tomee-commits mailing list archives

From "Ryan McGuinness (JIRA)" <>
Subject [jira] [Commented] (TOMEE-1492) LazyRealm not working well in CombinedRealm (LockOutRealm)
Date Fri, 09 Jan 2015 18:05:34 GMT


Ryan McGuinness commented on TOMEE-1492:

This was not apparent in the documentation. The RealmBase being inherited from implements
hasRole(Principal, String) and does not adequately delegate to the underlying realms. The
only overridden methods are for authenticate.
This appears to have been broken for a long time. Even worse, it is not an interface but a
concrete class. Should we open a ticket to the Tomcat community then?

> LazyRealm not working well in CombinedRealm (LockOutRealm)
> ----------------------------------------------------------
>                 Key: TOMEE-1492
>                 URL:
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 1.7.1
>            Reporter: Ryan McGuinness
>              Labels: Security
> The following LazyRealm definition works as expected in TomEE, delegating to the
> authenticate(String, String) and hasRole(Principal, String) of the realmClass.
> <Context>
>     <Realm
>             cdi="true"
>             className="org.apache.tomee.catalina.realm.LazyRealm"
>             realmClass="" />
> </Context>
> When wrapped in a combined realm:
> <Context>
>     <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm
>                 cdi="true"
>                 className="org.apache.tomee.catalina.realm.LazyRealm"
>                 realmClass=""/>
>     </Realm>
> </Context>
> The authenticate method is delegated to correctly, but the hasRole(Principal, String)
> method IS NOT.
> Thus, when wrapped, failures occur in the annotations for @RolesAllowed() and in the security
> constraints declared in the web.xml.

This message was sent by Atlassian JIRA
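The failure mode discussed in this thread (a wrapping realm that overrides authenticate but inherits a hasRole that never consults the inner realms) is easy to reproduce outside the container. The following is an added, self-contained Java example written for this archive page; it is not TomEE or Tomcat code. The Realm interface, the BaseRealm/AppRealm/wrapper classes and the "alice"/"s3cret" credentials are all constructed stand-ins for the real Tomcat types, chosen only to show why authorization checks fail once authentication is wrapped.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Constructed minimal realm contract. It stands in for Tomcat's Realm and is not the real API.
interface Realm {
    Principal authenticate(String username, String credentials);
    boolean hasRole(Principal principal, String role);
}

// Constructed base class. Its hasRole only understands its own principal type, which mirrors
// the ticket's complaint: an inherited hasRole that never asks the wrapped realms.
abstract class BaseRealm implements Realm {
    static final class BasePrincipal implements Principal {
        final String name;
        final Set<String> roles;
        BasePrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        @Override public String getName() { return name; }
    }

    @Override
    public boolean hasRole(Principal principal, String role) {
        // Any principal issued by another realm is silently denied here.
        if (!(principal instanceof BasePrincipal)) return false;
        return ((BasePrincipal) principal).roles.contains(role);
    }
}

// Stand-in for the application realm configured as realmClass: it issues its own principal type.
final class AppRealm implements Realm {
    private static final class AppPrincipal implements Principal {
        final String name;
        final Set<String> roles;
        AppPrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        @Override public String getName() { return name; }
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        // Constructed credential check; a real realm would verify against its user store.
        if ("alice".equals(username) && "s3cret".equals(credentials)) {
            return new AppPrincipal("alice", new HashSet<>(Arrays.asList("manager")));
        }
        return null;
    }

    @Override
    public boolean hasRole(Principal principal, String role) {
        return principal instanceof AppPrincipal && ((AppPrincipal) principal).roles.contains(role);
    }
}

// Wrapper that overrides only authenticate, as the comment describes; hasRole is inherited unchanged.
class AuthOnlyWrapperRealm extends BaseRealm {
    protected final List<Realm> realms;

    AuthOnlyWrapperRealm(Realm... realms) { this.realms = Arrays.asList(realms); }

    @Override
    public Principal authenticate(String username, String credentials) {
        for (Realm r : realms) {
            Principal p = r.authenticate(username, credentials);
            if (p != null) return p;
        }
        return null;
    }
}

// Wrapper that also delegates hasRole, so the realm that authenticated the principal decides its roles.
final class DelegatingWrapperRealm extends AuthOnlyWrapperRealm {
    DelegatingWrapperRealm(Realm... realms) { super(realms); }

    @Override
    public boolean hasRole(Principal principal, String role) {
        for (Realm r : realms) {
            if (r.hasRole(principal, role)) return true;
        }
        return false;
    }
}

public class RealmDelegationDemo {
    // Authenticate and then authorize through the same realm, as a container would for @RolesAllowed.
    static boolean authorize(Realm realm, String user, String password, String role) {
        Principal p = realm.authenticate(user, password);
        return p != null && realm.hasRole(p, role);
    }

    public static void main(String[] args) {
        Realm direct = new AppRealm();
        Realm authOnly = new AuthOnlyWrapperRealm(new AppRealm());
        Realm delegating = new DelegatingWrapperRealm(new AppRealm());
        System.out.println("direct:     " + authorize(direct, "alice", "s3cret", "manager"));
        System.out.println("auth-only:  " + authorize(authOnly, "alice", "s3cret", "manager"));
        System.out.println("delegating: " + authorize(delegating, "alice", "s3cret", "manager"));
    }
}
```

Run with `javac RealmDelegationDemo.java && java RealmDelegationDemo`. The direct realm grants alice the manager role; the auth-only wrapper authenticates her but denies the role, because the inherited hasRole only recognises its own principal type; the delegating wrapper grants it again. The practical check for any realm composition is therefore to test a role-constrained URL (or a @RolesAllowed method) and not just the login, since a successful authentication says nothing about whether hasRole reached the wrapped realm.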
