[jboss-jira] [JBoss JIRA] Created: (JBAS-4249) isUserInRole returns always false when jacc is enabled and the principal roles are empty

Roland Räz (JIRA) jira-events at lists.jboss.org
Mon Mar 26 09:22:57 EDT 2007


isUserInRole returns always false when jacc is enabled and the principal roles are empty
----------------------------------------------------------------------------------------

                 Key: JBAS-4249
                 URL: http://jira.jboss.com/jira/browse/JBAS-4249
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Web (Tomcat) service
    Affects Versions: JBossAS-4.0.5.GA
            Reporter: Roland Räz
         Assigned To: Remy Maucherat


We are using our own jacc policy and login modules that don't add (cache) the roles in the principal. In this situation, the org.jboss.web.tomcat.security.JaccAuthorizationRealm hasRole method always returns false. The reason behind that is that the method hasRole sets up a Principal array that does not contain the principal itself (only the roles are contained) when getPrincipalRoles returns a non-null Set. For the setup described above, getPrincipalRoles returns non-null.

The following code fixes the issue:

public boolean hasRole(Principal principal, String name)
{
   // ... (unchanged code before the principal array is built)
   // Start with the caller principal itself so it is never dropped.
   Principal[] principals = {principal};
   Set roles = getPrincipalRoles(principal);
   if( roles != null )
   {
      // Room for the caller plus every cached role principal;
      // the caller goes in slot 0, the roles follow.
      principals = new Principal[roles.size() + 1];
      principals[0] = principal;
      Iterator it = roles.iterator();
      for (int i = 1; it.hasNext(); i++) {
         principals[i] = (Principal) it.next();
      }
   }
   // ... (unchanged code that queries the JACC policy with the array)
}



In my opinion it would be even cleaner to use only the Principal and not use the principal roles as their own identity when querying a jacc provider. JBoss could then still extract, in its own jacc provider, the principal roles from the principal. In the current design there is a clash between the role and principal names. The better solution is used in the EJB 2.x code (org.jboss.ejb.EnterpriseContext.isCallerInRoleCheckForJacc()).

It looks like this for servlets:

...
Principal[] principals = {principal};
...


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
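The following is an added, self-contained illustration of the defect described in this report and of the patched array construction; it is not code from JBoss or from the reporter. It replaces the JACC-specific pieces with stand-ins: a toy `RoleRefPermission` in place of `javax.security.jacc.WebRoleRefPermission`, a constructed `SimplePrincipal`, and a `UserLookupPolicy` that resolves roles from the caller principal on its own (the design the report argues for), rather than reading role principals out of the domain. The user name "alice", the role "admin" and the method names `principalsBuggy`/`principalsFixed`/`hasRole` are assumptions made for the example.

```java
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class JaccHasRoleDemo {

    // Stand-in for WebRoleRefPermission (assumption: permission name == role name).
    static final class RoleRefPermission extends BasicPermission {
        RoleRefPermission(String role) { super(role); }
    }

    // Constructed minimal principal keyed by name.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Toy JACC-style provider: it looks the caller up in its own user->roles map,
    // so it only needs the caller principal in the ProtectionDomain, not role principals.
    static final class UserLookupPolicy extends Policy {
        private final Map<String, Set<String>> rolesByUser;
        UserLookupPolicy(Map<String, Set<String>> rolesByUser) { this.rolesByUser = rolesByUser; }
        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof RoleRefPermission) || domain.getPrincipals() == null) {
                return false;
            }
            for (Principal p : domain.getPrincipals()) {
                Set<String> roles = rolesByUser.get(p.getName());
                if (roles != null && roles.contains(permission.getName())) {
                    return true;
                }
            }
            return false;
        }
    }

    // Array construction as the report describes the unpatched realm: when the cached
    // role set is non-null, only the role principals are kept and the caller is dropped.
    static Principal[] principalsBuggy(Principal principal, Set<Principal> roles) {
        Principal[] principals = {principal};
        if (roles != null) {
            principals = new Principal[roles.size()];
            int i = 0;
            for (Principal r : roles) principals[i++] = r;
        }
        return principals;
    }

    // Array construction from the report's patch: caller in slot 0, cached roles after it.
    static Principal[] principalsFixed(Principal principal, Set<Principal> roles) {
        Principal[] principals = {principal};
        if (roles != null) {
            principals = new Principal[roles.size() + 1];
            principals[0] = principal;
            int i = 1;
            for (Principal r : roles) principals[i++] = r;
        }
        return principals;
    }

    // The realm's role query: wrap the principals in a ProtectionDomain and ask the policy.
    static boolean hasRole(Policy policy, Principal[] principals, String role) {
        CodeSource cs = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null, null, principals);
        return policy.implies(pd, new RoleRefPermission(role));
    }

    public static void main(String[] args) {
        Map<String, Set<String>> rolesByUser = Collections.singletonMap("alice", Collections.singleton("admin"));
        Policy policy = new UserLookupPolicy(rolesByUser);
        Principal alice = new SimplePrincipal("alice");
        // A login module that does not cache roles yields an empty, but non-null, set.
        Set<Principal> cachedRoles = Collections.emptySet();

        System.out.println("buggy array length: " + principalsBuggy(alice, cachedRoles).length);
        System.out.println("buggy hasRole(admin): " + hasRole(policy, principalsBuggy(alice, cachedRoles), "admin"));
        System.out.println("fixed hasRole(admin): " + hasRole(policy, principalsFixed(alice, cachedRoles), "admin"));
    }
}
```

With an empty cached role set, `principalsBuggy` hands the policy a zero-length array, so a provider that keys on the caller has nothing to look up; `principalsFixed` always carries the caller in slot 0. The stand-in policy also shows the name clash the report mentions: a provider that only sees names cannot tell a role principal called "admin" from a user called "admin", which is why resolving roles from the caller principal inside the provider is the cleaner design.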