[jboss-cvs] JBossAS SVN: r68092 - trunk/tomcat/src/main/org/jboss/web/tomcat/security.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Mon Dec 10 01:08:27 EST 2007


Author: anil.saldhana at jboss.com
Date: 2007-12-10 01:08:27 -0500 (Mon, 10 Dec 2007)
New Revision: 68092

Modified:
   trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
Log:
Do not consult the authorization framework if the base class decision is negative

Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java	2007-12-10 06:07:25 UTC (rev 68091)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java	2007-12-10 06:08:27 UTC (rev 68092)
@@ -454,39 +454,40 @@
    public boolean hasResourcePermission(Request request, Response response,
          SecurityConstraint[] securityConstraints, org.apache.catalina.Context context)
    throws IOException
-   {   
+   { 
+      boolean ok = false;
       boolean baseDecision =  ignoreBaseDecision ? true :
                    super.hasResourcePermission(request,response, 
                                       securityConstraints, context);  
       
-      Subject caller = this.establishSubjectContext(request.getPrincipal()); 
-
-      SecurityContext sc = SecurityAssociationActions.getSecurityContext();
-      AuthorizationManager am = getAuthorizationManager();
-      Map<String,Object> contextMap = new HashMap<String,Object>();     
-      contextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
-      contextMap.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
-      
-      contextMap.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, securityConstraints);
-      
-      WebAuthorizationHelper helper = new WebAuthorizationHelper(sc, this.enableAudit);
-      boolean authzDecision = helper.checkResourcePermission(contextMap, request, response, 
-                                     caller, am, 
-                                     requestURI(request));
-      
-      //Do an AND of the RealmBase decision and the authorization framework decision
       //By default, the authorization framework always returns PERMIT such that the
       //decision of the realm base holds.
-      boolean finalDecision = baseDecision && authzDecision; 
+      if(baseDecision)
+      {
+         Subject caller = this.establishSubjectContext(request.getPrincipal()); 
+
+         SecurityContext sc = SecurityAssociationActions.getSecurityContext();
+         AuthorizationManager am = getAuthorizationManager();
+         Map<String,Object> contextMap = new HashMap<String,Object>();     
+         contextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
+         contextMap.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
+         
+         contextMap.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, securityConstraints);
+         
+         WebAuthorizationHelper helper = new WebAuthorizationHelper(sc, this.enableAudit);
+         ok = helper.checkResourcePermission(contextMap, request, response, 
+                                        caller, am, 
+                                        requestURI(request));
+      }     
       if(trace)
          log.trace("hasResourcePerm:RealmBase says:" + baseDecision + 
-               "::Authz framework says:" + authzDecision + ":final=" + finalDecision); 
-      if( finalDecision == false )
+               "::Authz framework says:" + ok + ":final=" + ok); 
+      if( ok == false )
       {
          response.sendError(HttpServletResponse.SC_FORBIDDEN,
                sm.getString("realmBase.forbidden"));
       }
-      return finalDecision;
+      return ok;
    }
    
    /**
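Review bot: The trace line now prints `ok` as both the framework's answer and the final decision, so a request denied by RealmBase is logged as `Authz framework says:false` even though the framework was never consulted; when `ignoreBaseDecision` is unset that makes a base-realm denial indistinguishable from a framework denial in the trace. Consider `"::Authz framework says:" + (baseDecision ? ok : "skipped") + ":final=" + ok`, and `if (!ok)` instead of `if( ok == false )`. The removed "Do an AND" comment has no replacement; a comment above the new `if(baseDecision)` such as `// Consult the authorization framework only when the base realm permits; ok defaults to deny` would document the fail-closed intent. The same logging issue applies to the hasRole hunk below, whose trace call continues past the end of that hunk.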
@@ -538,12 +539,16 @@
          }
       }
 
+      boolean authzDecision = false;
       boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role); 
       
-      SecurityContext sc = SecurityAssociationActions.getSecurityContext();      
-      WebAuthorizationHelper wah = new WebAuthorizationHelper(sc, this.enableAudit);
-      boolean authzDecision = wah.hasRole(roleName, principal, servletName, 
-                                     getPrincipalRoles(principal), getAuthorizationManager());
+      if(baseDecision)
+      {  
+         SecurityContext sc = SecurityAssociationActions.getSecurityContext();      
+         WebAuthorizationHelper wah = new WebAuthorizationHelper(sc, this.enableAudit);
+         authzDecision = wah.hasRole(roleName, principal, servletName, 
+                                        getPrincipalRoles(principal), getAuthorizationManager());
+      }
       boolean finalDecision = baseDecision && authzDecision; 
       if(trace)
          log.trace("hasRole:RealmBase says:" + baseDecision + 
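Review bot: The retained `boolean finalDecision = baseDecision && authzDecision;` is now redundant, since `authzDecision` can only become true inside the `if(baseDecision)` block, and a reader may wonder whether the AND still carries meaning. Keeping it as a fail-closed guard is reasonable, but it deserves a comment such as `// authzDecision is only evaluated when baseDecision is true; the AND keeps the deny-by-default contract explicit`. The hasRole method begins and ends outside this hunk.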



