Author: yoavs
Date: Sun Mar 25 14:42:05 2007
New Revision: 522356

URL: http://svn.apache.org/viewvc?view=rev&rev=522356
Log:
Bugzilla 40150: validate user and role classes in JAASRealm.  While I'm there, 
typify the relevant lists of class names so that JDK 5+ doesn't complain about 
unchecked operations in this class.

Modified:
    tomcat/tc6.0.x/trunk/build.xml
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/JAASRealm.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/build.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/build.xml?view=diff&rev=522356&r1=522355&r2=522356
==============================================================================
--- tomcat/tc6.0.x/trunk/build.xml (original)
+++ tomcat/tc6.0.x/trunk/build.xml Sun Mar 25 14:42:05 2007
@@ -92,6 +92,7 @@
            source="${compile.source}"
            optimize="${compile.optimize}"
            excludes="**/CVS/**,**/.svn/**">
+<!-- Comment this in to show unchecked warnings:     <compilerarg 
value="-Xlint:unchecked"/> -->
       <classpath refid="tomcat.classpath" />
       <exclude name="org/apache/tomcat/util/net/puretls/**" />
     </javac>

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/JAASRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/JAASRealm.java?view=diff&rev=522356&r1=522355&r2=522356
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/JAASRealm.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/JAASRealm.java Sun Mar 
25 14:42:05 2007
@@ -154,7 +154,7 @@
     /**
      * The list of role class names, split out for easy processing.
      */
-    protected List roleClasses = new ArrayList();
+    protected List<String> roleClasses = new ArrayList<String>();
 
 
     /**
@@ -167,7 +167,7 @@
     /**
      * The set of user class names, split out for easy processing.
      */
-    protected List userClasses = new ArrayList();
+    protected List<String> userClasses = new ArrayList<String>();
 
 
     /**
@@ -230,16 +230,16 @@
         }
     }
 
-    /**
-     * Comma-delimited list of <code>java.security.Principal</code> classes
-     * that represent security roles.
-     */
-    protected String roleClassNames = null;
-
-    public String getRoleClassNames() {
-        return (this.roleClassNames);
-    }
-
+     /**
+      * Comma-delimited list of <code>java.security.Principal</code> classes
+      * that represent security roles.
+      */
+     protected String roleClassNames = null;
+     
+     public String getRoleClassNames() {
+         return (this.roleClassNames);
+     }
+     
      /**
       * Sets the list of comma-delimited classes that represent 
       * roles. The classes in the list must implement 
<code>java.security.Principal</code>.
@@ -250,36 +250,48 @@
       */
      public void setRoleClassNames(String roleClassNames) {
          this.roleClassNames = roleClassNames;
-        roleClasses.clear();
-        String temp = this.roleClassNames;
-        if (temp == null) {
-            return;
-        }
-        while (true) {
-            int comma = temp.indexOf(',');
-            if (comma < 0) {
-                break;
-            }
-            roleClasses.add(temp.substring(0, comma).trim());
-            temp = temp.substring(comma + 1);
-        }
-        temp = temp.trim();
-        if (temp.length() > 0) {
-            roleClasses.add(temp);
-        }
-    }
-
-
-    /**
-     * Comma-delimited list of <code>java.security.Principal</code> classes
-     * that represent individual users.
-     */
-    protected String userClassNames = null;
-
-    public String getUserClassNames() {
-        return (this.userClassNames);
-    }
-
+         parseClassNames(roleClassNames, roleClasses);
+     }
+     
+     /**
+      * Parses a comma-delimited list of class names, and store the class names
+      * in the provided List. Each class must implement 
<codejava.security.Principal</code>.
+      * 
+      * @param classNamesString a comma-delimited list of fully qualified 
class names.
+      * @param classNamesList the list in which the class names will be stored.
+      *        The list is cleared before being populated. 
+      */
+     protected void parseClassNames(String classNamesString, List<String> 
classNamesList) {
+         classNamesList.clear();
+         if (classNamesString == null) return;
+         
+         String[] classNames = classNamesString.split("[ ]*,[ ]*");
+         for (int i=0; i<classNames.length; i++) {
+             if (classNames[i].length()==0) continue;        
+             try {
+                 Class principalClass = Class.forName(classNames[i]);
+                 if (Principal.class.isAssignableFrom(principalClass)) {
+                     classNamesList.add(classNames[i]);
+                 } else {
+                     log.error("Class "+classNames[i]+" is not implementing "+
+                               "java.security.Principal! Class not added.");
+                 }
+             } catch (ClassNotFoundException e) {
+                 log.error("Class "+classNames[i]+" not found! Class not 
added.");
+             }
+         }
+     }     
+     
+     /**
+      * Comma-delimited list of <code>java.security.Principal</code> classes
+      * that represent individual users.
+      */
+     protected String userClassNames = null;
+     
+     public String getUserClassNames() {
+         return (this.userClassNames);
+     }
+     
      /**
      * Sets the list of comma-delimited classes that represent individual
      * users. The classes in the list must implement 
<code>java.security.Principal</code>.
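Review bot: The new parseClassNames loses the whitespace tolerance of the loops it replaces: the split pattern `[ ]*,[ ]*` only consumes spaces adjacent to a comma, so an entry with a leading space, a tab or a line break (easy to get in a server.xml attribute value) reaches Class.forName unchanged, throws ClassNotFoundException and is dropped with nothing but a log line; add `classNames[i] = classNames[i].trim();` before the `length()==0` check so the old `trim()` semantics are kept. Class.forName(String) also resolves against JAASRealm's own defining class loader and runs the class's static initializer; whether that loader is the one the login module's principals actually come from depends on the realm's class-loader configuration, which this hunk does not show, so if it is not the same loader a perfectly valid class is rejected at configuration time — `Class.forName(classNames[i], false, loader)` with an explicitly chosen loader would make that choice visible and avoid initializing configured classes while merely parsing a string. Given the commit's stated aim of silencing unchecked warnings, `Class principalClass` should be `Class<?> principalClass`. Finally, the added field, getter and both methods are indented five spaces with trailing whitespace on the blank lines and on the closing brace of parseClassNames, while the surrounding file (see setUserClassNames further down) uses four.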
@@ -290,23 +302,7 @@
      */
     public void setUserClassNames(String userClassNames) {
         this.userClassNames = userClassNames;
-        userClasses.clear();
-        String temp = this.userClassNames;
-        if (temp == null) {
-            return;
-        }
-        while (true) {
-            int comma = temp.indexOf(',');
-            if (comma < 0) {
-                break;
-            }
-            userClasses.add(temp.substring(0, comma).trim());
-            temp = temp.substring(comma + 1);
-        }
-        temp = temp.trim();
-        if (temp.length() > 0) {
-            userClasses.add(temp);
-        }
+        parseClassNames(userClassNames, userClasses);
     }
 
 
@@ -463,7 +459,7 @@
         // Prepare to scan the Principals for this Subject
         String password = null; // Will not be carried forward
 
-        List roles = new ArrayList();
+        List<String> roles = new ArrayList<String>();
         Principal userPrincipal = null;
 
         // Scan the Principals for this Subject

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?view=diff&rev=522356&r1=522355&r2=522356
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar 25 14:42:05 2007
@@ -44,6 +44,10 @@
         <bug>39883</bug> Add documentation warning about using 
antiResourceLocking
         on a webapp outside the Host's appBase. (yoavs)
       </update>
+      <fix>
+        <bug>40150</bug> Ensure user and roll classnames are validated on 
startup.  Patch by
+          Tom. (yoavs)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">


