
Issue #5909 - Better handling of merged RoleInfo during omitted method constraints #5917

Merged
merged 3 commits into from Feb 9, 2021

Conversation

janbartel
Contributor

Arises from #5909

We found some code in combining security-constraints that has existed at least since Jetty was brought over into Eclipse (circa 2009?) that wasn't correct, and which then had another bug introduced in 2009.

When RoleInfo is combined from security-constraints with either http-method-omissions or without any http-methods, the code:

  • failed to merge the auth-constraint roles
  • incorrectly switched the sense of whether the request needs to be authenticated

Test to reproduce #5909
Fix #5909 Better handle merged RoleInfo
@janbartel janbartel added this to In progress in Jetty 9.4.37 via automation Jan 26, 2021
@joakime joakime changed the title Jetty 9.4.x 5909 omitted method constraints Issue #5909 - Better handling of merged RoleInfo during omitted method constraints Jan 26, 2021
@gregw
Contributor

gregw commented Jan 26, 2021

@lachlan-roberts read up on what http-method-omissions is about. It is really rather bizarre!

else if (other._isAnyAuth)
    setAnyAuth(true);
else if (!_isAnyRole)
    _roles.addAll(other._roles);

Shouldn't _roles.addAll(other._roles) be done in the other._isAnyRole == true case as well?

In ConstraintSecurityHandler.configureRoleInfo() it is done like that.

if (mapping.getConstraint().isAnyRole())
{
    // * means matches any defined role
    for (String role : _roles)
    {
        ri.addRole(role);
    }
    ri.setAnyRole(true);
}
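Both bugs in the PR description (auth-constraint roles not merged, the authentication sense flipped) and the review question about also adding roles in the anyRole case come down to the Servlet specification's rules for combining the security-constraints that cover one URL pattern and HTTP method. The following is an added Java model of those rules, not Jetty's RoleInfo or any code from this PR; the class names Info, Constraint and MergedRoleInfoDemo are hypothetical, and the three constraints in main are constructed sample input.

```java
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
// Added model (hypothetical names, not Jetty's RoleInfo) of the Servlet-spec rules for combining
// the security-constraints that cover one URL pattern and HTTP method.
public class MergedRoleInfoDemo {
    static final class Info {
        boolean checked;   // an auth-constraint applies, so the request must be authenticated
        boolean forbidden; // auth-constraint naming no roles: access is precluded
        boolean anyRole;   // auth-constraint names "*"
        final Set<String> roles = new TreeSet<>();
        Info(boolean checked, boolean forbidden, boolean anyRole, String... roles) {
            this.checked = checked; this.forbidden = forbidden; this.anyRole = anyRole;
            this.roles.addAll(List.of(roles));
        }
        Info copy() { return new Info(checked, forbidden, anyRole, roles.toArray(new String[0])); }
        // Precedence: forbidden beats everything; an unchecked side (no auth-constraint) beats
        // named roles; otherwise the role sets are unioned, also when "*" is present.
        Info combine(Info o) {
            if (forbidden || o.forbidden) { checked = true; forbidden = true; anyRole = false; roles.clear(); }
            else if (!checked || !o.checked) { checked = false; anyRole = false; roles.clear(); }
            else { anyRole |= o.anyRole; roles.addAll(o.roles); }
            return this;
        }
        @Override public String toString() { return "checked=" + checked + " forbidden=" + forbidden + " anyRole=" + anyRole + " roles=" + roles; }
    }
    // One security-constraint; empty methods and omitted means it covers every method.
    record Constraint(Set<String> methods, Set<String> omitted, Info info) {
        boolean appliesTo(String m) {
            if (!omitted.isEmpty()) return !omitted.contains(m); // <http-method-omission>
            return methods.isEmpty() || methods.contains(m);      // <http-method>, or none
        }
    }
    // Merge every constraint covering 'method'; null means none covers it.
    static Info merge(String method, List<Constraint> constraints) {
        Info acc = null;
        for (Constraint c : constraints)
            if (c.appliesTo(method)) acc = (acc == null) ? c.info().copy() : acc.combine(c.info());
        return acc;
    }
    public static void main(String[] args) {
        List<Constraint> cs = List.of(
            new Constraint(Set.of(), Set.of("GET"), new Info(true, false, false, "admin")), // all but GET
            new Constraint(Set.of(), Set.of(), new Info(true, false, false, "user")),       // every method
            new Constraint(Set.of("GET"), Set.of(), new Info(false, false, false)));        // GET, unchecked
        System.out.println("POST -> " + merge("POST", cs)); // constraints 1 and 2 apply: roles are unioned
        System.out.println("GET  -> " + merge("GET", cs));  // constraints 2 and 3 apply: unchecked wins
    }
}
```

The POST case is the shape of the reported bug: two constraints with auth-constraints both cover the method, so the merged result must stay checked and carry the union of their roles.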

@lachlan-roberts lachlan-roberts left a comment

LGTM

Jetty 9.4.37 automation moved this from In progress to Reviewer approved Jan 27, 2021
Signed-off-by: Jan Bartel <janb@webtide.com>
@janbartel janbartel merged commit 75183e8 into jetty-9.4.x Feb 9, 2021
Jetty 9.4.37 automation moved this from Reviewer approved to Done Feb 9, 2021
@janbartel janbartel deleted the jetty-9.4.x-5909-omitted-method-constraints branch February 9, 2021 08:44