Skip to content

Commit f688a20

Browse files
committed
Don't ignore methods on security constraints mapped to "/"
1 parent 6546a48 commit f688a20

3 files changed

Lines changed: 72 additions & 1 deletion

File tree

java/org/apache/catalina/realm/RealmBase.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -753,7 +753,7 @@ public SecurityConstraint[] findSecurityConstraints(Request request, Context con
753753

754754
boolean matched = false;
755755
for (String pattern : patterns) {
756-
if (pattern.equals("/")) {
756+
if (pattern.equals("/") && securityCollection.findMethod(method)) {
757757
matched = true;
758758
break;
759759
}

test/org/apache/catalina/realm/TestRealmBase.java

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -872,4 +872,71 @@ public void testUncoveredMethods() throws IOException {
872872
Assert.assertFalse(mapRealm.hasResourcePermission(
873873
request, response, constraintsPost, null));
874874
}
875+
876+
877+
@Test
878+
public void testDefaultServletConstraints() throws IOException {
879+
// Create a constraint that allows GET
880+
SecurityConstraint allowConstraint = new SecurityConstraint();
881+
SecurityCollection allowCollection = new SecurityCollection();
882+
allowCollection.addMethod(Method.GET);
883+
allowCollection.addPatternDecoded("/");
884+
allowConstraint.addCollection(allowCollection);
885+
// Create a constraint that disallows everything but GET
886+
SecurityConstraint blockConstraint = new SecurityConstraint();
887+
SecurityCollection blockCollection = new SecurityCollection();
888+
blockCollection.addOmittedMethod(Method.GET);
889+
blockCollection.addPatternDecoded("/");
890+
blockConstraint.addCollection(blockCollection);
891+
blockConstraint.addAuthRole(ROLE1);
892+
893+
TesterMapRealm mapRealm = new TesterMapRealm();
894+
895+
// Set up the mock request and response
896+
TesterRequest request = new TesterRequest();
897+
Response response = new TesterResponse();
898+
Context context = request.getContext();
899+
request.getMappingData().context = context;
900+
901+
// Create the principals
902+
List<String> userRoles1 = new ArrayList<>();
903+
userRoles1.add(ROLE1);
904+
GenericPrincipal gp1 = new GenericPrincipal(USER1, userRoles1);
905+
906+
List<String> userRoles2 = new ArrayList<>();
907+
userRoles2.add(ROLE2);
908+
GenericPrincipal gp2 = new GenericPrincipal(USER2, userRoles2);
909+
910+
// Add the constraints to the context
911+
context.addConstraint(allowConstraint);
912+
context.addConstraint(blockConstraint);
913+
914+
// GET should be allowed
915+
request.setMethod(Method.GET);
916+
SecurityConstraint[] constraints = mapRealm.findSecurityConstraints(request, context);
917+
918+
request.setUserPrincipal(null);
919+
Assert.assertTrue(mapRealm.hasResourcePermission(
920+
request, response, constraints, null));
921+
request.setUserPrincipal(gp1);
922+
Assert.assertTrue(mapRealm.hasResourcePermission(
923+
request, response, constraints, null));
924+
request.setUserPrincipal(gp2);
925+
Assert.assertTrue(mapRealm.hasResourcePermission(
926+
request, response, constraints, null));
927+
928+
// POST should require ROLE1 should be allowed
929+
request.setMethod(Method.POST);
930+
constraints = mapRealm.findSecurityConstraints(request, context);
931+
932+
request.setUserPrincipal(null);
933+
Assert.assertFalse(mapRealm.hasResourcePermission(
934+
request, response, constraints, null));
935+
request.setUserPrincipal(gp1);
936+
Assert.assertTrue(mapRealm.hasResourcePermission(
937+
request, response, constraints, null));
938+
request.setUserPrincipal(gp2);
939+
Assert.assertFalse(mapRealm.hasResourcePermission(
940+
request, response, constraints, null));
941+
}
875942
}

webapps/docs/changelog.xml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -407,6 +407,10 @@
407407
Ensure atomic session persistence in <code>FileStore</code>. Based on
408408
pull request <pr>1016</pr> by sahvx655-wq. (markt)
409409
</fix>
410+
<fix>
411+
Do not ignore methods configured on security constraints that map to the
412+
default servlet. (markt)
413+
</fix>
410414
</changelog>
411415
</subsection>
412416
<subsection name="Coyote">

0 commit comments

Comments
 (0)