = context.search(base, filter, controls); - } finally { - if (thisRoleSearchAsUser) { - userCredentialsRemove(context); - } - } + NamingEnumeration<SearchResult> results = searchAsUser(context, user, base, filter, controls, + isRoleSearchAsUser()); if (results == null) return list; // Should never happen, but just in case ... @@ -2008,7 +1998,8 @@ public class JNDIRealm extends RealmBase containerLog.trace("Perform a nested group search with base "+ roleBase + " and filter " + filter); } - results = context.search(roleBase, filter, controls); + results = searchAsUser(context, user, roleBase, filter, controls, + isRoleSearchAsUser()); try { while (results.hasMore()) { 
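Review bot: The nested group search now goes through `searchAsUser`, which adds and removes the user credentials around every single `context.search`, so the context's security environment is switched twice per nested lookup. With the JNDI LDAP provider a credential change usually means a re-bind on the next operation, so deep or wide group nesting could multiply binds against the directory; if that matters, consider adding the credentials once before the nested search loop and removing them in one `finally` after it. The `while (results.hasMore())` that follows runs after the credentials were already removed, so it is worth confirming that fetching further results or following referrals during enumeration does not depend on the user bind. The enclosing loop and the rest of the method lie outside this hunk.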
@@ -2044,6 +2035,45 @@ public class JNDIRealm extends RealmBase return list; } + /** + * Perform the search on the context as the {@code dn}, when + * {@code searchAsUser} is {@code true}, otherwise search the context with + * the default credentials. + * + * @param context + * context to search on + * @param user + * user to bind on + * @param base + * base to start the search from + * @param filter + * filter to use for the search + * @param controls + * controls to use for the search + * @param searchAsUser + * {@code true} when the search should be done as user, or + * {@code false} for using the default credentials + * @return enumeration with all found entries + * @throws NamingException + * if a directory server error occurs + */ + private NamingEnumeration<SearchResult> searchAsUser(DirContext context, + User user, String base, String filter, + SearchControls controls, boolean searchAsUser) throws NamingException { + NamingEnumeration<SearchResult> results; + try { + if (searchAsUser) { + userCredentialsAdd(context, user.getDN(), user.getPassword()); + } + results = context.search(base, filter, controls); + } finally { + if (searchAsUser) { + userCredentialsRemove(context); + } + } + return results; + } + /** * Return a String representing the value of the specified attribute. Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1754467&r1=1754466&r2=1754467&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Jul 28 20:19:40 2016 
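Review bot: The Javadoc for `searchAsUser` says the search runs "as the {@code dn}", but the method has no `dn` parameter and binds with `user.getDN()` and `user.getPassword()`; the summary and tag should say so, e.g. `@param user user whose DN and password are used for the bind when {@code searchAsUser} is {@code true}`. Nothing in the helper checks that `user.getPassword()` is non-null and non-empty before `userCredentialsAdd`; whether a `User` can arrive here without a password is not visible in this hunk, but if it can, the search may fail or, on directory servers that treat a simple bind with an empty password as an unauthenticated bind, run without the user's identity. Rejecting that case explicitly, or documenting it as a precondition, would make the behaviour clear. It would also help to note in the Javadoc that the credentials are removed in `finally` before the returned enumeration is consumed by the caller.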
@@ -76,6 +76,10 @@ extend SecurityManager protection to the system property replacement feature of the digester. (markt) </add> + <fix> + <bug>59839</bug>: Apply <code>roleSearchAsUser</code> to all nested searches + in JNDIRealm. (fschumacher) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org