summaryrefslogtreecommitdiffstats
path: root/base
diff options
context:
space:
mode:
authorJack Magne <jmagne@dhcp-32-224.sjc.redhat.com>2012-04-25 13:49:19 -0700
committerJack Magne <jmagne@dhcp-32-224.sjc.redhat.com>2012-05-04 18:23:00 -0700
commita1ef21445638aadd9d0f2b58000b11bd1ecb58f3 (patch)
treed09181639587153c9cc3017ff65c8313b96378fd /base
parentac2dcb4573ad33f927c5dae49a6bd473592083c0 (diff)
downloadpki-a1ef21445638aadd9d0f2b58000b11bd1ecb58f3.tar.gz
pki-a1ef21445638aadd9d0f2b58000b11bd1ecb58f3.tar.xz
pki-a1ef21445638aadd9d0f2b58000b11bd1ecb58f3.zip
JNDI realm enhancement to handle multiple entry ACLs.
Currently the realm only returns the last acl result in a multiple entry ACL. Since most of them only have one entry, this is mistly ok. This simple fix allows the code to handle multiple entries correctly. Ticket #123.
Diffstat (limited to 'base')
-rw-r--r--base/common/src/CMakeLists.txt1
-rw-r--r--base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java14
2 files changed, 11 insertions, 4 deletions
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index 5cd55365d..2b3977dbe 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -1093,6 +1093,7 @@ set(PKI_CMSBUNDLE_JAR ${pki-cmsbundle_JAR_FILE} CACHE INTERNAL "pki-cmsbundle ja
# build pki jndi realm
set(CMAKE_JAR_CLASSES_PREFIX com/netscape/cmscore/realm)
add_jar(pki-jndi-realm ${pki-jndi-realm_SRCS})
+add_dependencies(pki-jndi-realm pki-nsutil pki-cmsutil pki-certsrv pki-cms pki-cmscore pki-cmsbundle)
install_jar(pki-jndi-realm ${JAVA_JAR_INSTALL_DIR}/pki)
set(PKI_JNDI_REALM_JAR ${pki-jndi-realm_JAR_FILE} CACHE INTERNAL "pki-jndi-realm jar file")
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 683dc60f8..a112cdbcc 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -384,10 +384,16 @@ public class PKIJNDIRealm extends JNDIRealm {
if (isEntryNegative) {
allowed = !allowed;
}
-
- //ToDo:
- // Handle the more than one entry case.
- // What to do if one of them fails.
+
+ // Our current ACLs require that every entry passes for
+ // the entire ACL to pass.
+ // For some reason the original code allows the negative acls (deny)
+ // to be evaluated first or second based on configuration. Here, simply
+ // traverse the list as is.
+
+ if (!allowed) {
+ break;
+ }
}
return allowed;