author | Jack Magne <jmagne@dhcp-32-224.sjc.redhat.com> | 2012-04-25 13:49:19 -0700 |
---|---|---|
committer | Jack Magne <jmagne@dhcp-32-224.sjc.redhat.com> | 2012-05-04 18:23:00 -0700 |
commit | a1ef21445638aadd9d0f2b58000b11bd1ecb58f3 (patch) | |
tree | d09181639587153c9cc3017ff65c8313b96378fd /base | |
parent | ac2dcb4573ad33f927c5dae49a6bd473592083c0 (diff) | |
JNDI realm enhancement to handle multiple entry ACLs.
Currently the realm only returns the last acl result in a multiple entry ACL. Since most of them only have one entry, this is mostly ok. This simple fix allows the code to handle multiple entries correctly.
Ticket #123.
Diffstat (limited to 'base')
-rw-r--r-- | base/common/src/CMakeLists.txt | 1 | ||||
-rw-r--r-- | base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java | 14 |
2 files changed, 11 insertions, 4 deletions
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index 5cd55365d..2b3977dbe 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -1093,6 +1093,7 @@ set(PKI_CMSBUNDLE_JAR ${pki-cmsbundle_JAR_FILE} CACHE INTERNAL "pki-cmsbundle ja
 # build pki jndi realm
 set(CMAKE_JAR_CLASSES_PREFIX com/netscape/cmscore/realm)
 add_jar(pki-jndi-realm ${pki-jndi-realm_SRCS})
+add_dependencies(pki-jndi-realm pki-nsutil pki-cmsutil pki-certsrv pki-cms pki-cmscore pki-cmsbundle)
 install_jar(pki-jndi-realm ${JAVA_JAR_INSTALL_DIR}/pki)
 set(PKI_JNDI_REALM_JAR ${pki-jndi-realm_JAR_FILE} CACHE INTERNAL "pki-jndi-realm jar file")
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 683dc60f8..a112cdbcc 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -384,10 +384,16 @@ public class PKIJNDIRealm extends JNDIRealm {
 if (isEntryNegative) {
 allowed = !allowed;
 }
-
- //ToDo:
- // Handle the more than one entry case.
- // What to do if one of them fails.
+
+ // Our current ACLs require that every entry passes for
+ // the entire ACL to pass.
+ // For some reason the original code allows the negative acls (deny)
+ // to be evaluated first or second based on configuration. Here, simply
+ // traverse the list as is.
+
+ if (!allowed) {
+ break;
+ }
 }
 return allowed; |
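Review bot: The new `add_dependencies(pki-jndi-realm ...)` line carries no comment saying why the realm jar has to be built after these six jars, and build ordering alone does not put them on the compile classpath. If the realm sources compile against classes from those jars, say so above the line, for example `# realm sources compile against these jars; build them first`. The classpath is set outside this hunk, so it is worth confirming there that it lists the same jars.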
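Review bot: The early `break` on `!allowed` turns a multi-entry ACL into an AND over its entries in list order, while the added comment itself says the original evaluator applies a configured deny/allow order, so the realm and the core ACL check may reach different decisions for the same resource. Under AND, an ACL with two allow entries for different groups would refuse a user who is in only one of them; that fails closed, but the divergence should either be removed by honouring the configured order or be recorded as intentional, e.g. `// NOTE: entries are ANDed in list order; the configured evaluation order is not applied here`. The loop starts outside the hunk, so please confirm there that `allowed` is initialised to `false` and that an ACL with no entries cannot reach `return allowed;` as `true`.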