Diffstat (limited to 'base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java')
-rw-r--r-- | base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 683dc60f8..a112cdbcc 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -384,10 +384,16 @@ public class PKIJNDIRealm extends JNDIRealm {
 if (isEntryNegative) {
 allowed = !allowed;
 }
-
- //ToDo:
- // Handle the more than one entry case.
- // What to do if one of them fails.
+
+ // Our current ACLs require that every entry passes for
+ // the entire ACL to pass.
+ // For some reason the original code allows the negative acls (deny)
+ // to be evaluated first or second based on configuration. Here, simply
+ // traverse the list as is.
+
+ if (!allowed) {
+ break;
+ }
 }
 return allowed; |
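Review bot: The added comment says the configured deny/allow evaluation order is ignored "for some reason", which leaves the next reader unable to tell whether skipping it is safe for an authorization decision. If every entry must pass, the result is a conjunction and order cannot change it, so the comment should say that, e.g. `// Every entry must pass (logical AND), so evaluation order cannot change the result; stop at the first failing entry.` The loop header and the initial value of `allowed` are outside the hunk, so confirm it starts as false and an ACL with no entries is denied rather than returning whatever the initial value happens to be. It is also worth checking that the evaluation above `if (isEntryNegative)` cannot yield false for an expression it failed to parse or match, because `allowed = !allowed` would turn that failure into a pass for a deny entry and the new `break` would not fire.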