From: <jbo...@li...> - 2005-11-22 11:06:35
Author: rem...@jb...
Date: 2005-11-22 06:06:05 -0500 (Tue, 22 Nov 2005)
New Revision: 1618
Modified:
trunk/labs/jbossweb/src/share/classes/org/apache/catalina/authenticator/AuthenticatorBase.java
trunk/labs/jbossweb/src/share/classes/org/apache/catalina/realm/RealmBase.java
Log:
- Port patch.
Modified: trunk/labs/jbossweb/src/share/classes/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
--- trunk/labs/jbossweb/src/share/classes/org/apache/catalina/authenticator/AuthenticatorBase.java	2005-11-22 00:12:38 UTC (rev 1617)
+++ trunk/labs/jbossweb/src/share/classes/org/apache/catalina/authenticator/AuthenticatorBase.java	2005-11-22 11:06:05 UTC (rev 1618)
@@ -69,7 +69,7 @@
  * requests. Requests of any other type will simply be passed through.
  *
  * @author Craig R. McClanahan
- * @version $Revision: 322520 $ $Date: 2005-10-17 00:21:00 +0200 (lun., 17 oct. 2005) $
+ * @version $Revision: 348087 $ $Date: 2005-11-22 06:06:40 +0100 (mar., 22 nov. 2005) $
  */
@@ -468,28 +468,33 @@
              */
             return;
         }
-
-        for(i=0; i < constraints.length; i++) {
-            // Authenticate based upon the specified login configuration
-            if (constraints[i].getAuthConstraint()) {
+
+        // Since authenticate modifies the response on failure,
+        // we have to check for allow-from-all first.
+        boolean authRequired = true;
+        for(i=0; i < constraints.length && authRequired; i++) {
+            if(!constraints[i].getAuthConstraint()) {
+                authRequired = false;
+            }
+        }
+
+        if(authRequired) {
+            if (log.isDebugEnabled()) {
+                log.debug(" Calling authenticate()");
+            }
+            if (!authenticate(request, response, config)) {
                 if (log.isDebugEnabled()) {
-                    log.debug(" Calling authenticate()");
+                    log.debug(" Failed authenticate() test");
                 }
-                if (!authenticate(request, response, config)) {
-                    if (log.isDebugEnabled()) {
-                        log.debug(" Failed authenticate() test");
-                    }
-                    /*
-                     * ASSERT: Authenticator already set the appropriate
-                     * HTTP status code, so we do not have to do anything
-                     * special
-                     */
-                    return;
-                } else {
-                    break;
-                }
-            }
+                /*
+                 * ASSERT: Authenticator already set the appropriate
+                 * HTTP status code, so we do not have to do anything
+                 * special
+                 */
+                return;
+            }
         }
+
         if (log.isDebugEnabled()) {
             log.debug(" Calling accessControl()");
         }
Modified: trunk/labs/jbossweb/src/share/classes/org/apache/catalina/realm/RealmBase.java
===================================================================
--- trunk/labs/jbossweb/src/share/classes/org/apache/catalina/realm/RealmBase.java	2005-11-22 00:12:38 UTC (rev 1617)
+++ trunk/labs/jbossweb/src/share/classes/org/apache/catalina/realm/RealmBase.java	2005-11-22 11:06:05 UTC (rev 1618)
@@ -60,7 +60,7 @@
  * location) are identical to those currently supported by Tomcat 3.X.
  *
  * @author Craig R. McClanahan
- * @version $Revision: 325874 $ $Date: 2005-10-17 12:39:15 +0200 (lun., 17 oct. 2005) $
+ * @version $Revision: 348091 $ $Date: 2005-11-22 06:18:05 +0100 (mar., 22 nov. 2005) $
  */
 public abstract class RealmBase
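Review bot: Skipping authenticate() whenever one matching constraint has no auth-constraint (the `authRequired` loop at the top of the hunk) means a request that also matches a role-restricted constraint reaches accessControl() with no principal even when credentials were supplied, so the outcome now depends entirely on how the realm treats principal == null, and that coupling is stated nowhere in the code. The comment `// Since authenticate modifies the response on failure, // we have to check for allow-from-all first.` gives the reason but not the rule; I would reword it to `// authenticate() writes the failure status into the response, so call it only when every matching constraint carries an auth-constraint; otherwise accessControl() decides, possibly with no principal.` The skipped path is also silent: an `else if (log.isDebugEnabled()) log.debug(" No auth-constraint on a matching constraint, skipping authenticate()");` after the `if(authRequired)` block would make the decision traceable when diagnosing access denials. The enclosing method starts and ends outside the hunk.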
@@ -724,26 +724,26 @@
         // Which user principal have we already authenticated?
         Principal principal = request.getPrincipal();
+        boolean status = false;
+        boolean denyfromall = false;
         for(int i=0; i < constraints.length; i++) {
             SecurityConstraint constraint = constraints[i];
             String roles[] = constraint.findAuthRoles();
             if (roles == null)
                 roles = new String[0];
-            if (constraint.getAllRoles())
-                return (true);
+            if (constraint.getAllRoles() && !denyfromall)
+                status = true;
             if (log.isDebugEnabled())
                 log.debug(" Checking roles " + principal);
             if (roles.length == 0) {
                 if(constraint.getAuthConstraint()) {
-                    response.sendError
-                        (HttpServletResponse.SC_FORBIDDEN,
-                         sm.getString("realmBase.forbidden"));
                     if( log.isDebugEnabled() )
                         log.debug("No roles ");
-                    return (false); // No listed roles means no access at all
+                    status = false; // No listed roles means no access at all
+                    denyfromall = true;
                 } else {
                     if(log.isDebugEnabled())
                         log.debug("Passing all access");
@@ -752,25 +752,24 @@
                 }
             } else if (principal == null) {
                 if (log.isDebugEnabled())
                     log.debug(" No user authenticated, cannot grant access");
-                response.sendError
-                    (HttpServletResponse.SC_FORBIDDEN,
-                     sm.getString("realmBase.notAuthenticated"));
-                return (false);
-            }
+                status = false;
+            } else if(!denyfromall) {
-
-                for (int j = 0; j < roles.length; j++) {
-                    if (hasRole(principal, roles[j]))
-                        return (true);
-                    if( log.isDebugEnabled() )
-                        log.debug( "No role found: " + roles[j]);
+                for (int j = 0; j < roles.length; j++) {
+                    if (hasRole(principal, roles[j]))
+                        status = true;
+                    if( log.isDebugEnabled() )
+                        log.debug( "No role found: " + roles[j]);
+                }
             }
         }
         // Return a "Forbidden" message denying access to this resource
-        response.sendError
-            (HttpServletResponse.SC_FORBIDDEN,
-             sm.getString("realmBase.forbidden"));
-        return (false);
+        if(!status) {
+            response.sendError
+                (HttpServletResponse.SC_FORBIDDEN,
+                 sm.getString("realmBase.forbidden"));
+        }
+        return status;
     }
|
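Review bot: `status` is a single flag that later constraints overwrite in both directions: `if (constraint.getAllRoles() && !denyfromall) status = true;` grants, while the `principal == null` branch in the next hunk sets `status = false;` without setting `denyfromall`, so for a request matching an all-roles constraint and a role-restricted one the result depends on the order of constraints[]. If only an empty auth-constraint is meant to be a sticky deny, the unauthenticated branch should leave `status` untouched (it is already false unless an earlier constraint granted), or grant and deny should be tracked separately; a short comment on `boolean status` / `boolean denyfromall` stating which one wins would help as well. The two unchanged lines between this hunk and the next (the rest of the `Passing all access` branch) are not visible here; if that branch still returns early, a later empty auth-constraint would never be evaluated, which is worth confirming. The enclosing method starts outside the hunk.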
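Review bot: In the rewritten role loop `if (hasRole(principal, roles[j])) status = true;` no longer exits, so the following `log.debug( "No role found: " + roles[j]);` now fires for every role, matched or not, which makes the debug trail misleading when diagnosing a 403; change it to `else if( log.isDebugEnabled() ) log.debug( "No role found: " + roles[j]);`. Once `status` is true the remaining hasRole() lookups are wasted, so a `break;` after `status = true;` would keep the realm call count where it was before the patch. With `return status;` as the single exit, the `realmBase.notAuthenticated` message removed above is no longer sent from this method; fine if intentional, but the message key may now be unused.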