[jboss-cvs] JBossAS SVN: r103425 - trunk/tomcat/src/main/java/org/jboss/web/tomcat/security.

Thu Apr 1 10:25:11 EDT 2010

Author: mmoyses
Date: 2010-04-01 10:25:10 -0400 (Thu, 01 Apr 2010)
New Revision: 103425

Modified:
   trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java
Log:
JBAS-7881: flag to bypass JBoss authz

Modified: trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================

--- trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java	2010-04-01 13:41:07 UTC (rev 103424)
+++ trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java	2010-04-01 14:25:10 UTC (rev 103425)
@@ -119,7 +119,8 @@
    protected boolean ignoreBaseDecision = false;
 
    /**
-    * Should we rely on RealmBase Authorization Check Alone? */
+    * Should we rely on RealmBase Authorization Check Alone?
+    */
    protected boolean ignoreJBossAuthorization = false;
    
    protected static boolean securityManagerFallback = false;
@@ -180,16 +181,15 @@
    public void setIgnoreBaseDecision(boolean ignoreBaseDecision)
    {
       this.ignoreBaseDecision = ignoreBaseDecision;
-      if( ignoreBaseDecision && ignoreJBossAuthorization )
-         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+      if (ignoreBaseDecision && ignoreJBossAuthorization)
+         throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
    }
 
-
    public void setIgnoreJBossAuthorization(boolean ignoreJBossAuthz )
    {
       this.ignoreJBossAuthorization = ignoreJBossAuthz;
-      if( ignoreBaseDecision && ignoreJBossAuthorization )
-         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+      if (ignoreBaseDecision && ignoreJBossAuthorization)
+         throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
    }
 
    //*************************************************************************
@@ -486,13 +486,16 @@
    public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] securityConstraints,
          org.apache.catalina.Context context) throws IOException
    {
-      boolean ok = false;
+      if (ignoreBaseDecision && ignoreJBossAuthorization)
+         throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
+      
+      boolean ok = ignoreJBossAuthorization ? true : false;
       boolean baseDecision = ignoreBaseDecision ? true : super.hasResourcePermission(request, response,
             securityConstraints, context);
 
       //By default, the authorization framework always returns PERMIT such that the
       //decision of the realm base holds.
-      if (baseDecision)
+      if (baseDecision && !ignoreJBossAuthorization)
       {
          Subject caller = this.establishSubjectContext(request.getPrincipal());
 
@@ -522,13 +525,14 @@
          ok = helper.checkResourcePermission(contextMap, request, response, caller, PolicyContext.getContextID(),
                requestURI(request));
       }
+      boolean finalDecision = baseDecision && ok;
       if (trace)
-         log.trace("hasResourcePerm:RealmBase says:" + baseDecision + "::Authz framework says:" + ok + ":final=" + ok);
-      if (ok == false)
+         log.trace("hasResourcePerm:RealmBase says:" + baseDecision + "::Authz framework says:" + ok + ":final=" + finalDecision);
+      if (!finalDecision)
       {
          response.sendError(HttpServletResponse.SC_FORBIDDEN, sm.getString("realmBase.forbidden"));
       }
-      return ok;
+      return finalDecision;
    }
 
    /**
@@ -545,8 +549,8 @@
     */
    public boolean hasRole(Principal principal, String role)
    {
-      if( ignoreBaseDecision && ignoreJBossAuthorization )
-         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+      if (ignoreBaseDecision && ignoreJBossAuthorization)
+         throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
 
       String servletName = null;
       //WebProgrammaticAuthentication does not go through hasResourcePermission
@@ -585,10 +589,10 @@
          }
       }
 
-      boolean authzDecision = false;
+      boolean authzDecision = ignoreJBossAuthorization ? true : false;
       boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role);
 
-      if (baseDecision && !ignoreJBossAuthorization )
+      if (baseDecision && !ignoreJBossAuthorization)
       {
          SecurityContext sc = SecurityAssociationActions.getSecurityContext();
 
@@ -630,12 +634,12 @@
    public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraints)
          throws IOException
    {
-      if( ignoreBaseDecision && ignoreJBossAuthorization )
-         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+      if (ignoreBaseDecision && ignoreJBossAuthorization)
+         throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
 
       boolean ok = ignoreBaseDecision ? true : super.hasUserDataPermission(request, response, constraints);
       //If the realmbase check has passed, then we can go to authz framework
-      if (ok && !ignoreJBossAuthorization )
+      if (ok && !ignoreJBossAuthorization)
       {
          Principal requestPrincipal = request.getPrincipal();
          establishSubjectContext(requestPrincipal);


