Allow ':' to appear in ACL expressions

Currently if ':' appears in an ACL expression (e.g. a group name, as
occurs in FreeIPA permissions), the ACL gets parsed incorrectly.

Look backwards from end of string for the final ':', so that the ACL
parses correctly.

Part of: https://fedorahosted.org/pki/ticket/1359

1 files changed, 3 insertions, 1 deletions

diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index e37ba25e0..9b87f6e24 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine {
 
             acl = new ACL(resource, rights, resACLs);
 
+            // search *backwards* for final instance of ':', to handle case
+            // where acl expressions contain colon, e.g. in a group name.
             String stx = st.substring(idx2 + 1);
-            int idx3 = stx.indexOf(":");
+            int idx3 = stx.lastIndexOf(":");
             String aclStr = stx.substring(0, idx3);
 
             // getting list of acl entries