https://bz.apache.org/bugzilla/show_bug.cgi?id=65351
Bug ID: 65351
Summary: Regression in UserDatabaseRealm: Groups are no longer considered in hasRole
Product: Tomcat 10
Version: 10.0.6
Hardware: All
OS: All
Status: NEW
Severity: regression
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ------
There's a regression bug in the reworked UserDatabaseRealm. The method
User.isInRole(Role) called in line 276 (that's in the UserDatabasePrincipal
class) does NOT consider roles inherited from Groups the user is a member of.
Although the method's documentation states this explicitly, its name actually
does not really suggest this behavior :(
A new method User.hasEffectiveRole(Role) (or isInEffectiveRole to stay
consistent with the naming scheme) would be one of the possible options:
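    // Returns true if the role is inherited from any group this user belongs to.
    // Directly assigned roles are still checked by isInRole(Role).
    public boolean isInEffectiveRole(Role role) {
        synchronized (groups) {
            for (Group group : groups) {
                if (group.isInRole(role)) {
                    return true;
                }
            }
        }
        return false;
    }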
Otherwise, group -> role expansion must be performed in the hasRole method in
class UserDatabasePrincipal.
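The difference the report describes, as an added example that is not part of the original report and not Tomcat code: the Role, Group and User classes below are simplified stand-ins (assumptions) and all role and group names are constructed. It shows a direct-only isInRole check missing a group-inherited role, next to an effective check that covers both direct and group roles.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Simplified stand-ins for the Role/Group/User types (hypothetical, not Tomcat's classes).
public class EffectiveRoleDemo {
    record Role(String name) {}

    static class Group {
        final Set<Role> roles = new HashSet<>();
        Group(Role... granted) { roles.addAll(List.of(granted)); }
        boolean isInRole(Role role) { return roles.contains(role); }
    }

    static class User {
        final Set<Role> roles = new HashSet<>();
        final List<Group> groups = new ArrayList<>();

        // Direct assignments only: group membership is not consulted.
        boolean isInRole(Role role) { return roles.contains(role); }

        // Direct roles plus roles inherited from every group the user is in.
        boolean isInEffectiveRole(Role role) {
            if (isInRole(role)) return true;
            for (Group group : groups) {
                if (group.isInRole(role)) return true;
            }
            return false;
        }
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        Role viewer = new Role("viewer");        // constructed sample role
        Role operator = new Role("operator");    // constructed sample role
        User user = new User();
        user.roles.add(viewer);                  // granted directly
        user.groups.add(new Group(operator));    // granted only through a group

        check(user.isInRole(viewer), "direct role seen by isInRole");
        check(!user.isInRole(operator), "group role NOT seen by isInRole");
        check(user.isInEffectiveRole(operator), "group role seen by effective check");
        check(user.isInEffectiveRole(viewer), "direct role seen by effective check");
        check(!user.isInEffectiveRole(new Role("admin")), "ungranted role denied");
    }
}
```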