This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch BZ-63684/7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6cb87c8da83627f645cc8eb878f1eeb87207c18a
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Thu Aug 22 14:34:31 2019 +0200
BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security
constraints
---
java/org/apache/catalina/realm/RealmBase.java | 2 +-
.../apache/catalina/realm/UserDatabaseRealm.java | 4 ++-
.../apache/catalina/core/TestStandardWrapper.java | 31 +++++++++++++++++-----
webapps/docs/changelog.xml | 5 ++++
4 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/java/org/apache/catalina/realm/RealmBase.java
b/java/org/apache/catalina/realm/RealmBase.java
index 8796ed8..80027fd 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -993,7 +993,7 @@ public abstract class RealmBase extends LifecycleMBeanBase
implements Realm {
log.debug(" No user authenticated, cannot grant access");
} else {
for (int j = 0; j < roles.length; j++) {
- if (hasRole(null, principal, roles[j])) {
+ if (hasRole(request.getWrapper(), principal, roles[j])) {
status = true;
if( log.isDebugEnabled() )
log.debug( "Role found: " + roles[j]);
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java
b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index c13efaf..54e6864 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -147,7 +147,9 @@ public class UserDatabaseRealm
}
}
if(! (principal instanceof User) ) {
- //Play nice with SSO and mixed Realms
+ // Play nice with SSO and mixed Realms
+ // No need to pass the wrapper here because role mapping has been
+ // performed already a few lines above
return super.hasRole(null, principal, role);
}
if("*".equals(role)) {
diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java
b/test/org/apache/catalina/core/TestStandardWrapper.java
index b719efe..3d35df0 100644
--- a/test/org/apache/catalina/core/TestStandardWrapper.java
+++ b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -213,14 +213,14 @@ public class TestStandardWrapper extends TomcatBaseTest {
// No file system docBase required
Context ctx = tomcat.addContext("", null);
- ctx.addRoleMapping("testRole2", "very-complex-role-name");
- /* We won't map "testRole3" to "another-very-complex-role-name" to make
- * it fail intentionally.
- */
+ ctx.addRoleMapping("testRole", "very-complex-role-name");
- Wrapper wrapper = Tomcat.addServlet(ctx, "servlet",
TestServlet.class.getName());
+ Wrapper wrapper = Tomcat.addServlet(ctx, "servlet",
RoleAllowServlet.class.getName());
ctx.addServletMapping("/", "servlet");
+ ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
+ ctx.getPipeline().addValve(new BasicAuthenticator());
+
MapRealm realm = new MapRealm();
/* Attach the realm to the appropriate container, but role mapping must
@@ -247,10 +247,27 @@ public class TestStandardWrapper extends TomcatBaseTest {
Assert.assertNotNull(p);
Assert.assertEquals("testUser", p.getName());
+ // This one is mapped
+ Assert.assertTrue(realm.hasRole(wrapper, p, "testRole"));
Assert.assertTrue(realm.hasRole(wrapper, p, "testRole1"));
- Assert.assertTrue(realm.hasRole(wrapper, p, "testRole2"));
+ Assert.assertFalse(realm.hasRole(wrapper, p, "testRole2"));
Assert.assertTrue(realm.hasRole(wrapper, p, "very-complex-role-name"));
- Assert.assertFalse(realm.hasRole(wrapper, p, "testRole3"));
+ Assert.assertTrue(realm.hasRole(wrapper, p,
"another-very-complex-role-name"));
+
+ // This now tests RealmBase#hasResourcePermission() because we need a
wrapper
+ // to be passed from an authenticator
+ ByteChunk bc = new ByteChunk();
+ Map<String, List<String>> reqHeaders = new HashMap<String,
List<String>>();
+ List<String> authHeaders = new ArrayList<String>();
+ // testUser, testPwd
+ authHeaders.add("Basic dGVzdFVzZXI6dGVzdFB3ZA==");
+ reqHeaders.put("Authorization", authHeaders);
+
+ int rc = getUrl("http://localhost:"; + getPort() + "/", bc, reqHeaders,
+ null);
+
+ Assert.assertEquals("OK", bc.toString());
+ Assert.assertEquals(200, rc);
}
private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b698428..1ff6a47 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -93,6 +93,11 @@
Fix a crash on shutdown with the APR/native connector when a blocking
I/O operation was still in progress when the connector stopped. (markt)
</fix>
+ <fix>
+ <bug>63684</bug>: <code>Wrapper</code> never passed to
+ <code>RealmBase.hasRole()</code> for given security constraints.
+ (michaelo)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
