Author: markt Date: Mon Jan 2 07:46:04 2006 New Revision: 365363 URL: http://svn.apache.org/viewcvs?rev=365363&view=rev Log: Fix bug 15570. Magic role of * was interpreted as all authenticated users rather than as all roles defined in web.xml Ported from TC4.
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java tomcat/container/tc5.5.x/webapps/docs/changelog.xml Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java URL: http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java?rev=365363&r1=365362&r2=365363&view=diff ============================================================================== --- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java (original) +++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/realm/RealmBase.java Mon Jan 2 07:46:04 2006 @@ -728,12 +728,17 @@ boolean denyfromall = false; for(int i=0; i < constraints.length; i++) { SecurityConstraint constraint = constraints[i]; - String roles[] = constraint.findAuthRoles(); + + String roles[]; + if (constraint.getAllRoles()) { + // * means all roles defined in web.xml + roles = request.getContext().findSecurityRoles(); + } else { + roles = constraint.findAuthRoles(); + } + if (roles == null) roles = new String[0]; - - if (constraint.getAllRoles() && !denyfromall) - status = true; if (log.isDebugEnabled()) log.debug(" Checking roles " + principal); Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml URL: http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=365363&r1=365362&r2=365363&view=diff ============================================================================== --- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original) +++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Mon Jan 2 07:46:04 2006 
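Review bot: In the new `getAllRoles()` branch, a web application that uses `*` but declares no `<security-role>` entries ends up with an empty `roles` array, and the old `status = true` shortcut that used to cover this case is removed. The role-matching code that consumes `roles` lies below the hunk, so it should be confirmed there that an empty array under `getAllRoles()` results in a denial and cannot reach a "no roles listed, pass everything" branch. If denial is the intended outcome, I would state it in the comment, e.g. `// "*" expands to the roles declared via <security-role> in web.xml; if none are declared, nobody matches`. A debug line next to the existing one, such as `log.debug("  '*' expanded to " + roles.length + " declared role(s)");`, would let an operator trace an unexpected denial after the upgrade back to missing role declarations.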
@@ -31,11 +31,18 @@ <bug>37934</bug>: Don't ask for authentication if deny-from-all is in effect. (billbarker) </fix> <fix> + <bug>15570</bug>: auth-constraint of * was interpretted as all + authenticated users rather than as all roles defined in web.xml. (markt) + </fix> + <fix> Remove leftover static logger which was used to log application level messages in ApplicationContextFacade (remm) </fix> <fix> <bug>38012</bug>: Where a CGI script sets a response code, use it. (markt) + </fix> + <fix> + <bug>37854</bug>: Extension-List checking was too strict. (markt) </fix> </changelog> </subsection>