Resolution: Won't Fix
Affects Version/s: 6.1.0
Fix Version/s: None
Looking at the source code, getPrincipal() performs a lazy authentication when it is invoked for the first time.
The lazy authentication is triggered by checking "_userPrincipal instanceof SecurityHandler.NotChecked".
Yet in the isUserInRole() method, no such check is performed on _userPrincipal. So the following code will end up passing
the unauthenticated dummy "NotChecked" instance to the realm, which will return false.
// _userPrincipal may still be the NotChecked sentinel here; it is never resolved
if (_userRealm!=null && _userPrincipal!=null)
    return _userRealm.isUserInRole(_userPrincipal, role);
The correct code should be:
Principal p = getPrincipal(); // forces the lazy authentication first
if (_userRealm!=null && p!=null)
    return _userRealm.isUserInRole(p, role);
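The following is an added, self-contained illustration of the sequence described above; it is not Jetty's code. The NotChecked sentinel class, the Realm interface, the Request model and the user "alice" with the "admin" role are assumptions made for the example. It places the reported shape of isUserInRole() next to the suggested fix so the difference can be observed when the role check is the first security call made on a request:

```java
import java.security.Principal;

// Added illustration of the lazy-authentication bug described in this issue.
// This is a stand-alone model, not Jetty's code: the NotChecked sentinel,
// the Realm interface and the user "alice" are assumptions for the example.
public class LazyPrincipalExample {

    // Sentinel principal meaning "authentication has not been attempted yet"
    // (modelled on the SecurityHandler.NotChecked sentinel named in the issue).
    static final class NotChecked implements Principal {
        public String getName() { return "NotChecked"; }
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Minimal stand-in for a realm: authenticates credentials and answers role queries.
    interface Realm {
        Principal authenticate(String user, String credential);
        boolean isUserInRole(Principal p, String role);
    }

    // Hypothetical realm with a single user "alice" holding the "admin" role.
    static final Realm REALM = new Realm() {
        public Principal authenticate(String user, String credential) {
            if ("alice".equals(user) && "secret".equals(credential)) {
                return new UserPrincipal("alice");
            }
            return null; // authentication failed
        }
        public boolean isUserInRole(Principal p, String role) {
            // A NotChecked sentinel is not a UserPrincipal, so it is never in any role.
            return p instanceof UserPrincipal
                && "alice".equals(p.getName())
                && "admin".equals(role);
        }
    };

    // Model of a request that authenticates lazily, as described in the issue.
    static final class Request {
        private final String user;
        private final String credential;
        private Principal _userPrincipal = new NotChecked();

        Request(String user, String credential) {
            this.user = user;
            this.credential = credential;
        }

        // Lazy authentication: replace the sentinel with the realm's answer on first use.
        Principal getUserPrincipal() {
            if (_userPrincipal instanceof NotChecked) {
                _userPrincipal = REALM.authenticate(user, credential);
            }
            return _userPrincipal;
        }

        // Shape of the code the issue reports: the sentinel is handed straight to the realm.
        boolean isUserInRoleBuggy(String role) {
            if (_userPrincipal != null) {
                return REALM.isUserInRole(_userPrincipal, role);
            }
            return false;
        }

        // Shape of the suggested fix: go through getUserPrincipal() so authentication runs first.
        boolean isUserInRoleFixed(String role) {
            Principal p = getUserPrincipal();
            if (p != null) {
                return REALM.isUserInRole(p, role);
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Role check as the very first call on the request: the buggy version still holds the sentinel.
        Request first = new Request("alice", "secret");
        System.out.println("buggy isUserInRole before any getUserPrincipal(): "
            + first.isUserInRoleBuggy("admin"));
        System.out.println("fixed isUserInRole on a fresh request:           "
            + new Request("alice", "secret").isUserInRoleFixed("admin"));

        // Once getUserPrincipal() has run, the sentinel is gone and the buggy version
        // behaves normally, so the bug depends on the order of calls on the request.
        Request warmed = new Request("alice", "secret");
        warmed.getUserPrincipal();
        System.out.println("buggy isUserInRole after getUserPrincipal():     "
            + warmed.isUserInRoleBuggy("admin"));
    }
}
```

Compile and run with `javac LazyPrincipalExample.java && java LazyPrincipalExample`. The practical point for anyone testing this class of bug is the third call: a role check that is preceded by getUserPrincipal() (or by any other code path that resolves the sentinel) masks the defect, so a test has to make isUserInRole() the first security call on a fresh request.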