[jboss-jira] [JBoss JIRA] Created: (JBAS-4249) isUserInRole returns always false when jacc is enabled and the principal roles are empty

Monday, 26 March 2007

isUserInRole returns always false when jacc is enabled and the principal roles are empty
----------------------------------------------------------------------------------------

                 Key: JBAS-4249
                 URL: http://jira.jboss.com/jira/browse/JBAS-4249
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Web (Tomcat) service
    Affects Versions: JBossAS-4.0.5.GA
            Reporter: Roland Räz
         Assigned To: Remy Maucherat

We are using our won jacc policy and login modules that don't add (cache) the roles in
the principal. In this situation, the org.jboss.web.tomcat.security.JaccAuthorizationRealm
hasRole method always returns false. The reason behind that is that the method hasRole
setups a Principal array that does not contain the principal itself (only the roles are
contained) when getPrincipalRoles return a not null Set. The getPrincipalRoles retuns for
the above described setup not null.

The following code fixes the issue:

public boolean hasRole(Principal principal, String name)
   {
      ...
      Principal[] principals = {principal};
      Set roles = getPrincipalRoles(principal);
      if( roles != null )
      {
         principals = new Principal[roles.size() + 1];
         principals[0]= principal;
    	 Iterator it = roles.iterator();
    	 for (int i=1;it.hasNext();i++) {
    		 principals[i] =(Principal) it.next();
    	 }
      }
      ...

In my opinion it would be even cleaner to use only the Principal and do not using the
principal roles as own identity when querying a jacc provider. JBoss could then still
extract in it's own jacc provider the principal roles from the principal. In the
current design there is a clash between the role and principal names. The better solution
is used in the EJB 2.x code
(org.jboss.ejb.enterpriseContext.isCallerInRoleCheckForJacc();

It looks like this for servlets:

...
Principal[] principals = {principal};
...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-jira] [JBoss JIRA] Created: (JBAS-4249) isUserInRole returns always false when jacc is enabled and the principal roles are empty