https://bz.apache.org/bugzilla/show_bug.cgi?id=63982
Bug ID: 63982
Summary: CombinedRealm makes assumptions about principal implementation
Product: Tomcat 9
Version: 9.0.29
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: micha...@apache.org
Target Milestone: -----

Consider the following configuration:

> <Realm className="org.apache.catalina.realm.CombinedRealm">
>   <Realm className="CustomRealm" ... />
>   <Realm className="CustomRealm" ... />
> </Realm>

CustomRealm uses CustomPrincipal, not of type GenericPrincipal. Two issues arise:

1. When AuthenticatorBase now invokes CombinedRealm#hasRole() it will delegate to RealmBase#hasRole(), which will call RealmBase#hasRoleInternal(): it will always return false because CustomPrincipal is not an instance of GenericPrincipal.
2. CustomRealm#getRoles() will again delegate to RealmBase#getRoles() and will throw an exception.

Thus, this realm is tied to the GenericPrincipal and cannot be used generically. You have to write a CustomCombinedRealm. It could be solved the following way:

1. Delegate all #hasRole() calls to the underlying realms and return the first true.
2. Delegate all #getRoles() calls to the underlying realms, catch exceptions, rethrow at and return the first array.

Unfortunately, RealmBase throws an IllegalStateException for #getRoles(), but this is nowhere documented. If it would return a null array, one could loop until the first non-null array. In my opinion, if this is not documented, it could simply return null.
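The workaround the report describes (a CombinedRealm subclass that delegates hasRole() and getRoles() to the nested realms rather than assuming a GenericPrincipal), written out as an added example. This is not Tomcat's own code and not code from the reporter; it assumes the Tomcat 9 API in which CombinedRealm keeps its nested realms in the protected field `realms` (a `List<Realm>`) and Realm declares `hasRole(Wrapper, Principal, String)` and `getRoles(Principal)`. The class name `DelegatingCombinedRealm` and the package `example.realm` are invented for the example.

```java
// Added example, not Tomcat's own code. Assumes Tomcat 9's CombinedRealm exposes
// its nested realms as the protected List<Realm> field 'realms'.
package example.realm;

import java.security.Principal;

import org.apache.catalina.Realm;
import org.apache.catalina.Wrapper;
import org.apache.catalina.realm.CombinedRealm;

public class DelegatingCombinedRealm extends CombinedRealm {

    /**
     * The first nested realm that confirms the role wins. A nested realm that
     * cannot interpret the principal type (RealmBase answers false for anything
     * that is not a GenericPrincipal) is simply skipped instead of failing the
     * whole check closed. Each nested realm still applies its own
     * security-role-ref mapping via the wrapper, so nothing is bypassed here.
     */
    @Override
    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
        if (principal == null || role == null) {
            return false;
        }
        for (Realm realm : realms) {
            if (realm.hasRole(wrapper, principal, role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * RealmBase#getRoles() throws IllegalStateException for a principal that is
     * not a GenericPrincipal, so each nested realm is tried in turn and the
     * first non-null array is returned. If every realm refused, the last
     * exception is rethrown so callers see the same failure a single realm
     * would have produced rather than a silent empty result.
     */
    @Override
    public String[] getRoles(Principal principal) {
        IllegalStateException last = null;
        for (Realm realm : realms) {
            try {
                String[] roles = realm.getRoles(principal);
                if (roles != null) {
                    return roles;
                }
            } catch (IllegalStateException e) {
                last = e; // this realm cannot read this principal type; try the next one
            }
        }
        if (last != null) {
            throw last;
        }
        return null;
    }
}
```

To use it, replace `org.apache.catalina.realm.CombinedRealm` in the configuration above with `example.realm.DelegatingCombinedRealm` and keep the nested `<Realm>` elements unchanged. Note the authorization semantics this introduces: any one nested realm can grant a role for a principal, which mirrors CombinedRealm's own authentication behaviour (the first realm to authenticate wins), but means the nested realms should be ones you trust equally to make role decisions.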