[jboss-cvs] JBossAS SVN: r68092 - trunk/tomcat/src/main/org/jboss/web/tomcat/security.
jboss-cvs-commits at lists.jboss.org
Mon Dec 10 01:08:27 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-12-10 01:08:27 -0500 (Mon, 10 Dec 2007)
New Revision: 68092
Modified:
trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
Log:
Do not consult the authorization framework when the base class decision is already negative
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-12-10 06:07:25 UTC (rev 68091)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-12-10 06:08:27 UTC (rev 68092)
@@ -454,39 +454,40 @@
public boolean hasResourcePermission(Request request, Response response,
SecurityConstraint[] securityConstraints, org.apache.catalina.Context context)
throws IOException
- {
+ {
+ boolean ok = false;
boolean baseDecision = ignoreBaseDecision ? true :
super.hasResourcePermission(request,response,
securityConstraints, context);
- Subject caller = this.establishSubjectContext(request.getPrincipal());
-
- SecurityContext sc = SecurityAssociationActions.getSecurityContext();
- AuthorizationManager am = getAuthorizationManager();
- Map<String,Object> contextMap = new HashMap<String,Object>();
- contextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
- contextMap.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
-
- contextMap.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, securityConstraints);
-
- WebAuthorizationHelper helper = new WebAuthorizationHelper(sc, this.enableAudit);
- boolean authzDecision = helper.checkResourcePermission(contextMap, request, response,
- caller, am,
- requestURI(request));
-
- //Do an AND of the RealmBase decision and the authorization framework decision
//By default, the authorization framework always returns PERMIT such that the
//decision of the realm base holds.
- boolean finalDecision = baseDecision && authzDecision;
+ if(baseDecision)
+ {
+ Subject caller = this.establishSubjectContext(request.getPrincipal());
+
+ SecurityContext sc = SecurityAssociationActions.getSecurityContext();
+ AuthorizationManager am = getAuthorizationManager();
+ Map<String,Object> contextMap = new HashMap<String,Object>();
+ contextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
+ contextMap.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
+
+ contextMap.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, securityConstraints);
+
+ WebAuthorizationHelper helper = new WebAuthorizationHelper(sc, this.enableAudit);
+ ok = helper.checkResourcePermission(contextMap, request, response,
+ caller, am,
+ requestURI(request));
+ }
if(trace)
log.trace("hasResourcePerm:RealmBase says:" + baseDecision +
- "::Authz framework says:" + authzDecision + ":final=" + finalDecision);
- if( finalDecision == false )
+ "::Authz framework says:" + ok + ":final=" + ok);
+ if( ok == false )
{
response.sendError(HttpServletResponse.SC_FORBIDDEN,
sm.getString("realmBase.forbidden"));
}
- return finalDecision;
+ return ok;
}
/**
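Review bot: The trace on the new line `"::Authz framework says:" + ok + ":final=" + ok` reports the framework's answer as `false` even when `baseDecision` is false and the helper was never invoked, so a denial's audit trail will wrongly attribute it to the authorization framework. Log whether the framework was consulted instead, e.g. `"::Authz framework says:" + (baseDecision ? String.valueOf(ok) : "not consulted") + ":final=" + ok`. The second hunk's `hasRole` trace has the same misattribution, since `authzDecision` is logged after being left at its `false` default. Initialising `ok` and `authzDecision` to false so the method fails closed is the right default; it is not visible here whether `super.hasResourcePermission` already writes an error response on its own denial before the `response.sendError` call below runs, which would be worth confirming.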
@@ -538,12 +539,16 @@
}
}
+ boolean authzDecision = false;
boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role);
- SecurityContext sc = SecurityAssociationActions.getSecurityContext();
- WebAuthorizationHelper wah = new WebAuthorizationHelper(sc, this.enableAudit);
- boolean authzDecision = wah.hasRole(roleName, principal, servletName,
- getPrincipalRoles(principal), getAuthorizationManager());
+ if(baseDecision)
+ {
+ SecurityContext sc = SecurityAssociationActions.getSecurityContext();
+ WebAuthorizationHelper wah = new WebAuthorizationHelper(sc, this.enableAudit);
+ authzDecision = wah.hasRole(roleName, principal, servletName,
+ getPrincipalRoles(principal), getAuthorizationManager());
+ }
boolean finalDecision = baseDecision && authzDecision;
if(trace)
log.trace("hasRole:RealmBase says:" + baseDecision +