This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63636/tomcat-9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit c9d38596d29db2af3cc1fee16a5b86d453a46b49
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Mon Aug 5 21:32:58 2019 +0200

    BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
---
 java/org/apache/catalina/realm/RealmBase.java     |  9 +++++
 test/org/apache/catalina/realm/TestRealmBase.java | 43 +++++++++++++++++++++++
 webapps/docs/changelog.xml                        |  4 +++
 3 files changed, 56 insertions(+)

diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index c779c34..dbeeaa3 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -928,6 +928,15 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
             }
         }
 
+        // Check for a role alias/mapping defined on context level
+        if (getContainer() instanceof Context) {
+            Context context = (Context) getContainer();
+            String realRole = context.findRoleMapping(role);
+            if (realRole != null) {
+                role = realRole;
+            }
+        }
+
         // Should be overridden in JAASRealm - to avoid pretty inefficient 
conversions
         if (principal == null || role == null) {
             return false;
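Review bot: The added `context.findRoleMapping(role)` call runs before the `principal == null || role == null` guard that follows it, so a null role reaches the Context implementation instead of being rejected first. Either move the new block below that guard or tighten the condition to `if (role != null && getContainer() instanceof Context) {`. Because the block changes which role name the authorization decision is made on, a comment stating the order of resolution would help, e.g. `// Applied after any servlet-level role reference; an unmapped role is checked unchanged`. That wording assumes the elided lines above the hunk are the wrapper lookup, which is not visible here. The body of hasRole() starts and ends outside the hunk.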
diff --git a/test/org/apache/catalina/realm/TestRealmBase.java 
b/test/org/apache/catalina/realm/TestRealmBase.java
index 7ef9191..b4d35fb 100644
--- a/test/org/apache/catalina/realm/TestRealmBase.java
+++ b/test/org/apache/catalina/realm/TestRealmBase.java
@@ -19,7 +19,9 @@ package org.apache.catalina.realm;
 import java.io.IOException;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import javax.servlet.ServletSecurityElement;
 import javax.servlet.annotation.ServletSecurity;
@@ -789,4 +791,45 @@ public class TestRealmBase {
         Assert.assertFalse(mapRealm.hasResourcePermission(
                 request, response, constraintsDelete, null));
     }
+
+    @Test
+    public void testRoleMapping() throws Exception {
+        Context context = new TesterContext() {
+            private Map<String, String> roleMapping = new HashMap<>();
+
+            public void addRoleMapping(String role, String link) {
+                roleMapping.put(role, link);
+            }
+
+            @Override
+            public String findRoleMapping(String role) {
+                return roleMapping.get(role);
+            }
+        };
+
+        context.addRoleMapping(ROLE2, "very-complex-role-name");
+        // We won't map ROLE3 to "another-very-complex-role-name" to make it 
fail
+        // intentionally
+
+        TesterMapRealm realm = new TesterMapRealm();
+        MessageDigestCredentialHandler ch = new 
MessageDigestCredentialHandler();
+        ch.setAlgorithm("SHA");
+        realm.setCredentialHandler(ch);
+        realm.setContainer(context);
+        realm.start();
+
+        realm.addUser(USER1, PWD_SHA);
+        realm.addUserRole(USER1, ROLE1);
+        realm.addUserRole(USER1, "very-complex-role-name");
+        realm.addUserRole(USER1, "another-very-complex-role-name");
+
+        Principal p = realm.authenticate(USER1, PWD);
+
+        Assert.assertNotNull(p);
+        Assert.assertEquals(USER1, p.getName());
+        Assert.assertTrue(realm.hasRole(null, p, ROLE1));
+        Assert.assertTrue(realm.hasRole(null, p, ROLE2));
+        Assert.assertTrue(realm.hasRole(null, p, "very-complex-role-name"));
+        Assert.assertFalse(realm.hasRole(null, p, ROLE3));
+    }
 }
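Review bot: Every assertion in `testRoleMapping()` passes `null` as the first argument to `hasRole()`, so the test only covers the context mapping in isolation. If that argument is the wrapper, as it appears to be, the case where a servlet-level reference has already rewritten the role before the context mapping is applied goes unexercised. That chained case decides which role is actually checked, so it is worth a test with a non-null first argument. A null-role assertion such as `Assert.assertFalse(realm.hasRole(null, p, null));` would also pin how the new lookup interacts with the existing null guard. As a style point, `addRoleMapping` in the anonymous `TesterContext` should carry `@Override`, as `findRoleMapping` does.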
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 214ec60..8d2855e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,10 @@
 <section name="Tomcat 9.0.23 (markt)" rtext="in development">
   <subsection name="Catalina">
     <changelog>
+      <fix>
+        <bug>63636</bug>: <code>Context.findRoleMapping()</code> never called
+        in <code>RealmBase#hasRole()</code>. (michaelo)
+      </fix>
       <update>
         <bug>63627</bug>: Implement more fine-grained handling in
         <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)

