[
https://issues.apache.org/jira/browse/TOMEE-1492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14271621#comment-14271621
]
Ryan McGuinness commented on TOMEE-1492:
----------------------------------------
This was not apparent in the documentation. The RealmBase being inherited from
implements hasRole(Principal, String) and does not adequately delegate to the
underlying realms. The only overridden methods are for authenticate.
This appears to have been broken for a long time. Even worse, it is not an
interface but a concrete class. Should we open a ticket to the Tomcat community
then?
> LazyRealm not working well in CombinedRealm (LockOutRealm)
> ----------------------------------------------------------
>
> Key: TOMEE-1492
> URL: https://issues.apache.org/jira/browse/TOMEE-1492
> Project: TomEE
> Issue Type: Bug
> Affects Versions: 1.7.1
> Reporter: Ryan McGuinness
> Labels: Security
>
> The following LazyRealm definition works as expected in TomEE, delegating to
> the authenticate(String, String) and hasRole(Principal, String) of the
> realmClass.
> <Context>
>   <Realm
>     cdi="true"
>     className="org.apache.tomee.catalina.realm.LazyRealm"
>     realmClass="example.security.RecipeBookRealm" />
> </Context>
> When wrapped in a combined realm:
> <Context>
>   <Realm className="org.apache.catalina.realm.LockOutRealm">
>     <Realm
>       cdi="true"
>       className="org.apache.tomee.catalina.realm.LazyRealm"
>       realmClass="example.security.RecipeBookRealm" />
>   </Realm>
> </Context>
> The authenticate method is delegated to correctly, but the hasRole(Principal,
> String) method IS NOT.
> Thus, when wrapped, failures occur in the @RolesAllowed() annotations and in
> security assertions made in the web.xml.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
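The failure mode described in the issue, as an added stand-alone example (not TomEE or Tomcat code): the Realm, BaseRealm, AppRealm and the two combined-realm classes below are hypothetical minimal stand-ins for the Tomcat API, written only to show why a wrapper that overrides authenticate() but inherits hasRole() from a base class that recognises only its own Principal type answers every role check for a custom Principal with false, and how delegating hasRole() to the sub-realms restores the roles that @RolesAllowed and web.xml constraints depend on.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not TomEE/Tomcat code. All types here are hypothetical
// stand-ins for the Tomcat Realm API, reduced to the two methods at issue.
public class RealmDelegationDemo {

    interface Realm {
        Principal authenticate(String user, String credentials);
        boolean hasRole(Principal principal, String role);
    }

    // The base realm's own principal type, the only one its hasRole() understands.
    static final class BasePrincipal implements Principal {
        private final String name;
        private final Set<String> roles;
        BasePrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Stand-in for a base class whose hasRole() only knows BasePrincipal,
    // returning false for any other Principal implementation.
    static abstract class BaseRealm implements Realm {
        public boolean hasRole(Principal principal, String role) {
            return principal instanceof BasePrincipal && ((BasePrincipal) principal).hasRole(role);
        }
    }

    // Stand-in for an application realm (the role LazyRealm's delegate plays)
    // that issues its own Principal type and answers role checks itself.
    static final class AppRealm implements Realm {
        static final class AppPrincipal implements Principal {
            private final String name;
            AppPrincipal(String name) { this.name = name; }
            public String getName() { return name; }
        }
        private final Map<String, String> passwords;   // constructed demo store, plaintext for brevity
        private final Map<String, Set<String>> roles;
        AppRealm(Map<String, String> passwords, Map<String, Set<String>> roles) {
            this.passwords = passwords; this.roles = roles;
        }
        public Principal authenticate(String user, String credentials) {
            String expected = passwords.get(user);
            if (expected == null || credentials == null) return null;
            // constant-time comparison of the supplied and stored credential
            boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                               credentials.getBytes(StandardCharsets.UTF_8));
            return ok ? new AppPrincipal(user) : null;
        }
        public boolean hasRole(Principal principal, String role) {
            return principal instanceof AppPrincipal
                && roles.getOrDefault(principal.getName(), Set.of()).contains(role);
        }
    }

    // Wrapper that delegates authenticate() only; hasRole() is inherited from
    // BaseRealm, so an AppPrincipal never satisfies any role check.
    static class AuthOnlyCombinedRealm extends BaseRealm {
        final List<Realm> realms = new ArrayList<>();
        public Principal authenticate(String user, String credentials) {
            for (Realm r : realms) {
                Principal p = r.authenticate(user, credentials);
                if (p != null) return p;
            }
            return null;
        }
    }

    // Wrapper that also asks each sub-realm about roles before falling back
    // to the base implementation.
    static class FullyDelegatingCombinedRealm extends AuthOnlyCombinedRealm {
        @Override
        public boolean hasRole(Principal principal, String role) {
            for (Realm r : realms) {
                if (r.hasRole(principal, role)) return true;
            }
            return super.hasRole(principal, role);
        }
    }

    // Authenticates, then checks a role the way a container would for @RolesAllowed.
    static boolean roleHonoured(Realm wrapper, String user, String credentials, String role) {
        Principal p = wrapper.authenticate(user, credentials);
        return p != null && wrapper.hasRole(p, role);
    }

    public static void main(String[] args) {
        // constructed sample user and role assignment
        AppRealm app = new AppRealm(Map.of("alice", "s3cret"), Map.of("alice", Set.of("chef")));
        AuthOnlyCombinedRealm authOnly = new AuthOnlyCombinedRealm();
        authOnly.realms.add(app);
        FullyDelegatingCombinedRealm delegating = new FullyDelegatingCombinedRealm();
        delegating.realms.add(app);
        System.out.println("auth-only wrapper honours role:  " + roleHonoured(authOnly, "alice", "s3cret", "chef"));
        System.out.println("delegating wrapper honours role: " + roleHonoured(delegating, "alice", "s3cret", "chef"));
    }
}
```

Both wrappers authenticate alice successfully; only the delegating one lets her role check pass, because the auth-only wrapper answers hasRole() from a base implementation that does not recognise the sub-realm's Principal. The roleHonoured() check is the kind of assertion worth adding to a deployment test when a custom realm is nested inside a combined or lock-out wrapper, since a successful login alone does not prove that role-based constraints are still enforced.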