Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #5909 - Better handling of merged RoleInfo during omitted method constraints #5917

Merged
merged 3 commits into from
Feb 9, 2021
Merged

Issue #5909 - Better handling of merged RoleInfo during omitted method constraints #5917

merged 3 commits into from
Feb 9, 2021

Conversation

janbartel
Copy link
Contributor

Arises from #5909

We found some code in combining security-constraints that has existed at least since Jetty was brought over into Eclipse (circa 2009?) that wasn't correct, and which then had another bug introduced in 2009.

When RoleInfo is combined from security-constraints with either http-method-omissions or without any http-methods, the code:

  • failed to merge the auth-constraint roles
  • incorrectly switched the sense of whether the request needs to be authenticated

gregw added 2 commits January 26, 2021 09:53
@gregw
Test to reproduce #5909
1f1c4ae 
Test to reproduce #5909
@gregw
Fix #5909 Better handle merged RoleInfo
cc4b6ec 
Fix #5909 Better handle merged RoleInfo
@joakime joakime changed the title Jetty 9.4.x 5909 omitted method constraints Issue #5909 - Better handling of merged RoleInfo during omitted method constraints Jan 26, 2021
@gregw gregw requested a review from lachlan-roberts January 26, 2021 15:03
@gregw
Copy link
Contributor

gregw commented Jan 26, 2021

@lachlan-roberts read up on what http-method-omissions is about. It is really rather bizarre!

lachlan-roberts
lachlan-roberts reviewed Jan 27, 2021
View reviewed changes
jetty-security/src/main/java/org/eclipse/jetty/security/RoleInfo.java Outdated
else if (other._isAnyAuth)
setAnyAuth(true);
else if (!_isAnyRole)
_roles.addAll(other._roles);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't _roles.addAll(other._roles) be done in the other._isAnyRole == true case as well?

In ConstraintSecurityHandler.configureRoleInfo() it is done like that.

if (mapping.getConstraint().isAnyRole())
{
    // * means matches any defined role
    for (String role : _roles)
    {
        ri.addRole(role);
    }
    ri.setAnyRole(true);
}

lachlan-roberts
lachlan-roberts approved these changes Jan 27, 2021
View reviewed changes
Copy link
Contributor

@lachlan-roberts lachlan-roberts left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@janbartel
Issue #5909 Update after review
2c412ac 
Signed-off-by: Jan Bartel <[email protected]>
@janbartel janbartel merged commit 75183e8 into jetty-9.4.x Feb 9, 2021
@janbartel janbartel deleted the jetty-9.4.x-5909-omitted-method-constraints branch February 9, 2021 08:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lachlan-roberts lachlan-roberts lachlan-roberts approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@janbartel @gregw @lachlan-roberts