From a1ef21445638aadd9d0f2b58000b11bd1ecb58f3 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Wed, 25 Apr 2012 13:49:19 -0700
Subject: JNDI realm enhancement to handle multiple entry ACLs.

Currently the realm only returns the last acl result in a multiple entry ACL. Since most of them only have one entry, this is mistly ok. This simple fix allows the code to handle multiple entries correctly. Ticket #123.
---
.../src/com/netscape/cmscore/realm/PKIJNDIRealm.java | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'base/common/src/com/netscape/cmscore')

diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 683dc60f8..a112cdbcc 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -384,10 +384,16 @@ public class PKIJNDIRealm extends JNDIRealm {
 if (isEntryNegative) {
 allowed = !allowed;
 }
-
- //ToDo:
- // Handle the more than one entry case.
- // What to do if one of them fails.
+
+ // Our current ACLs require that every entry passes for
+ // the entire ACL to pass.
+ // For some reason the original code allows the negative acls (deny)
+ // to be evaluated first or second based on configuration. Here, simply
+ // traverse the list as is.
+
+ if (!allowed) {
+ break;
+ }
 }
 return allowed;
-- cgit
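Review bot: With the added `if (!allowed) { break; }` the returned value becomes the AND of all entries, with deny entries inverted by `allowed = !allowed`, but the hunk does not show what `allowed` holds before the loop, so an ACL with no entries returns whatever it was initialised to; for an authorization decision that should be `false`. The new comment notes that the configured deny/allow evaluation order is ignored ("For some reason ...") without saying why that is safe. Under all-must-pass semantics the order cannot change the result, and the comment should state that, e.g. `// Result is the AND of all entries (deny entries inverted), so evaluation order does not affect it; an empty ACL must deny.` It is also worth confirming against the original code the comment refers to that a multi-entry ACL is really meant to require every entry to pass, since an ACL listing several allow entries would presumably now need the caller to satisfy all of them. The loop and the declaration of `allowed` lie outside the hunk.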