This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new f30f64419c Avoid adding a "null" or empty string role where non is 
specified
f30f64419c is described below

commit f30f64419cdc30771143573eb8fcf235211e74c1
Author: remm <[email protected]>
AuthorDate: Fri May 22 19:20:50 2026 +0200

    Avoid adding a "null" or empty string role where non is specified
---
 java/org/apache/catalina/realm/MemoryRealm.java     | 18 ++++++++++--------
 test/org/apache/catalina/realm/TestMemoryRealm.java |  4 ++++
 webapps/docs/changelog.xml                          |  4 ++++
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/realm/MemoryRealm.java 
b/java/org/apache/catalina/realm/MemoryRealm.java
index bb127312db..797bf1c3b0 100644
--- a/java/org/apache/catalina/realm/MemoryRealm.java
+++ b/java/org/apache/catalina/realm/MemoryRealm.java
@@ -166,15 +166,17 @@ public class MemoryRealm extends RealmBase {
 
         // Accumulate the list of roles for this user
         List<String> list = new ArrayList<>();
-        roles += ",";
-        while (true) {
-            int comma = roles.indexOf(',');
-            if (comma < 0) {
-                break;
+        if (roles != null && !roles.isBlank()) {
+            roles += ",";
+            while (true) {
+                int comma = roles.indexOf(',');
+                if (comma < 0) {
+                    break;
+                }
+                String role = roles.substring(0, comma).trim();
+                list.add(role);
+                roles = roles.substring(comma + 1);
             }
-            String role = roles.substring(0, comma).trim();
-            list.add(role);
-            roles = roles.substring(comma + 1);
         }
 
         // Construct and cache the Principal for this user
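Review bot: The new guard `if (roles != null && !roles.isBlank())` only covers an attribute that is absent or blank as a whole; inside the loop `list.add(role)` still runs unconditionally after `trim()`, so a value such as `roles=","`, a trailing comma or `a, ,b` still puts an empty-string role on the principal. Because these role names feed authorization decisions, I would skip empty tokens with `if (!role.isEmpty()) { list.add(role); }`. The `groups` attribute seen in the test fixture is presumably parsed in a similar way outside this hunk and may want the same check, but that code is not visible here. The enclosing method starts and ends outside the hunk.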
diff --git a/test/org/apache/catalina/realm/TestMemoryRealm.java 
b/test/org/apache/catalina/realm/TestMemoryRealm.java
index 9ba71d268f..1035c80ce1 100644
--- a/test/org/apache/catalina/realm/TestMemoryRealm.java
+++ b/test/org/apache/catalina/realm/TestMemoryRealm.java
@@ -37,6 +37,7 @@ public class TestMemoryRealm extends TomcatBaseTest {
             + "<role rolename=\"testrole\" />"
             + "<group groupname=\"testgroup\" />"
             + "<user username=\"admin\" password=\"sekr3t\" roles=\"testrole, 
otherrole\" groups=\"testgroup, othergroup\" />"
+            + "<user username=\"otheruser\" password=\"sekr3t2\" roles=\" \" 
/>"
             + "</tomcat-users>";
 
     @Test
@@ -74,6 +75,9 @@ public class TestMemoryRealm extends TomcatBaseTest {
         p = lockout.authenticate("admin", "sekr3t");
         Assert.assertNull(p);
 
+        Principal p2 = lockout.authenticate("otheruser", "sekr3t2");
+        Assert.assertNotNull(p2);
+        Assert.assertTrue(((GenericPrincipal) p2).getRoles().length == 0);
     }
 
 }
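Review bot: The added fixture user only exercises `roles=" "`, so the absent-attribute case (presumably the source of the `"null"` role named in the commit title) and a list containing an empty token, such as a trailing comma, are not tested. Adding a `<user>` with no `roles` attribute to the fixture in the first hunk and asserting an empty role array for it would pin the `roles != null` half of the new guard. The check `Assert.assertTrue(((GenericPrincipal) p2).getRoles().length == 0)` would also report the actual length on failure if written as `Assert.assertEquals(0, ((GenericPrincipal) p2).getRoles().length);`. The test method begins outside this hunk.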
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8c67e2d5aa..36ab6955ee 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -172,6 +172,10 @@
         On JAAS logout, clear out role principals on the subject that were
         added on commit, as recommended by the JAAS specification. (remm)
       </fix>
+      <fix>
+        <code>MemoryRealm</code> should not add a dummy role when none is
+        specified in the configuration. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

