[
https://jira.jboss.org/jira/browse/JBAS-4249?page=com.atlassian.jira.plug...
]
Remy Maucherat resolved JBAS-4249.
----------------------------------
Resolution: Cannot Reproduce Bug
Reopen with new details if it still occurs in current AS releases.
isUserInRole returns always false when jacc is enabled and the principal roles are empty
----------------------------------------------------------------------------------------
Key: JBAS-4249
URL: https://jira.jboss.org/jira/browse/JBAS-4249
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Web (Tomcat) service
Affects Versions: JBossAS-4.0.5.GA
Reporter: Roland Räz
Assignee: Remy Maucherat
We are using our own jacc policy and login modules that don't add (cache) the roles
in the principal. In this situation, the
org.jboss.web.tomcat.security.JaccAuthorizationRealm hasRole method always returns false.
The reason behind that is that the method hasRole sets up a Principal array that does not
contain the principal itself (only the roles are contained) when getPrincipalRoles returns
a non-null Set. For the setup described above, getPrincipalRoles returns non-null.
The following code fixes the issue:
    public boolean hasRole(Principal principal, String name)
    {
        ...
        Principal[] principals = {principal};
        Set roles = getPrincipalRoles(principal);
        if( roles != null )
        {
            principals = new Principal[roles.size() + 1];
            principals[0] = principal;
            Iterator it = roles.iterator();
            for (int i = 1; it.hasNext(); i++) {
                principals[i] = (Principal) it.next();
            }
        }
        ...
In my opinion it would be even cleaner to use only the Principal and not use the
principal roles as their own identity when querying a jacc provider. JBoss could then still
extract the principal roles from the principal in its own jacc provider. In the
current design there is a clash between the role and principal names. The better solution
is used in the EJB 2.x code
(org.jboss.ejb.enterpriseContext.isCallerInRoleCheckForJacc()).
It looks like this for servlets:
    ...
    Principal[] principals = {principal};
    ...
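Added example, not part of the original report and not JBoss code: a self-contained illustration of why a policy that resolves roles from the caller's identity denies every role check when the ProtectionDomain carries only the (empty) cached role set, and grants it once the caller principal is included as in the fix proposed above. UserMappingPolicy, RoleRefPermission (a stand-in for javax.security.jacc.WebRoleRefPermission), NamedPrincipal and the user "alice" are all assumptions made for the illustration.

```java
import java.security.*;
import java.util.*;

public class JaccPrincipalDemo {
    // Stand-in for javax.security.jacc.WebRoleRefPermission, which is not in the JDK.
    static class RoleRefPermission extends BasicPermission {
        RoleRefPermission(String role) { super(role); }
    }

    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical custom policy: roles are looked up by caller name at decision
    // time; the login module caches nothing on the principal.
    static class UserMappingPolicy {
        private final Map<String, Set<String>> rolesByUser = new HashMap<>();
        UserMappingPolicy() {
            rolesByUser.put("alice", new HashSet<>(Arrays.asList("admin"))); // constructed sample data
        }
        boolean implies(ProtectionDomain pd, Permission p) {
            for (Principal caller : pd.getPrincipals()) {
                Set<String> roles = rolesByUser.get(caller.getName());
                if (roles != null && roles.contains(p.getName())) return true;
            }
            return false; // no principal in the domain maps to the requested role
        }
    }

    static boolean check(UserMappingPolicy policy, Principal[] principals, String role) {
        ProtectionDomain pd = new ProtectionDomain(null, null, null, principals);
        return policy.implies(pd, new RoleRefPermission(role));
    }

    public static void main(String[] args) {
        Principal alice = new NamedPrincipal("alice");
        Set<Principal> cachedRoles = Collections.emptySet(); // non-null but empty, as in the report
        UserMappingPolicy policy = new UserMappingPolicy();

        // Reported behaviour: the array holds only the cached roles, so it is empty.
        Principal[] rolesOnly = cachedRoles.toArray(new Principal[0]);
        // Proposed fix: caller principal first, then any cached roles.
        List<Principal> fixed = new ArrayList<>(cachedRoles);
        fixed.add(0, alice);
        Principal[] withCaller = fixed.toArray(new Principal[0]);

        System.out.println("roles only : " + check(policy, rolesOnly, "admin"));
        System.out.println("with caller: " + check(policy, withCaller, "admin"));
    }
}
```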