Author: markt Date: Wed Oct 5 13:52:58 2016 New Revision: 1763450 URL: http://svn.apache.org/viewvc?rev=1763450&view=rev Log: Ensure that the isMandatory flag is correctly set when using JASPIC authentication.
Modified:
    tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1763450&r1=1763449&r2=1763450&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Wed Oct 5 13:52:58 2016
@@ -506,23 +506,26 @@ public abstract class AuthenticatorBase
         // Since authenticate modifies the response on failure,
         // we have to check for allow-from-all first.
-        if (!authRequired && constraints != null) {
-            authRequired = true;
-            for (int i = 0; i < constraints.length && authRequired; i++) {
+        boolean hasAuthConstraint = false;
+        if (constraints != null) {
+            hasAuthConstraint = true;
+            for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
                 if (!constraints[i].getAuthConstraint()) {
-                    authRequired = false;
-                    break;
+                    hasAuthConstraint = false;
                 } else if (!constraints[i].getAllRoles() && !constraints[i].getAuthenticatedUsers()) {
                     String[] roles = constraints[i].findAuthRoles();
                     if (roles == null || roles.length == 0) {
-                        authRequired = false;
-                        break;
+                        hasAuthConstraint = false;
                     }
                 }
             }
         }

+        if (!authRequired && hasAuthConstraint) {
+            authRequired = true;
+        }
+
         if (!authRequired && context.getPreemptiveAuthentication()) {
             authRequired = request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;
@@ -542,7 +545,7 @@ public abstract class AuthenticatorBase
         }
         if (jaspicProvider != null) {
-            jaspicState = getJaspicState(jaspicProvider, request, response);
+            jaspicState = getJaspicState(jaspicProvider, request, response, hasAuthConstraint);
             if (jaspicState == null) {
                 return;
             }
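Review bot: `hasAuthConstraint` is initialised to true and only ever lowered inside the loop, so it actually means "every constraint matched for this request demands an authenticated caller", which the name does not convey, and it also stays true when `constraints` is non-null but zero-length (whether that case can reach this point is not visible here). Because the second hunk hands this value to getJaspicState() as the JASPIC mandatory flag, the semantics deserve a comment above the declaration, e.g. `// true only if every constraint matched for this request requires an authenticated caller; an empty <auth-constraint/> (deny-all) leaves it false`. If an empty array is reachable, `if (constraints != null && constraints.length > 0) {` would keep such a request from being reported to the module as mandatory. The enclosing method starts and ends outside this hunk.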
@@ -601,7 +604,7 @@ public abstract class AuthenticatorBase
             return doAuthenticate(request, httpResponse);
         } else {
             Response response = request.getResponse();
-            JaspicState jaspicState = getJaspicState(jaspicProvider, request, response);
+            JaspicState jaspicState = getJaspicState(jaspicProvider, request, response, true);
             if (jaspicState == null) {
                 return false;
             }
@@ -627,11 +630,11 @@ public abstract class AuthenticatorBase
     private JaspicState getJaspicState(AuthConfigProvider jaspicProvider, Request request,
-            Response response) throws IOException {
+            Response response, boolean authMandatory) throws IOException {
         JaspicState jaspicState = new JaspicState();
         jaspicState.messageInfo =
-                new MessageInfoImpl(request.getRequest(), response.getResponse(), true);
+                new MessageInfoImpl(request.getRequest(), response.getResponse(), authMandatory);
         try {
             ServerAuthConfig serverAuthConfig = jaspicProvider.getServerAuthConfig(

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1763450&r1=1763449&r2=1763450&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Oct 5 13:52:58 2016
@@ -117,6 +117,10 @@
         where the current class loader is a child of the web application class loader. (markt)
       </fix>
+      <fix>
+        <bug>60196</bug>: Ensure that the <code>isMandatory</code> flag is
+        correctly set when using JASPIC authentication. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
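Review bot: The new `authMandatory` parameter on getJaspicState() is undocumented, yet it is the value a JASPIC module consults to decide whether it may succeed without establishing a caller principal (the commit message identifies it as the isMandatory flag), so the contract belongs on the method. Suggest Javadoc: `@param authMandatory {@code true} if the target resource is protected by an auth-constraint or authentication was requested programmatically, so the JASPIC module must establish a caller principal; surfaced to the module as the isMandatory message policy`. The same wording explains the hard-coded `true` in the authenticate() hunk above, presumably the programmatic HttpServletRequest.authenticate() path, which deserves a one-line comment such as `// programmatic authenticate() always demands a principal, so the JASPIC module must treat auth as mandatory`. getJaspicState() continues past the end of its hunk.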