[Bug 63690] [HTTP/2] The socket [*] associated with this connection has been closed.

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63690

--- Comment #13 from Boris Petrov  ---
(In reply to Chen Levy from comment #11)
> I encountered a similar issue where multipart form submission resulted in
> none of the form parameters being visible from the servlet (no exception or
> error).
> I created a small test project containing a single HTML file with a
> multipart form, and a single servlet.
> No Java or JavaScript libraries are involved.
> 
> Using the latest Firefox and Chrome I encounter the issue when uploading a
> 3MB file. The overheadDataThreshold="0" setting seems to resolve it.
> 
> I'd expect the default Tomcat distribution to allow these kinds of activities
> without additional configuration.
> 
> I can supply/attach additional information if needed.
> Thanks

Chen Levy, if you could provide a simple sample project that, as you say, has
no external dependencies and breaks with the default Tomcat configuration on
the latest Chrome/Firefox, please do so that Tomcat's team could perhaps take a
look and reevaluate the default settings.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org




buildbot success in on tomcat-7-trunk

2019-08-28 Thread buildbot
The Buildbot has detected a restored build on builder tomcat-7-trunk while 
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1433

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf946_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-7-commit' 
triggered this build
Build Source Stamp: [branch 7.0.x] a486b9e02a0bee2b0c87ee2b5551a82f25cbcf29
Blamelist: Felix Schumacher ,Peter Uhnak 


Build succeeded!

Sincerely,
 -The Buildbot







[tomcat] 02/02: fix JSSE_OPTS quoting

2019-08-28 Thread fschumacher
This is an automated email from the ASF dual-hosted git repository.

fschumacher pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit a486b9e02a0bee2b0c87ee2b5551a82f25cbcf29
Author: Peter Uhnak 
AuthorDate: Mon Aug 26 11:31:43 2019 +0200

fix JSSE_OPTS quoting

Part of #196 on github
---
 bin/catalina.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/catalina.bat b/bin/catalina.bat
index cd08425..239e81c 100755
--- a/bin/catalina.bat
+++ b/bin/catalina.bat
@@ -206,7 +206,7 @@ set 
"CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar"
 :juliClasspathDone
 
 if not "%JSSE_OPTS%" == "" goto gotJsseOpts
-set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+set "JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048"
 :gotJsseOpts
 set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%"
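Review bot: The guard two lines above the changed line, `if not "%JSSE_OPTS%" == "" goto gotJsseOpts`, still expands a user-supplied JSSE_OPTS inside an outer pair of double quotes, so a value that itself carries double quotes (the form the old default used) ends up with part of its text outside any quoting in that comparison. Since the default is now stored without quotes, document beside this line that JSSE_OPTS is expected in the `set "JSSE_OPTS=..."` form, or switch the guard to `if defined JSSE_OPTS`, which does not expand the value at all.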
 





[tomcat] branch 7.0.x updated (6cb87c8 -> a486b9e)

2019-08-28 Thread fschumacher
This is an automated email from the ASF dual-hosted git repository.

fschumacher pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 6cb87c8  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints
 new 491d1c9  Fix JSSE_OPTS quoting in catalina.bat
 new a486b9e  fix JSSE_OPTS quoting

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 bin/catalina.bat   | 2 +-
 webapps/docs/changelog.xml | 4 
 2 files changed, 5 insertions(+), 1 deletion(-)





[tomcat] 01/02: Fix JSSE_OPTS quoting in catalina.bat

2019-08-28 Thread fschumacher
This is an automated email from the ASF dual-hosted git repository.

fschumacher pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 491d1c93d2f36808f6693dedbfa96b241af87b35
Author: Felix Schumacher 
AuthorDate: Tue Aug 27 11:55:14 2019 +0200

Fix JSSE_OPTS quoting in catalina.bat

Contributed by Peter Uhnak.
Part of #196 on github
---
 webapps/docs/changelog.xml | 4 
 1 file changed, 4 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1ff6a47..fae50c6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -205,6 +205,10 @@
 Add simplified Chinese translations to the standard Tomcat 
distribution.
 (markt)
   
+  
+Fix JSSE_OPTS quoting in catalina.bat.
+Contributed by Peter Uhnak. (fschumacher)
+  
 
   
 





[tomcat] 01/02: fix JSSE_OPTS quoting

2019-08-28 Thread fschumacher
This is an automated email from the ASF dual-hosted git repository.

fschumacher pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 2f33f550689ce17333a492477f7f35fb728258bf
Author: Peter Uhnak 
AuthorDate: Mon Aug 26 11:31:43 2019 +0200

fix JSSE_OPTS quoting

Part of #196 on github
---
 bin/catalina.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/catalina.bat b/bin/catalina.bat
index 982b23f..eaced8d 100755
--- a/bin/catalina.bat
+++ b/bin/catalina.bat
@@ -206,7 +206,7 @@ set 
"CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar"
 :juliClasspathDone
 
 if not "%JSSE_OPTS%" == "" goto gotJsseOpts
-set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+set "JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048"
 :gotJsseOpts
 set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%"
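Review bot: The commit message for this one-line change to the `set JSSE_OPTS` default says only "fix JSSE_OPTS quoting" and points at #196, without stating what the old form did wrong. Say in the message that `set JSSE_OPTS="..."` stored the double quotes as part of the value, which the `set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%"` line below then copied into JAVA_OPTS, so the backport can be understood without following the link.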
 





[tomcat] 02/02: Fix JSSE_OPTS quoting in catalina.bat

2019-08-28 Thread fschumacher
This is an automated email from the ASF dual-hosted git repository.

fschumacher pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 88ae81a72adcc106917b9a138aa7b3cbe7c569b7
Author: Felix Schumacher 
AuthorDate: Tue Aug 27 11:55:14 2019 +0200

Fix JSSE_OPTS quoting in catalina.bat

Contributed by Peter Uhnak.
Part of #196 on github
---
 webapps/docs/changelog.xml | 4 
 1 file changed, 4 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f7c25c0..13c63a6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -100,6 +100,10 @@
 62140: Additional usage documentation in comments for
 catalina.[bat|sh]. (markt)
   
+  
+Fix JSSE_OPTS quoting in catalina.bat.
+Contributed by Peter Uhnak. (fschumacher)
+  
 
   
 





[Bug 63690] [HTTP/2] The socket [*] associated with this connection has been closed.

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63690

--- Comment #12 from Christopher Schultz  ---
(In reply to Mark Thomas from comment #10)
> Which is why the threshold doesn't apply to DATA frames with the EOS (end of
> stream) flag set. Sending a small request body in a single DATA frame is
> fine even if the body is just a single byte. Sending lots of small (less
> than 1024 bytes by default) DATA frames when you could send one larger DATA
> frame is not.

Aha, thanks for pointing out the difference.

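
The rule quoted from comment #10 above (the threshold ignores DATA frames that carry the end-of-stream flag, and counts non-final DATA frames smaller than 1024 bytes by default), applied to a constructed HTTP/2 byte stream. This is an added example, not Tomcat code: the function names and the sample uploads are hypothetical, and it models only the classification stated in the comment, not how Tomcat tallies or reacts to the frames it flags.

```python
# Added example: classify HTTP/2 DATA frames against the rule quoted above.
# Frame layout per RFC 7540 section 4.1: 24-bit length, 8-bit type,
# 8-bit flags, 1 reserved bit + 31-bit stream identifier, then the payload.

FRAME_DATA = 0x0        # DATA frame type (RFC 7540 section 6.1)
FLAG_END_STREAM = 0x1   # END_STREAM ("EOS") flag on a DATA frame
HEADER_LEN = 9


def build_frame(frame_type, flags, stream_id, payload):
    """Serialize one frame (used only to construct the sample input)."""
    header = (
        len(payload).to_bytes(3, "big")
        + bytes([frame_type, flags])
        + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
    )
    return header + payload


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload_length) for each frame in buf."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[offset:offset + 3], "big")
        frame_type = buf[offset + 3]
        flags = buf[offset + 4]
        stream_id = int.from_bytes(buf[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        if len(buf) - offset - HEADER_LEN < length:
            raise ValueError("truncated frame payload")
        yield frame_type, flags, stream_id, length
        offset += HEADER_LEN + length


def small_data_frames(buf, threshold=1024):
    """Return the indexes of frames the quoted rule counts as overhead.

    A frame is flagged when it is a DATA frame, END_STREAM is not set, and
    its payload is shorter than `threshold`. With threshold 0 no payload
    can be shorter, so nothing is flagged.
    """
    flagged = []
    for index, (frame_type, flags, _stream, length) in enumerate(parse_frames(buf)):
        if frame_type != FRAME_DATA:
            continue                      # rule is about DATA frames only
        if flags & FLAG_END_STREAM:
            continue                      # final frame of a body is exempt
        if length < threshold:
            flagged.append(index)
    return flagged


def upload(body, chunk):
    """Constructed sample: a request body on stream 1 split into DATA frames
    of `chunk` bytes, with END_STREAM on the last frame."""
    chunks = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    frames = []
    for n, piece in enumerate(chunks):
        flags = FLAG_END_STREAM if n == len(chunks) - 1 else 0
        frames.append(build_frame(FRAME_DATA, flags, 1, piece))
    return b"".join(frames)


if __name__ == "__main__":
    body = b"x" * 4096                    # constructed stand-in for a form upload
    print("1-byte body, one frame:  ", small_data_frames(upload(b"x", 512)))
    print("4096 bytes in 512-byte frames:", small_data_frames(upload(body, 512)))
    print("4096 bytes in 2048-byte frames:", small_data_frames(upload(body, 2048)))
    print("512-byte frames, threshold 0:", small_data_frames(upload(body, 512), 0))
```
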



[Bug 56021] SSL connector using windows-my keystore

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

--- Comment #6 from Christopher Schultz  ---
(In reply to Martin Stenderup from comment #5)
> It seems to be called "keystorePass" in some versions of Tomcat 8.

Yes, it's "keystorePass" in all currently supported versions of Tomcat.
"keystorePassword" is not a valid configuration attribute for any version of
Tomcat.




[Bug 63690] [HTTP/2] The socket [*] associated with this connection has been closed.

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63690

--- Comment #11 from Chen Levy  ---
I encountered a similar issue where multipart form submission resulted in none
of the form parameters being visible from the servlet (no exception or error).
I created a small test project containing a single HTML file with a multipart
form, and a single servlet.
No Java or JavaScript libraries are involved.

Using the latest Firefox and Chrome I encounter the issue when uploading a 3MB
file. The overheadDataThreshold="0" setting seems to resolve it.

I'd expect the default Tomcat distribution to allow these kinds of activities
without additional configuration.

I can supply/attach additional information if needed.
Thanks




[Bug 63701] SSL initialize hangs with OpenSSL 1.1.1

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63701

Mladen Turk  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
             Status|NEW                         |NEEDINFO

--- Comment #1 from Mladen Turk  ---
Applied patch
https://github.com/apache/tomcat-native/commit/b8649e81458194d70667952d9e26df82a79c773f

Please test with various OpenSSL versions




[tomcat-native] branch master updated: Use new OpenSSL v1.1+ initialization API

2019-08-28 Thread mturk
This is an automated email from the ASF dual-hosted git repository.

mturk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/master by this push:
 new b8649e8  Use new OpenSSL v1.1+ initialization API
b8649e8 is described below

commit b8649e81458194d70667952d9e26df82a79c773f
Author: Mladen Turk 
AuthorDate: Wed Aug 28 18:38:58 2019 +0200

Use new OpenSSL v1.1+ initialization API
---
 native/src/ssl.c | 16 ++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/native/src/ssl.c b/native/src/ssl.c
index 9dbdcd4..473ca49 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -371,6 +371,11 @@ static apr_status_t ssl_init_cleanup(void *data)
 #endif
 free_dh_params();
 
+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)
+/* Openssl v1.1+ handles all termination automatically. Do
+ * nothing in this case.
+ */
+#else
 /*
  * Try to kill the internals of the SSL library.
  */
@@ -393,6 +398,7 @@ static apr_status_t ssl_init_cleanup(void *data)
 #if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)
 ERR_remove_thread_state(NULL);
 #endif
+#endif
 
 #ifdef HAVE_KEYLOG_CALLBACK
 if (key_log_file) {
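Review bot: The inner `#if OPENSSL_VERSION_NUMBER < 0x1010L || defined(LIBRESSL_VERSION_NUMBER)` around `ERR_remove_thread_state(NULL)` is now redundant, because the `#endif` added directly after it closes an `#else` branch that is compiled under exactly that condition. Drop the inner guard, and put a trailing comment on the new `#endif` naming the condition it closes, since its opening `#if` sits in the previous hunk.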
@@ -783,7 +789,14 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, 
jstring engine)
 TCN_FREE_CSTRING(engine);
 return (jint)APR_SUCCESS;
 }
-
+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)
+/* Openssl v1.1+ handles all initialisation automatically, apart
+ * from hints as to how we want to use the library.
+ *
+ * We tell openssl we want to include engine support.
+ */
+OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
+#else
 /* We must register the library in full, to ensure our configuration
  * code can successfully test the SSL environment.
  */
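Review bot: The return value of the added `OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);` is discarded, so a failed library initialisation goes unnoticed in a function that reports its status as a `jint`. Check the result and return an error to the caller when it is 0, releasing `engine` first the way the early-return path just above does with `TCN_FREE_CSTRING(engine)`.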
@@ -797,7 +810,6 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, 
jstring engine)
 #endif
 OPENSSL_load_builtin_modules();
 
-#if OPENSSL_VERSION_NUMBER < 0x1010L
 #if ! (defined(WIN32) || defined(WIN64))
 err = apr_threadkey_private_create(_exit_key, _ssl_thread_exit,
tcn_global_pool);
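Review bot: Removing `#if OPENSSL_VERSION_NUMBER < 0x1010L` here widens the condition under which the `apr_threadkey_private_create(...)` block is compiled: it now lives in the `#else` of the `#if ... >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)` added in the previous hunk, so it is also built for LibreSSL whatever version number it reports. If that is intended, say so in the commit message. The `#endif` that used to pair with the removed line is outside this hunk and now closes the new `#if`/`#else`; a trailing comment on it would make the pairing visible.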





buildbot success in on tomcat-trunk

2019-08-28 Thread buildbot
The Buildbot has detected a restored build on builder tomcat-trunk while 
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/4569

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf946_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' 
triggered this build
Build Source Stamp: [branch master] d5f3c97a05e050a1b38b801e9545b92d97c93407
Blamelist: Michael Osipov 

Build succeeded!

Sincerely,
 -The Buildbot







[Bug 63684] Wrapper never passed to RealmBase#hasRole() for given security constraints

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63684

Michael Osipov  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Michael Osipov  ---
Fixed in:
- master for 9.0.25 onwards
- 8.5.x for 8.5.46 onwards
- 7.0.x for 7.0.97 onwards




[tomcat] branch BZ-63684/8.5.x deleted (was 8b7e6f0)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


 was 8b7e6f0  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

The revisions that were on this branch are still contained in
other references; therefore, this change does not discard any commits
from the repository.





[tomcat] branch BZ-63684/9.0.x deleted (was d5f3c97)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


 was d5f3c97  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

The revisions that were on this branch are still contained in
other references; therefore, this change does not discard any commits
from the repository.





[tomcat] branch BZ-63684/7.0.x deleted (was 6cb87c8)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


 was 6cb87c8  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

The revisions that were on this branch are still contained in
other references; therefore, this change does not discard any commits
from the repository.





[tomcat] branch 7.0.x updated (29fd3a4 -> 6cb87c8)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 29fd3a4  Fix BZ 62140 Document catalina.[sh|bat] commands
 add 6cb87c8  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

No new revisions were added by this update.

Summary of changes:
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  4 ++-
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  5 
 4 files changed, 33 insertions(+), 9 deletions(-)





[tomcat] branch master updated (6b125eb -> d5f3c97)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 6b125eb  Fix typo (missing a on via)
 add d5f3c97  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

No new revisions were added by this update.

Summary of changes:
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  2 ++
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  5 
 4 files changed, 32 insertions(+), 8 deletions(-)





[tomcat] branch BZ-63684/9.0.x updated (18e0445 -> d5f3c97)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


 discard 18e0445  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints
 new d5f3c97  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (18e0445)
\
 N -- N -- N   refs/heads/BZ-63684/9.0.x (d5f3c97)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 test/org/apache/catalina/core/TestStandardWrapper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)





[tomcat] 01/01: BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security constraints

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63684/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit d5f3c97a05e050a1b38b801e9545b92d97c93407
Author: Michael Osipov 
AuthorDate: Thu Aug 22 14:34:31 2019 +0200

BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security 
constraints
---
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  2 ++
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  5 
 4 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index 833973a..aa542a7 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -856,7 +856,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
 log.debug("  No user authenticated, cannot grant access");
 } else {
 for (int j = 0; j < roles.length; j++) {
-if (hasRole(null, principal, roles[j])) {
+if (hasRole(request.getWrapper(), principal, roles[j])) {
 status = true;
 if( log.isDebugEnabled() )
 log.debug( "Role found:  " + roles[j]);
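Review bot: `request.getWrapper()` on the changed line is evaluated once per role inside the `for` loop and its result is passed on unchecked. Read it into a local before the loop, and add a short comment saying whether `hasRole()` is expected to cope with a null wrapper, since the line it replaces passed `null` explicitly.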
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java 
b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index a552fc4..64957a9 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -108,6 +108,8 @@ public class UserDatabaseRealm extends RealmBase {
 }
 if (!(principal instanceof User)) {
 // Play nice with SSO and mixed Realms
+// No need to pass the wrapper here because role mapping has been
+// performed already a few lines above
 return super.hasRole(null, principal, role);
 }
 if ("*".equals(role)) {
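Review bot: The added comment refers to role mapping done "a few lines above", which is outside the visible context and stops being accurate as soon as code is inserted between the two places. Name the statement or method that performs the mapping, and state that `null` is passed to `super.hasRole(...)` on purpose so the role is not mapped a second time.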
diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java 
b/test/org/apache/catalina/core/TestStandardWrapper.java
index 9358345..fbd0046 100644
--- a/test/org/apache/catalina/core/TestStandardWrapper.java
+++ b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -259,14 +259,14 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 // No file system docBase required
 Context ctx = tomcat.addContext("", null);
-ctx.addRoleMapping("testRole2", "very-complex-role-name");
-/* We won't map "testRole3" to "another-very-complex-role-name" to make
- * it fail intentionally.
- */
+ctx.addRoleMapping("testRole", "very-complex-role-name");
 
-Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
TestServlet.class.getName());
+Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
RoleAllowServlet.class.getName());
 ctx.addServletMappingDecoded("/", "servlet");
 
+ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
+ctx.getPipeline().addValve(new BasicAuthenticator());
+
 TesterMapRealm realm = new TesterMapRealm();
 MessageDigestCredentialHandler ch = new 
MessageDigestCredentialHandler();
 ch.setAlgorithm("SHA");
@@ -296,10 +296,27 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 Assert.assertNotNull(p);
 Assert.assertEquals("testUser", p.getName());
+// This one is mapped
+Assert.assertTrue(realm.hasRole(wrapper, p, "testRole"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "testRole1"));
-Assert.assertTrue(realm.hasRole(wrapper, p, "testRole2"));
+Assert.assertFalse(realm.hasRole(wrapper, p, "testRole2"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "very-complex-role-name"));
-Assert.assertFalse(realm.hasRole(wrapper, p, "testRole3"));
+Assert.assertTrue(realm.hasRole(wrapper, p, 
"another-very-complex-role-name"));
+
+// This now tests RealmBase#hasResourcePermission() because we need a 
wrapper
+// to be passed from an authenticator
+ByteChunk bc = new ByteChunk();
+Map> reqHeaders = new HashMap<>();
+List authHeaders = new ArrayList<>();
+// testUser, testPwd
+authHeaders.add("Basic dGVzdFVzZXI6dGVzdFB3ZA==");
+reqHeaders.put("Authorization", authHeaders);
+
+int rc = getUrl("http://localhost:; + getPort() + "/", bc, reqHeaders,
+null);
+
+Assert.assertEquals("OK", bc.toString());
+Assert.assertEquals(200, rc);
 }
 
 private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
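Review bot: The new `getUrl(...)` request covers only the allow path (`200` and `"OK"` for `testUser`), so this part of the test would still pass if `hasResourcePermission()` let every authenticated user through. Add a second request with credentials that lack the mapped role and assert that it is rejected, so the wrapper-based mapping is shown to affect the decision in both directions.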
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 64cf807..d2abd52 100644
--- 

[tomcat] branch BZ-63684/7.0.x updated (4a2b022 -> 6cb87c8)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


 discard 4a2b022  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints
 new 6cb87c8  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (4a2b022)
\
 N -- N -- N   refs/heads/BZ-63684/7.0.x (6cb87c8)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 test/org/apache/catalina/core/TestStandardWrapper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)





[tomcat] 01/01: BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security constraints

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63684/7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 6cb87c8da83627f645cc8eb878f1eeb87207c18a
Author: Michael Osipov 
AuthorDate: Thu Aug 22 14:34:31 2019 +0200

BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security 
constraints
---
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  4 ++-
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  5 
 4 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index 8796ed8..80027fd 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -993,7 +993,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
 log.debug("  No user authenticated, cannot grant access");
 } else {
 for (int j = 0; j < roles.length; j++) {
-if (hasRole(null, principal, roles[j])) {
+if (hasRole(request.getWrapper(), principal, roles[j])) {
 status = true;
 if( log.isDebugEnabled() )
 log.debug( "Role found:  " + roles[j]);
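Review bot: The commit message carries only the bug title, while the changed `hasRole(request.getWrapper(), principal, roles[j])` call alters an access decision: the roles of a security constraint are now checked with the target servlet's wrapper instead of `null`. Describe that behavioural change in the message body, including which deployments can see different authorization results after upgrading.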
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java 
b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index c13efaf..54e6864 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -147,7 +147,9 @@ public class UserDatabaseRealm
 }
 }
 if(! (principal instanceof User) ) {
-//Play nice with SSO and mixed Realms
+// Play nice with SSO and mixed Realms
+// No need to pass the wrapper here because role mapping has been
+// performed already a few lines above
 return super.hasRole(null, principal, role);
 }
 if("*".equals(role)) {
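Review bot: This hunk mixes a whitespace-only change (`//Play nice` to `// Play nice`) with the new explanatory comment, which is why the 7.0.x diffstat for this file differs from the 9.0.x one for the same fix. Keep the formatting clean-up in a separate commit so the functional backport stays line-for-line comparable across branches.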
diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java 
b/test/org/apache/catalina/core/TestStandardWrapper.java
index b719efe..3d35df0 100644
--- a/test/org/apache/catalina/core/TestStandardWrapper.java
+++ b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -213,14 +213,14 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 // No file system docBase required
 Context ctx = tomcat.addContext("", null);
-ctx.addRoleMapping("testRole2", "very-complex-role-name");
-/* We won't map "testRole3" to "another-very-complex-role-name" to make
- * it fail intentionally.
- */
+ctx.addRoleMapping("testRole", "very-complex-role-name");
 
-Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
TestServlet.class.getName());
+Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
RoleAllowServlet.class.getName());
 ctx.addServletMapping("/", "servlet");
 
+ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
+ctx.getPipeline().addValve(new BasicAuthenticator());
+
 MapRealm realm = new MapRealm();
 
 /* Attach the realm to the appropriate container, but role mapping must
@@ -247,10 +247,27 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 Assert.assertNotNull(p);
 Assert.assertEquals("testUser", p.getName());
+// This one is mapped
+Assert.assertTrue(realm.hasRole(wrapper, p, "testRole"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "testRole1"));
-Assert.assertTrue(realm.hasRole(wrapper, p, "testRole2"));
+Assert.assertFalse(realm.hasRole(wrapper, p, "testRole2"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "very-complex-role-name"));
-Assert.assertFalse(realm.hasRole(wrapper, p, "testRole3"));
+Assert.assertTrue(realm.hasRole(wrapper, p, 
"another-very-complex-role-name"));
+
+// This now tests RealmBase#hasResourcePermission() because we need a 
wrapper
+// to be passed from an authenticator
+ByteChunk bc = new ByteChunk();
+Map> reqHeaders = new HashMap>();
+List authHeaders = new ArrayList();
+// testUser, testPwd
+authHeaders.add("Basic dGVzdFVzZXI6dGVzdFB3ZA==");
+reqHeaders.put("Authorization", authHeaders);
+
+int rc = getUrl("http://localhost:; + getPort() + "/", bc, reqHeaders,
+null);
+
+Assert.assertEquals("OK", bc.toString());
+Assert.assertEquals(200, rc);
 }
 
 private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
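Review bot: `Assert.assertEquals("OK", bc.toString())` runs before `Assert.assertEquals(200, rc)`, so when authentication or authorization fails the test reports a body mismatch and hides the status code that explains it. Assert on `rc` first, then on the body.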
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b698428..1ff6a47 100644
--- 

[tomcat] branch BZ-63684/7.0.x created (now 4a2b022)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 4a2b022  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

This branch includes the following new commits:

 new 4a2b022  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.






[tomcat] 01/01: BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security constraints

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63684/7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4a2b022fe4d8c7470f25f4abc5c4b7ab218ff098
Author: Michael Osipov 
AuthorDate: Thu Aug 22 14:34:31 2019 +0200

BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security 
constraints
---
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  4 ++-
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  5 
 4 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index 8796ed8..80027fd 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -993,7 +993,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
 log.debug("  No user authenticated, cannot grant access");
 } else {
 for (int j = 0; j < roles.length; j++) {
-if (hasRole(null, principal, roles[j])) {
+if (hasRole(request.getWrapper(), principal, roles[j])) {
 status = true;
 if( log.isDebugEnabled() )
 log.debug( "Role found:  " + roles[j]);
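Review bot: inside the `for` loop over `roles`, `request.getWrapper()` is now evaluated on every iteration although the request does not change between iterations. Read it once into a local before the loop and pass that local to `hasRole(...)`; it also gives the value a name that can be referenced in the debug output.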
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java 
b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index c13efaf..54e6864 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -147,7 +147,9 @@ public class UserDatabaseRealm
 }
 }
 if(! (principal instanceof User) ) {
-//Play nice with SSO and mixed Realms
+// Play nice with SSO and mixed Realms
+// No need to pass the wrapper here because role mapping has been
+// performed already a few lines above
 return super.hasRole(null, principal, role);
 }
 if("*".equals(role)) {
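Review bot: the added comment justifies `super.hasRole(null, principal, role)` by pointing at code "a few lines above", which lies outside this hunk and stops being accurate as soon as the method is rearranged; name the call that performs the mapping instead. The `//Play nice` to `// Play nice` whitespace change is unrelated to the fix and would be cleaner in its own commit.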
diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java 
b/test/org/apache/catalina/core/TestStandardWrapper.java
index b719efe..b6c02bb 100644
--- a/test/org/apache/catalina/core/TestStandardWrapper.java
+++ b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -213,14 +213,14 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 // No file system docBase required
 Context ctx = tomcat.addContext("", null);
-ctx.addRoleMapping("testRole2", "very-complex-role-name");
-/* We won't map "testRole3" to "another-very-complex-role-name" to make
- * it fail intentionally.
- */
+ctx.addRoleMapping("testRole", "very-complex-role-name");
 
-Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
TestServlet.class.getName());
+Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
RoleAllowServlet.class.getName());
 ctx.addServletMapping("/", "servlet");
 
+ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
+ctx.getPipeline().addValve(new BasicAuthenticator());
+
 MapRealm realm = new MapRealm();
 
 /* Attach the realm to the appropriate container, but role mapping must
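Review bot: the new mapping `ctx.addRoleMapping("testRole", "very-complex-role-name")` replaces a mapping that carried an explanatory comment, and nothing now says why `testRole` is the name being mapped or how it relates to `RoleAllowServlet`. A one-line comment tying the mapping to whatever role `RoleAllowServlet` requires would let a reader follow the assertions in the next hunk without opening the servlet class.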
@@ -247,10 +247,27 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 Assert.assertNotNull(p);
 Assert.assertEquals("testUser", p.getName());
+// This one is mapped
+Assert.assertTrue(realm.hasRole(wrapper, p, "testRole"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "testRole1"));
-Assert.assertTrue(realm.hasRole(wrapper, p, "testRole2"));
+Assert.assertFalse(realm.hasRole(wrapper, p, "testRole2"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "very-complex-role-name"));
-Assert.assertFalse(realm.hasRole(wrapper, p, "testRole3"));
+Assert.assertTrue(realm.hasRole(wrapper, p, 
"another-very-complex-role-name"));
+
+// This now tests RealmBase#hasResourcePermission() because we need a 
wrapper
+// to be passed from an authenticator
+ByteChunk bc = new ByteChunk();
+Map> reqHeaders = new 
HashMap>();
+List authHeaders = new ArrayList();
+// testUser, testPwd
+authHeaders.add("Basic dGVzdFVzZXI6dGVzdFB3ZA==");
+reqHeaders.put("Authorization", authHeaders);
+
+int rc = getUrl("http://localhost:; + getPort() + "/", bc, reqHeaders,
+null);
+
+Assert.assertEquals("OK", bc.toString());
+Assert.assertEquals(200, rc);
 }
 
 private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
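Review bot: the HTTP check added at the end of this hunk only exercises the allowed path (`"OK"` and `200`), so it shows that a mapped role is accepted but not that an unmapped one is rejected through `RealmBase#hasResourcePermission()`. Add a second request for which no role mapping applies and assert the denied status, so that both outcomes of the wrapper lookup are pinned down.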
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b698428..1ff6a47 100644
--- 

[tomcat] 01/01: BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security constraints

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63684/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 18e0445d033a6f36011df2ff8baf830b59708b2d
Author: Michael Osipov 
AuthorDate: Thu Aug 22 14:34:31 2019 +0200

BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security 
constraints
---
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  2 ++
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  5 
 4 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index 833973a..aa542a7 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -856,7 +856,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
 log.debug("  No user authenticated, cannot grant access");
 } else {
 for (int j = 0; j < roles.length; j++) {
-if (hasRole(null, principal, roles[j])) {
+if (hasRole(request.getWrapper(), principal, roles[j])) {
 status = true;
 if( log.isDebugEnabled() )
 log.debug( "Role found:  " + roles[j]);
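Review bot: with the wrapper now passed to `hasRole(...)`, the unchanged debug line `log.debug( "Role found:  " + roles[j]);` two lines below the change still prints the role name taken from the constraint, which may no longer be the name that actually matched. Consider extending the message to say that the check went through the wrapper, so debug output stays usable when diagnosing authorization decisions.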
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java 
b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index a552fc4..64957a9 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -108,6 +108,8 @@ public class UserDatabaseRealm extends RealmBase {
 }
 if (!(principal instanceof User)) {
 // Play nice with SSO and mixed Realms
+// No need to pass the wrapper here because role mapping has been
+// performed already a few lines above
 return super.hasRole(null, principal, role);
 }
 if ("*".equals(role)) {
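Review bot: the new comment says there is "no need" to pass the wrapper in the `!(principal instanceof User)` branch, which leaves open whether passing it would merely be redundant or would apply the role mapping a second time. Since the RealmBase change in this commit stops passing `null`, this call will read as an oversight to the next reader unless the comment states which of the two it is.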
diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java 
b/test/org/apache/catalina/core/TestStandardWrapper.java
index 9358345..a169b77 100644
--- a/test/org/apache/catalina/core/TestStandardWrapper.java
+++ b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -259,14 +259,14 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 // No file system docBase required
 Context ctx = tomcat.addContext("", null);
-ctx.addRoleMapping("testRole2", "very-complex-role-name");
-/* We won't map "testRole3" to "another-very-complex-role-name" to make
- * it fail intentionally.
- */
+ctx.addRoleMapping("testRole", "very-complex-role-name");
 
-Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
TestServlet.class.getName());
+Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
RoleAllowServlet.class.getName());
 ctx.addServletMappingDecoded("/", "servlet");
 
+ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
+ctx.getPipeline().addValve(new BasicAuthenticator());
+
 TesterMapRealm realm = new TesterMapRealm();
 MessageDigestCredentialHandler ch = new 
MessageDigestCredentialHandler();
 ch.setAlgorithm("SHA");
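Review bot: `new LoginConfig("BASIC", null, null, null)` and `ctx.getPipeline().addValve(new BasicAuthenticator())` are added without any hint of why a test in `TestStandardWrapper` needs an authenticator; the reason only appears in a comment in the next hunk. Move that explanation up to these lines, and consider whether the request-based check belongs in its own test method rather than being folded into the existing one.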
@@ -296,10 +296,27 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 Assert.assertNotNull(p);
 Assert.assertEquals("testUser", p.getName());
+// This one is mapped
+Assert.assertTrue(realm.hasRole(wrapper, p, "testRole"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "testRole1"));
-Assert.assertTrue(realm.hasRole(wrapper, p, "testRole2"));
+Assert.assertFalse(realm.hasRole(wrapper, p, "testRole2"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "very-complex-role-name"));
-Assert.assertFalse(realm.hasRole(wrapper, p, "testRole3"));
+Assert.assertTrue(realm.hasRole(wrapper, p, 
"another-very-complex-role-name"));
+
+// This now tests RealmBase#hasResourcePermission() because we need a 
wrapper
+// to be passed from an authenticator
+ByteChunk bc = new ByteChunk();
+Map> reqHeaders = new HashMap<>();
+List authHeaders = new ArrayList<>();
+// testUser, testPwd
+authHeaders.add("Basic dGVzdFVzZXI6dGVzdFB3ZA==");
+reqHeaders.put("Authorization", authHeaders);
+
+int rc = getUrl("http://localhost:; + getPort() + "/", bc, reqHeaders,
+null);
+
+Assert.assertEquals("OK", bc.toString());
+Assert.assertEquals(200, rc);
 }
 
 private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
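Review bot: the credential is hard-coded as `"Basic dGVzdFVzZXI6dGVzdFB3ZA=="`, with only the comment `// testUser, testPwd` linking it to the user the test authenticates, so a change to the user name or password elsewhere in the test breaks the request with no visible connection between the two. Build the header value from the same user and password values the realm is populated with.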
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 64cf807..d2abd52 100644
--- 

[tomcat] branch BZ-63684/9.0.x created (now 18e0445)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 18e0445  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

This branch includes the following new commits:

 new 18e0445  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.






[GitHub] [tomcat] asfgit merged pull request #195: BZ 63684: Wrapper never passed to RealmBase#hasRole() for given secur…

2019-08-28 Thread GitBox
asfgit merged pull request #195: BZ 63684: Wrapper never passed to 
RealmBase#hasRole() for given secur…
URL: https://github.com/apache/tomcat/pull/195
 
 
   


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services




[tomcat] branch 8.5.x updated (4fc4825 -> 8b7e6f0)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 4fc4825  Fix trivial typo in changelog.
 add 8b7e6f0  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

No new revisions were added by this update.

Summary of changes:
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  2 ++
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  9 +++
 4 files changed, 36 insertions(+), 8 deletions(-)





[tomcat] 01/01: BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security constraints

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63684/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 8b7e6f087d511c9da2a0d664b9c77ee6676a1eaf
Author: Michael Osipov 
AuthorDate: Thu Aug 22 14:34:31 2019 +0200

BZ 63684: Wrapper never passed to RealmBase#hasRole() for given security 
constraints
---
 java/org/apache/catalina/realm/RealmBase.java  |  2 +-
 .../apache/catalina/realm/UserDatabaseRealm.java   |  2 ++
 .../apache/catalina/core/TestStandardWrapper.java  | 31 +-
 webapps/docs/changelog.xml |  9 +++
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index dd1761c..d321c56 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -858,7 +858,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
 log.debug("  No user authenticated, cannot grant access");
 } else {
 for (int j = 0; j < roles.length; j++) {
-if (hasRole(null, principal, roles[j])) {
+if (hasRole(request.getWrapper(), principal, roles[j])) {
 status = true;
 if( log.isDebugEnabled() )
 log.debug( "Role found:  " + roles[j]);
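Review bot: the replaced argument was a literal `null`, so `hasRole(...)` is evidently expected to cope with a missing wrapper, but nothing at the changed line says whether `request.getWrapper()` can still return `null` at this point. A short comment stating the expectation, and what the check falls back to in that case, would document the contract this fix relies on.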
diff --git a/java/org/apache/catalina/realm/UserDatabaseRealm.java 
b/java/org/apache/catalina/realm/UserDatabaseRealm.java
index 38f8822..bd2a7aa 100644
--- a/java/org/apache/catalina/realm/UserDatabaseRealm.java
+++ b/java/org/apache/catalina/realm/UserDatabaseRealm.java
@@ -117,6 +117,8 @@ public class UserDatabaseRealm extends RealmBase {
 }
 if (!(principal instanceof User)) {
 // Play nice with SSO and mixed Realms
+// No need to pass the wrapper here because role mapping has been
+// performed already a few lines above
 return super.hasRole(null, principal, role);
 }
 if ("*".equals(role)) {
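Review bot: the `!(principal instanceof User)` branch commented here is not covered by the test changes in this commit, which build a `TesterMapRealm` rather than a `UserDatabaseRealm`. If the comment's claim that role mapping has already been performed matters for correctness, a test with a non-`User` principal against `UserDatabaseRealm` would back it up.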
diff --git a/test/org/apache/catalina/core/TestStandardWrapper.java 
b/test/org/apache/catalina/core/TestStandardWrapper.java
index 9358345..a169b77 100644
--- a/test/org/apache/catalina/core/TestStandardWrapper.java
+++ b/test/org/apache/catalina/core/TestStandardWrapper.java
@@ -259,14 +259,14 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 // No file system docBase required
 Context ctx = tomcat.addContext("", null);
-ctx.addRoleMapping("testRole2", "very-complex-role-name");
-/* We won't map "testRole3" to "another-very-complex-role-name" to make
- * it fail intentionally.
- */
+ctx.addRoleMapping("testRole", "very-complex-role-name");
 
-Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
TestServlet.class.getName());
+Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", 
RoleAllowServlet.class.getName());
 ctx.addServletMappingDecoded("/", "servlet");
 
+ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
+ctx.getPipeline().addValve(new BasicAuthenticator());
+
 TesterMapRealm realm = new TesterMapRealm();
 MessageDigestCredentialHandler ch = new 
MessageDigestCredentialHandler();
 ch.setAlgorithm("SHA");
@@ -296,10 +296,27 @@ public class TestStandardWrapper extends TomcatBaseTest {
 
 Assert.assertNotNull(p);
 Assert.assertEquals("testUser", p.getName());
+// This one is mapped
+Assert.assertTrue(realm.hasRole(wrapper, p, "testRole"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "testRole1"));
-Assert.assertTrue(realm.hasRole(wrapper, p, "testRole2"));
+Assert.assertFalse(realm.hasRole(wrapper, p, "testRole2"));
 Assert.assertTrue(realm.hasRole(wrapper, p, "very-complex-role-name"));
-Assert.assertFalse(realm.hasRole(wrapper, p, "testRole3"));
+Assert.assertTrue(realm.hasRole(wrapper, p, 
"another-very-complex-role-name"));
+
+// This now tests RealmBase#hasResourcePermission() because we need a 
wrapper
+// to be passed from an authenticator
+ByteChunk bc = new ByteChunk();
+Map> reqHeaders = new HashMap<>();
+List authHeaders = new ArrayList<>();
+// testUser, testPwd
+authHeaders.add("Basic dGVzdFVzZXI6dGVzdFB3ZA==");
+reqHeaders.put("Authorization", authHeaders);
+
+int rc = getUrl("http://localhost:; + getPort() + "/", bc, reqHeaders,
+null);
+
+Assert.assertEquals("OK", bc.toString());
+Assert.assertEquals(200, rc);
 }
 
 private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
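Review bot: the flipped expectations `Assert.assertFalse(realm.hasRole(wrapper, p, "testRole2"))` and `Assert.assertTrue(realm.hasRole(wrapper, p, "another-very-complex-role-name"))` carry no explanation, whereas `// This one is mapped` is given for `testRole`. Add a matching comment to each saying why that result is expected, so the intent behind every assertion is readable from the test itself.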
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1b66477..f7c25c0 100644
--- 

[tomcat] branch BZ-63684/8.5.x updated (8a54c7f -> 8b7e6f0)

2019-08-28 Thread michaelo
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63684/8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


omit 8a54c7f  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints
 add 4fc4825  Fix trivial typo in changelog.
 new 8b7e6f0  BZ 63684: Wrapper never passed to RealmBase#hasRole() for 
given security constraints

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (8a54c7f)
\
 N -- N -- N   refs/heads/BZ-63684/8.5.x (8b7e6f0)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 webapps/docs/changelog.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)





[Bug 56148] support (multiple) ocsp stapling

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #10 from Azat  ---
(In reply to Mark Thomas from comment #9)
> The current status is what you see here. It will be implemented when someone
> provides a suitable patch.

Ok. Thanks, Mark. I understand that patches from the Tomcat community are
welcome, but is this item on your TODO list as well?




[Bug 63690] [HTTP/2] The socket [*] associated with this connection has been closed.

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63690

--- Comment #10 from Mark Thomas  ---
(In reply to Boris Petrov from comment #8)
> Hi, thanks for the detailed answer.
> 
> There is no intermediate HTTP/2 proxy.
> 
> Before I open an issue somewhere, could you please explain me something. I'm
> not sure I fully understand what's going on but how can a JavaScript library
> manage the HTTP/2 frames at all?

It will depend on the API it uses to pass data to the browser. For example, if
the API offers the capability to a) control the write buffer size and b) flush
writes then the client can - broadly - control the size of the DATA frames
written. I'm not at all familiar with the API in use. What I would suggest is
to test a simple POST with the same file and no JavaScript library and see how
that behaves.


(In reply to Christopher Schultz from comment #9)
> 1024 might be too high for a default, but the good news is that the
> "abusive" threshold can be changed (right?).

Right.



> That's a scant 44 bytes.
> 
> Not every application will be sending large documents around.

Which is why the threshold doesn't apply to DATA frames with the EOS (end of
stream) flag set. Sending a small request body in a single DATA frame is fine
even if the body is just a single byte. Sending lots of small (less than 1024
bytes by default) DATA frames when you could send one larger DATA frame is not.




[Bug 63625] Unable to start Tomcat 7.0.96 (stop by 0xc0000005)

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63625

--- Comment #17 from Mark Thomas  ---
Note that Tomcat is not officially supported on Windows XP now that Microsoft
have ended support for XP. That said, you should be able to use Tomcat9.exe
from 9.0.22 as a workaround.
