Issue #9731 infinite loop in role refs (#9732)

* Issue #9731 infinite loop in role refs

* Update jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/UserIdentityScope.java

Co-authored-by: Greg Wilkins <gregw@webtide.com>

---------

Co-authored-by: Greg Wilkins <gregw@webtide.com>
This commit is contained in:
Jan Bartel 2023-05-06 00:58:22 +10:00 committed by GitHub
parent 7e6de2512c
commit 11a67fbdd7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 15 deletions


@ -50,6 +50,9 @@ public class DefaultUserIdentity implements UserIdentity
@Override
public boolean isUserInRole(String role)
{
if (role == null)
return false;
if (DefaultIdentityService.isRoleAssociated(role))
return true;


@ -50,16 +50,14 @@ public interface UserIdentityScope
if (scope == null)
return role;
if (role == null)
return null;
Map<String, String> roleRefMap = scope.getRoleRefMap();
if (roleRefMap == null || roleRefMap.isEmpty())
return role;
String ref = roleRefMap.get(role);
while (ref != null)
{
role = ref;
ref = roleRefMap.get(role);
}
return role;
String deref = roleRefMap.get(role);
return deref == null ? role : deref;
}
}
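Review bot: The replacement `String deref = roleRefMap.get(role);` follows exactly one level of indirection, which is what removes the hang a cyclic role-ref map (A→B→A) caused in the old `while (ref != null)` loop, but nothing in the method says so, and a chained mapping a→b→c now resolves to b where it used to resolve to c. As far as I can tell this matches the servlet security-role-ref model, where a role-link names a real role rather than another link, but the contract should be stated. Suggest a Javadoc sentence on deRefRole such as `Resolves at most one level of role-ref indirection: a role that is itself a link is returned as-is rather than followed, so a cyclic role-ref configuration cannot loop here.` The method's signature and existing Javadoc are above the hunk.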


@ -56,13 +56,11 @@ public abstract class AbstractUserAuthentication implements User, Serializable
@Override
public boolean isUserInRole(UserIdentityScope scope, String role)
{
String roleToTest = null;
if (scope != null && scope.getRoleRefMap() != null)
roleToTest = scope.getRoleRefMap().get(role);
if (roleToTest == null)
roleToTest = role;
String roleToTest = UserIdentityScope.deRefRole(scope, role);
roleToTest = (roleToTest == null ? null : roleToTest.trim());
//Servlet Spec 3.1 pg 125 if testing special role **
if ("**".equals(roleToTest.trim()))
if ("**".equals(roleToTest))
{
//if ** is NOT a declared role name, the we return true
//as the user is authenticated. If ** HAS been declared as a
@ -70,10 +68,10 @@ public abstract class AbstractUserAuthentication implements User, Serializable
if (!declaredRolesContains("**"))
return true;
else
return _userIdentity.isUserInRole(UserIdentityScope.deRefRole(scope, role));
return _userIdentity.isUserInRole(roleToTest);
}
return _userIdentity.isUserInRole(UserIdentityScope.deRefRole(scope, role));
return _userIdentity.isUserInRole(roleToTest);
}
public boolean declaredRolesContains(String roleName)
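Review bot: A null `roleToTest` now flows through both `return _userIdentity.isUserInRole(roleToTest);` lines, because `UserIdentityScope.deRefRole(scope, role)` returns null when role is null and the ternary on the next line only preserves it; DefaultUserIdentity gained a null guard in this commit, but any other UserIdentity implementation is left to cope with it. Before the change that case threw an NPE at the old `.trim()`, so nothing depended on it reaching the identity. Replacing the ternary with `if (roleToTest == null) return false;` followed by `roleToTest = roleToTest.trim();` keeps the authorization decision local and deterministic for every identity type. Note also that the trimmed value is now what the identity is asked about, whereas previously trim applied only to the `**` comparison — presumably harmless, but it is a behaviour change worth a comment. The method's closing brace and `declaredRolesContains` continue outside the hunk.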