Author: yoavs
Date: Sun Mar 25 14:31:22 2007
New Revision: 522354
URL: http://svn.apache.org/viewvc?view=rev&rev=522354
Log:
Bugzilla 40150: validate user and role class names in JAAS realm.
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JAASRealm.java?view=diff&rev=522354&r1=522353&r2=522354
==============================================================================
---
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
(original)
+++
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
Sun Mar 25 14:31:22 2007
@@ -230,16 +230,16 @@
}
}
- /**
- * Comma-delimited list of <code>java.security.Principal</code> classes
- * that represent security roles.
- */
- protected String roleClassNames = null;
-
- public String getRoleClassNames() {
- return (this.roleClassNames);
- }
-
+ /**
+ * Comma-delimited list of <code>java.security.Principal</code> classes
+ * that represent security roles.
+ */
+ protected String roleClassNames = null;
+
+ public String getRoleClassNames() {
+ return (this.roleClassNames);
+ }
+
/**
* Sets the list of comma-delimited classes that represent
* roles. The classes in the list must implement
<code>java.security.Principal</code>.
@@ -250,36 +250,48 @@
*/
public void setRoleClassNames(String roleClassNames) {
this.roleClassNames = roleClassNames;
- roleClasses.clear();
- String temp = this.roleClassNames;
- if (temp == null) {
- return;
- }
- while (true) {
- int comma = temp.indexOf(',');
- if (comma < 0) {
- break;
- }
- roleClasses.add(temp.substring(0, comma).trim());
- temp = temp.substring(comma + 1);
- }
- temp = temp.trim();
- if (temp.length() > 0) {
- roleClasses.add(temp);
- }
- }
-
-
- /**
- * Comma-delimited list of <code>java.security.Principal</code> classes
- * that represent individual users.
- */
- protected String userClassNames = null;
-
- public String getUserClassNames() {
- return (this.userClassNames);
- }
-
+ parseClassNames(roleClassNames, roleClasses);
+ }
+
+ /**
+ * Parses a comma-delimited list of class names, and store the class names
+ * in the provided List. Each class must implement
<code>java.security.Principal</code>.
+ *
+ * @param classNamesString a comma-delimited list of fully qualified
class names.
+ * @param classNamesList the list in which the class names will be stored.
+ * The list is cleared before being populated.
+ */
+ protected void parseClassNames(String classNamesString, List
classNamesList) {
+ classNamesList.clear();
+ if (classNamesString == null) return;
+
+ String[] classNames = classNamesString.split("[ ]*,[ ]*");
+ for (int i=0; i<classNames.length; i++) {
+ if (classNames[i].length()==0) continue;
+ try {
+ Class principalClass = Class.forName(classNames[i]);
+ if (Principal.class.isAssignableFrom(principalClass)) {
+ classNamesList.add(classNames[i]);
+ } else {
+ log.error("Class "+classNames[i]+" is not implementing "+
+ "java.security.Principal! Class not added.");
+ }
+ } catch (ClassNotFoundException e) {
+ log.error("Class "+classNames[i]+" not found! Class not
added.");
+ }
+ }
+ }
+
+ /**
+ * Comma-delimited list of <code>java.security.Principal</code> classes
+ * that represent individual users.
+ */
+ protected String userClassNames = null;
+
+ public String getUserClassNames() {
+ return (this.userClassNames);
+ }
+
/**
* Sets the list of comma-delimited classes that represent individual
* users. The classes in the list must implement
<code>java.security.Principal</code>.
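Review bot: `Class.forName(classNames[i])` in parseClassNames resolves each name through JAASRealm's own defining class loader and also runs the class's static initializers, so a Principal class visible only to another loader (for example the thread context class loader) is logged as not found and dropped, and any Error raised during initialization escapes the `catch (ClassNotFoundException e)`. Only the type is checked here, so the three-argument form is enough: `Class principalClass = Class.forName(classNames[i], false, loader);`, with `loader` chosen to match where the login modules' principal classes are actually loaded from. Separately, the split pattern `"[ ]*,[ ]*"` does not strip whitespace at the start or end of the whole attribute (or tabs), which the removed `trim()` calls did, so a value such as `" com.example.UserPrincipal"` (constructed example) now fails the lookup; `String name = classNames[i].trim();` before the length check restores the old tolerance. setUserClassNames in the next hunk goes through the same helper, so both the user and role lists are affected, and a silently shortened list presumably means the realm stops recognising those principals, which deserves more than a log line at startup.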
@@ -290,23 +302,7 @@
*/
public void setUserClassNames(String userClassNames) {
this.userClassNames = userClassNames;
- userClasses.clear();
- String temp = this.userClassNames;
- if (temp == null) {
- return;
- }
- while (true) {
- int comma = temp.indexOf(',');
- if (comma < 0) {
- break;
- }
- userClasses.add(temp.substring(0, comma).trim());
- temp = temp.substring(comma + 1);
- }
- temp = temp.trim();
- if (temp.length() > 0) {
- userClasses.add(temp);
- }
+ parseClassNames(userClassNames, userClasses);
}
Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?view=diff&rev=522354&r1=522353&r2=522354
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Sun Mar 25 14:31:22 2007
@@ -31,6 +31,10 @@
<bug>41477</bug> Add commons-el.jar to bin/catalina-tasks.xml,
required for jasper2 tasks
using EL. Patch by Daniel Santos. (yoavs)
</fix>
+ <fix>
+ <bug>40150</bug> Ensure user and roll classnames are validated on
startup. Patch by
+ Tom. (yoavs)
+ </fix>
</changelog>
</subsection>
<subsection name="Webapps">