ratcashdev / authenticroast

Automatically exported from code.google.com/p/authenticroast

HttpServletRequest.isUserInRole() doesn't work #9

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The TomcatAuthenticator runs entirely its own regime about authentication and 
security constraint checking, and it registers a SimplePrincipal rather than a 
Tomcat GenericPrincipal with Tomcat so the default implementation of 
RealmBase.hasRole() always returns false, and this propagates up all the way to 
HttpServletRequest.isUserInRole() always returning false as well.

This can be most simply fixed by registering a GenericPrincipal with Tomcat in 
the TomcatAuthenticator:

    protected void register(AuthenticationRequest request,
            SimplePrincipal simplePrincipal) {
        try {
            Tomcat6Request req = (Tomcat6Request) request;
            // Wrap the SimplePrincipal in a Tomcat GenericPrincipal: RealmBase.hasRole()
            // only recognises roles carried by a GenericPrincipal, so the groups are
            // passed as its role list and the original principal is kept as userPrincipal.
            GenericPrincipal gp = new GenericPrincipal(context.getRealm(),
                    simplePrincipal.getName(),
                    null,
                    new LinkedList<String>(simplePrincipal.getGroups()),
                    simplePrincipal);
            // Register the principal on the current request ...
            req.getCatalinaRequest().setAuthType("ROAST");
            req.getCatalinaRequest().setUserPrincipal(gp);
            // ... and on the session, so it survives subsequent requests.
            Session session = req.getCatalinaRequest().getSessionInternal(true);
            session.setAuthType("ROAST");
            session.setPrincipal(gp);
            session.setNote(Constants.SESS_USERNAME_NOTE, simplePrincipal.getName());
        } catch (Exception ex) {
            throw new RuntimeException(ex);
        }
    }

This fix is tested. This fix also has the side-effect of making AuthenticRoast 
more compatible with existing Tomcat-based applications that know about 
GenericPrincipal for their own fell purposes, e.g. my own JAAS login module set.

However I must say I would like to get rid of SimplePrincipal altogether. It 
would be better to use javax.security.auth.Subject throughout, and make it all 
subject to user-configurable UserPrincipal and RolePrincipal classes in the 
same way as the Tomcat JAAS Realm is.

Original issue reported on code.google.com by EsmondP...@gmail.com on 16 Nov 2010 at 6:37
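As an added example (not from the original issue or the AuthenticRoast code base), a stand-alone Java check that reproduces the root cause described above against Tomcat 6's own classes: RealmBase.hasRole() only honours roles carried by a GenericPrincipal, so any other Principal type yields isUserInRole() == false. It assumes a Tomcat 6.0.x catalina.jar on the classpath; PlainPrincipal and HasRoleCheck are names made up for this example.

```java
// Added example, not part of AuthenticRoast or Tomcat. Assumes Tomcat 6.0.x
// catalina.jar on the classpath (Realm.hasRole(Principal, String) signature).
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import org.apache.catalina.Realm;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.MemoryRealm;

public class HasRoleCheck {

    // Stand-in for AuthenticRoast's SimplePrincipal (hypothetical class name):
    // any Principal that is not a GenericPrincipal is invisible to RealmBase.hasRole().
    static final class PlainPrincipal implements Principal {
        private final String name;
        PlainPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Mirrors what Request.isUserInRole() ends up delegating to in Tomcat 6.
    static boolean realmSaysUserInRole(Realm realm, Principal p, String role) {
        return realm.hasRole(p, role);
    }

    public static void main(String[] args) {
        Realm realm = new MemoryRealm();              // any concrete RealmBase will do
        List<String> groups = Arrays.asList("user", "admin");  // constructed sample groups

        // Before the fix: a non-Generic principal, so hasRole() is always false
        // even though the user really is in the "admin" group.
        Principal plain = new PlainPrincipal("alice");
        boolean before = realmSaysUserInRole(realm, plain, "admin");

        // After the fix: the same identity wrapped in a GenericPrincipal that
        // carries the group list, with the original principal kept as userPrincipal.
        Principal gp = new GenericPrincipal(realm, plain.getName(), null, groups, plain);
        boolean after = realmSaysUserInRole(realm, gp, "admin");
        boolean missingRole = realmSaysUserInRole(realm, gp, "auditor");

        System.out.println("plain principal,  admin   : " + before);
        System.out.println("GenericPrincipal, admin   : " + after);
        System.out.println("GenericPrincipal, auditor : " + missingRole);
        if (before || !after || missingRole) {
            throw new AssertionError("RealmBase.hasRole() did not behave as expected");
        }
    }
}
```

Run it once against a build without the fix and once with it: the first call stays false regardless, which is exactly the symptom the issue reports, while the wrapped principal answers the role check correctly and still refuses a role it does not hold.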

GoogleCodeExporter commented 9 years ago
I do agree that some API-cleaning is due. However, for now I just applied your 
fix, since I'm a little busy with other things.
I created a milestone for API-cleanup (Milestone-API0.5), feel free to add 
issues for things you think should be reworked.

Original comment by aike.som...@gmail.com on 16 Nov 2010 at 10:22