org.mortbay.jetty.Request.isUserInRole() behaves incorrectly until o.m.j.Request.getPrincipal() is invoked

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 6.1.0
Fix Version/s: None
Component/s: Servlet
Labels:
None

Number of attachments :
0

Description

Looking at the source code, getPrincipal() performs a lazy authentication when it's invoked for the first time.
The lazy authentication is triggered by checking "_userPrincipal instanceof SecurityHandler.NotChecked"

Yet in isUserInRole() method, such check is not performed on _userPrincipal. So the following code will end up passing
unauthenticated dummy "NotChecked" instance to the realm, which will return false.

if (_userRealm!=null && _userPrincipal!=null)
return _userRealm.isUserInRole(_userPrincipal, role);

The correct code should be:

Principal p = getPrincipal();
if (_userRealm!=null && p!=null)
return _userRealm.isUserInRole(p, role);

Activity

Ascending order - Click to sort in descending order

Jan Bartel made changes - 10/Feb/07 12:18 AM

Field	Original Value	New Value
Assignee		Jan Bartel [ janb ]

Jan Bartel made changes - 11/Feb/07 6:05 PM

Resolution		Won't Fix [ 2 ]
Status	Open [ 1 ]	Resolved [ 5 ]

Jan Bartel made changes - 11/Feb/07 6:05 PM

Status

Resolved [ 5 ]

Closed [ 6 ]

People

Assignee:

Jan Bartel

Reporter:

Kohsuke Kawaguchi

Vote (0)

Watch (0)

Dates

Created:

09/Feb/07 8:44 AM

Updated:

11/Feb/07 6:05 PM

Resolved:

11/Feb/07 6:05 PM