ratcashdev / authenticroast

Automatically exported from code.google.com/p/authenticroast

TomcatAuthenticator denies access if there is an applicable security-constraint but no auth-constraints. #16

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This situation arises e.g. if you want to set a URL pattern to require SSL but 
you don't want access control. The TomcatAuthenticator returns 'false' if 
roles.length is zero. It should return 'true' in this situation. See 
org.catalina.authenticator.AuthenticatorBase#checkRoles() for the correct 
logic, which is somewhat more complex than this bald summary. I will develop a 
patch for this today.

Original issue reported on code.google.com by EsmondP...@gmail.com on 16 Dec 2010 at 10:23
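
The distinction the report points at, as an added example that is not part of the original thread and is not Tomcat or authenticroast code: under the Servlet specification's rules for combining constraints, a matching security-constraint with no auth-constraint permits access, while an auth-constraint that names no roles denies everyone, so "zero roles" alone cannot decide the outcome. The `Constraint` record and both method names are hypothetical, the `*` role and transport-guarantee enforcement are left out, and the code assumes Java 16 or later.

```java
import java.util.*;

// Added example: a simplified model, not Tomcat or authenticroast code.
public class AuthConstraintDemo {
    // One <security-constraint> that matched the request URL (hypothetical type).
    // hasAuthConstraint=false models a constraint carrying only a <user-data-constraint>.
    record Constraint(boolean hasAuthConstraint, Set<String> roles) {}

    // Models the behaviour described in the report: zero roles always means "deny".
    static boolean reported(List<Constraint> cs, Set<String> userRoles) {
        Set<String> roles = new HashSet<>();
        for (Constraint c : cs) roles.addAll(c.roles());
        if (roles.isEmpty()) return false;
        return !Collections.disjoint(roles, userRoles);
    }

    // Servlet-spec combination rules for the constraints that match a request.
    static boolean specCompliant(List<Constraint> cs, Set<String> userRoles) {
        boolean open = cs.isEmpty();                     // nothing applies: permit
        Set<String> roles = new HashSet<>();
        for (Constraint c : cs) {
            if (!c.hasAuthConstraint()) open = true;     // e.g. SSL-only: no access control
            else if (c.roles().isEmpty()) return false;  // empty auth-constraint: deny all, overrides others
            else roles.addAll(c.roles());                // union of the named roles
        }
        return open || !Collections.disjoint(roles, userRoles);
    }

    public static void main(String[] args) {
        Set<String> anonymous = Set.of();                // constructed sample: unauthenticated caller
        Map<String, List<Constraint>> cases = new LinkedHashMap<>();
        cases.put("SSL only, no auth-constraint", List.of(new Constraint(false, Set.of())));
        cases.put("empty auth-constraint", List.of(new Constraint(true, Set.of())));
        cases.put("role 'admin' required", List.of(new Constraint(true, Set.of("admin"))));
        cases.forEach((name, cs) -> System.out.printf("%-30s reported=%-5b spec=%b%n",
                name, reported(cs, anonymous), specCompliant(cs, anonymous)));
    }
}
```

Only the first case differs between the two methods; a fix that simply returned `true` whenever the role list is empty would also open the second case, which must stay denied.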

GoogleCodeExporter commented 9 years ago
I have a fix for this, attached, but it occurs to me that TomcatAuthenticator 
should really extend org.catalina.authenticator.AuthenticatorBase. Then (a) a 
lot of the stuff it does can disappear and (b) it acquires the possibility to 
be auto-integrated with Tomcat SSO. I'll have a play around with that.

Original comment by EsmondP...@gmail.com on 17 Dec 2010 at 1:21

GoogleCodeExporter commented 9 years ago
Belay that thought, I had a look into it, I can well see why you did it the way 
you did.

Original comment by EsmondP...@gmail.com on 19 Dec 2010 at 11:40

GoogleCodeExporter commented 9 years ago
I implemented the fix a little differently (and a little late) but it works.

Original comment by aike.som...@gmail.com on 17 Jan 2011 at 10:09