[
https://issues.apache.org/jira/browse/GERONIMO-6057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shenghao Fang updated GERONIMO-6057:
------------------------------------
Attachment: GERONIMO-6057.patch
> HttpServletRequest.isUserInRole() returns wrong value
> -----------------------------------------------------
>
> Key: GERONIMO-6057
> URL: https://issues.apache.org/jira/browse/GERONIMO-6057
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: console, security
> Affects Versions: 3.0
> Environment: Tomcat
> Reporter: Shenghao Fang
> Assignee: Shenghao Fang
> Attachments: GERONIMO-6057.patch
>
>
> HttpServletRequest.isUserInRole("admin") always returns false in Admin
> Console although loginned by 'system'. (eg. welcomeNormal.jsp:59)
> I did some investigation and found that current implementation in
> JACCRealm.hasRole uses wrapper.getName() to get the servlet name.
> {code:title=JACCRealm.java|borderStyle=solid}
> public boolean hasRole(Wrapper wrapper, Principal principal, String role)
> {
> AccessControlContext acc = ContextManager.getCurrentContext();
> String name = wrapper.getName();
> /**
> * JACC v1.0 secion B.19
> */
> if (name == null || name.equals("jsp")) {
> name = "";
> }
> try {
> acc.checkPermission(new WebRoleRefPermission(name, role));
> return true;
> } catch (AccessControlException e) {
> return false;
> }
> }
> {code}
> But implementation in previous version uses currentRequestWrapperName.get()
> to get the servlet name.
> {code:title=JACCRealm.java|borderStyle=solid}
> public boolean hasRole(Principal principal, String role) {
> AccessControlContext acc = ContextManager.getCurrentContext();
> String name = currentRequestWrapperName.get();
> /**
> * JACC v1.0 secion B.19
> */
> if (name == null || name.equals("jsp")) {
> name = "";
> }
> try {
> acc.checkPermission(new WebRoleRefPermission(name, role));
> return true;
> } catch (AccessControlException e) {
> return false;
> }
> }
> {code}
> currentRequestWrapperName is a ThreadLocal variable and is set by
> DispatchListener.beforeDispatch()
> {code:title=DispatchListener|borderStyle=solid}
> private void beforeDispatch(GeronimoStandardContext webContext,
> ServletRequest request, ServletResponse response) {
> BeforeAfter beforeAfter = webContext.getBeforeAfter();
> if (beforeAfter != null) {
> Stack<BeforeAfterContext> stack = currentContext.get();
> BeforeAfterContext beforeAfterContext = new
> BeforeAfterContext(webContext.getContextCount() + 2);
> String wrapperName = getWrapperName(request, webContext);
> beforeAfterContext.contexts[webContext.getContextCount()] =
> JACCRealm.setRequestWrapperName(wrapperName);
> beforeAfterContext.contexts[webContext.getContextCount() + 1] =
> PolicyContext.getContextID();
> PolicyContext.setContextID(webContext.getPolicyContextId());
> beforeAfter.before(beforeAfterContext, request, response,
> BeforeAfter.DISPATCHED);
> stack.push(beforeAfterContext);
> }
> }
> private String getWrapperName(ServletRequest request,
> GeronimoStandardContext webContext) {
> MappingData mappingData = new MappingData();
> Mapper mapper = webContext.getMapper();
> MessageBytes mb = MessageBytes.newInstance();
> String dispatchPath = (String)
> request.getAttribute(Globals.DISPATCHER_REQUEST_PATH_ATTR);
> mb.setString(webContext.getName() + dispatchPath);
> try {
> mapper.map(mb, mappingData);
> StandardWrapper wrapper = (StandardWrapper) mappingData.wrapper;
> return wrapper.getName();
> } catch (Exception e) {
> log.error(e.getMessage(), e);
> }
> return null;
> }
> }
> {code}
> It looks to me that wrapper.getName() returns the name of the initial servlet
> instead of the current servlet.
> I thought using currentRequestWrapperName.get() leads to the right behavior.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
