[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

bugzilla Tue, 23 Jan 2018 09:52:01 -0800

https://bz.apache.org/bugzilla/show_bug.cgi?id=62036


--- Comment #5 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Konstantin Kolinko from comment #3)
> 2). It is also odd that RealmBase.hasRole() check for a MemoryUser fails.

Debugging Tomcat 9:

The following methods in RealmBase are called:
(the actual object is LockOutRealm)

1. hasResourcePermission(request, response, SecurityConstraint []constraints,
context)
2. hasRole((Wrapper) null, principal, (String) "testrole")
3. hasRoleInternal(principal, (String) "testrole")

On successful call the 'principal' is GenericPrincipal.

On unsuccessful call the 'principal' is MemoryUser and
RealmBase.hasRoleInternal() fails because of the following lines:

[[[
 // Should be overridden in JAASRealm - to avoid pretty inefficient conversions
 if (!(principal instanceof GenericPrincipal)) {
        return false;
 }
]]]

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

Reply via email to