[jboss-jira] [JBoss JIRA] Resolved: (JBAS-4249) isUserInRole returns always false when jacc is enabled and the principal roles are empty
Remy Maucherat (JIRA)
jira-events at lists.jboss.org
Fri Feb 5 10:09:26 EST 2010
[ https://jira.jboss.org/jira/browse/JBAS-4249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remy Maucherat resolved JBAS-4249.
----------------------------------
Resolution: Cannot Reproduce Bug
Reopen with new details if it still occurs in current AS releases.
> isUserInRole returns always false when jacc is enabled and the principal roles are empty
> ----------------------------------------------------------------------------------------
>
> Key: JBAS-4249
> URL: https://jira.jboss.org/jira/browse/JBAS-4249
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service
> Affects Versions: JBossAS-4.0.5.GA
> Reporter: Roland Räz
> Assignee: Remy Maucherat
>
> We are using our own JACC policy and login modules that don't add (cache) the roles in the principal. In this situation, the org.jboss.web.tomcat.security.JaccAuthorizationRealm hasRole method always returns false. The reason behind that is that the method hasRole sets up a Principal array that does not contain the principal itself (only the roles are contained) when getPrincipalRoles returns a not-null Set. For the above-described setup, getPrincipalRoles returns not null.
> The following code fixes the issue:
> public boolean hasRole(Principal principal, String name)
> {
>     ...
>     // the caller principal itself always goes first; cached role principals follow it
>     Principal[] principals = {principal};
>     Set roles = getPrincipalRoles(principal);
>     if( roles != null )
>     {
>         principals = new Principal[roles.size() + 1];
>         principals[0] = principal;
>         Iterator it = roles.iterator();
>         for (int i = 1; it.hasNext(); i++) {
>             principals[i] = (Principal) it.next();
>         }
>     }
>     ...
> In my opinion it would be even cleaner to use only the Principal and not use the principal roles as their own identity when querying a JACC provider. JBoss could then still extract the principal roles from the principal in its own JACC provider. In the current design there is a clash between the role and principal names. The better solution is used in the EJB 2.x code (org.jboss.ejb.enterpriseContext.isCallerInRoleCheckForJacc()).
> It looks like this for servlets:
> ...
> Principal[] principals = {principal};
> ...
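To make the failure mode concrete, here is an added stand-alone example (not JBoss code and not the reporter's patch) that models the realm's check as Policy.implies over a ProtectionDomain, with a policy that derives roles from the caller principal's name, as the report describes. RoleRefPermission and PrincipalDerivedPolicy are hypothetical stand-ins for JACC's WebRoleRefPermission and a custom provider; the caller "alice" and her "admin" role are constructed sample data, and Java 9+ is assumed for Map.of/Set.of.

```java
import java.security.*;
import java.util.*;

// Hypothetical stand-in for JACC's WebRoleRefPermission (javax.security.jacc is not part of the JDK).
final class RoleRefPermission extends BasicPermission {
    RoleRefPermission(String role) { super(role); }
}

// A JACC-style policy of the kind the report describes: roles are derived from the caller
// principal's name, so the principal itself must be in the ProtectionDomain, not cached role principals.
final class PrincipalDerivedPolicy extends Policy {
    private final Map<String, Set<String>> rolesOf;
    PrincipalDerivedPolicy(Map<String, Set<String>> rolesOf) { this.rolesOf = rolesOf; }
    @Override public boolean implies(ProtectionDomain pd, Permission p) {
        if (!(p instanceof RoleRefPermission)) return false;
        for (Principal pr : pd.getPrincipals()) {
            Set<String> roles = rolesOf.get(pr.getName());
            if (roles != null && roles.contains(p.getName())) return true;
        }
        return false;
    }
}

public class HasRoleDemo {
    // Array built the way the report says JaccAuthorizationRealm.hasRole did it:
    // a non-null (even empty) role set replaces the principal instead of extending it.
    static Principal[] buggyPrincipals(Principal principal, Set<Principal> roles) {
        return roles == null ? new Principal[] { principal } : roles.toArray(new Principal[0]);
    }
    // Array built as the report's fix does it: caller principal at index 0, cached roles after it.
    static Principal[] fixedPrincipals(Principal principal, Set<Principal> roles) {
        if (roles == null) return new Principal[] { principal };
        Principal[] out = new Principal[roles.size() + 1];
        out[0] = principal;
        int i = 1;
        for (Principal r : roles) out[i++] = r;
        return out;
    }
    // The realm's check: Policy.implies over a ProtectionDomain carrying the principal array.
    static boolean hasRole(Policy policy, Principal[] principals, String role) {
        return policy.implies(new ProtectionDomain(null, null, null, principals), new RoleRefPermission(role));
    }
    public static void main(String[] args) {
        Principal alice = () -> "alice";                                   // constructed sample caller
        Policy policy = new PrincipalDerivedPolicy(Map.of("alice", Set.of("admin")));
        Set<Principal> noCachedRoles = Collections.emptySet();            // login module caches no roles
        System.out.println("buggy: " + hasRole(policy, buggyPrincipals(alice, noCachedRoles), "admin"));
        System.out.println("fixed: " + hasRole(policy, fixedPrincipals(alice, noCachedRoles), "admin"));
    }
}
```

With the empty role set, the buggy array is empty so the policy never sees the caller, while the fixed array carries the principal and the role check can succeed.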
--
This message is automatically generated by JIRA.