[jboss-cvs] JBossAS SVN: r103425 - trunk/tomcat/src/main/java/org/jboss/web/tomcat/security.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu Apr 1 10:25:11 EDT 2010
Author: mmoyses
Date: 2010-04-01 10:25:10 -0400 (Thu, 01 Apr 2010)
New Revision: 103425
Modified:
trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java
Log:
JBAS-7881: flag to bypass JBoss authz
Modified: trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java 2010-04-01 13:41:07 UTC (rev 103424)
+++ trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java 2010-04-01 14:25:10 UTC (rev 103425)
@@ -119,7 +119,8 @@
protected boolean ignoreBaseDecision = false;
/**
- * Should we rely on RealmBase Authorization Check Alone? */
+ * Should we rely on RealmBase Authorization Check Alone?
+ */
protected boolean ignoreJBossAuthorization = false;
protected static boolean securityManagerFallback = false;
@@ -180,16 +181,15 @@
public void setIgnoreBaseDecision(boolean ignoreBaseDecision)
{
this.ignoreBaseDecision = ignoreBaseDecision;
- if( ignoreBaseDecision && ignoreJBossAuthorization )
- throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+ if (ignoreBaseDecision && ignoreJBossAuthorization)
+ throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
}
-
public void setIgnoreJBossAuthorization(boolean ignoreJBossAuthz )
{
this.ignoreJBossAuthorization = ignoreJBossAuthz;
- if( ignoreBaseDecision && ignoreJBossAuthorization )
- throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+ if (ignoreBaseDecision && ignoreJBossAuthorization)
+ throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
}
//*************************************************************************
@@ -486,13 +486,16 @@
public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] securityConstraints,
org.apache.catalina.Context context) throws IOException
{
- boolean ok = false;
+ if (ignoreBaseDecision && ignoreJBossAuthorization)
+ throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
+
+ boolean ok = ignoreJBossAuthorization ? true : false;
boolean baseDecision = ignoreBaseDecision ? true : super.hasResourcePermission(request, response,
securityConstraints, context);
//By default, the authorization framework always returns PERMIT such that the
//decision of the realm base holds.
- if (baseDecision)
+ if (baseDecision && !ignoreJBossAuthorization)
{
Subject caller = this.establishSubjectContext(request.getPrincipal());
@@ -522,13 +525,14 @@
ok = helper.checkResourcePermission(contextMap, request, response, caller, PolicyContext.getContextID(),
requestURI(request));
}
+ boolean finalDecision = baseDecision && ok;
if (trace)
- log.trace("hasResourcePerm:RealmBase says:" + baseDecision + "::Authz framework says:" + ok + ":final=" + ok);
- if (ok == false)
+ log.trace("hasResourcePerm:RealmBase says:" + baseDecision + "::Authz framework says:" + ok + ":final=" + finalDecision);
+ if (!finalDecision)
{
response.sendError(HttpServletResponse.SC_FORBIDDEN, sm.getString("realmBase.forbidden"));
}
- return ok;
+ return finalDecision;
}
/**
@@ -545,8 +549,8 @@
*/
public boolean hasRole(Principal principal, String role)
{
- if( ignoreBaseDecision && ignoreJBossAuthorization )
- throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+ if (ignoreBaseDecision && ignoreJBossAuthorization)
+ throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
String servletName = null;
//WebProgrammaticAuthentication does not go through hasResourcePermission
@@ -585,10 +589,10 @@
}
}
- boolean authzDecision = false;
+ boolean authzDecision = ignoreJBossAuthorization ? true : false;
boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role);
- if (baseDecision && !ignoreJBossAuthorization )
+ if (baseDecision && !ignoreJBossAuthorization)
{
SecurityContext sc = SecurityAssociationActions.getSecurityContext();
@@ -630,12 +634,12 @@
public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraints)
throws IOException
{
- if( ignoreBaseDecision && ignoreJBossAuthorization )
- throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+ if (ignoreBaseDecision && ignoreJBossAuthorization)
+ throw new RuntimeException("One of ignoreBaseDecision or ignoreJBossAuthorization should be false");
boolean ok = ignoreBaseDecision ? true : super.hasUserDataPermission(request, response, constraints);
//If the realmbase check has passed, then we can go to authz framework
- if (ok && !ignoreJBossAuthorization )
+ if (ok && !ignoreJBossAuthorization)
{
Principal requestPrincipal = request.getPrincipal();
establishSubjectContext(requestPrincipal);
More information about the jboss-cvs-commits
mailing list