Ensure RealmBase finds all matching extension based constraints

markt-asf · markt-asf · commit db919ff9912b · 2026-05-01T14:55:31.000+01:00
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
@@ -666,8 +666,6 @@ public SecurityConstraint[] findSecurityConstraints(Request request, Context con
                         constraints[i].included(uri, method));
             }
 
-            boolean matched = false;
-            int pos = -1;
             for (int j = 0; j < collection.length; j++) {
                 String[] patterns = collection[j].findPatterns();
 
@@ -677,6 +675,7 @@ public SecurityConstraint[] findSecurityConstraints(Request request, Context con
                     continue;
                 }
 
+                boolean matched = false;
                 for (int k = 0; k < patterns.length && !matched; k++) {
                     String pattern = patterns[k];
                     if (pattern.startsWith("*.")) {
@@ -686,19 +685,18 @@ public SecurityConstraint[] findSecurityConstraints(Request request, Context con
                                 uri.length() - dot == pattern.length() - 1) {
                             if (pattern.regionMatches(1, uri, dot, uri.length() - dot)) {
                                 matched = true;
-                                pos = j;
                             }
                         }
                     }
                 }
-            }
-            if (matched) {
-                found = true;
-                if (collection[pos].findMethod(method)) {
-                    if (results == null) {
-                        results = new ArrayList<>();
+                if (matched) {
+                    found = true;
+                    if (collection[j].findMethod(method)) {
+                        if (results == null) {
+                            results = new ArrayList<>();
+                        }
+                        results.add(constraints[i]);
                     }
-                    results.add(constraints[i]);
                 }
             }
         }
diff --git a/test/org/apache/catalina/realm/TestRealmBase.java b/test/org/apache/catalina/realm/TestRealmBase.java
@@ -790,4 +790,86 @@ public void testHttpConstraint() throws IOException {
         Assert.assertFalse(mapRealm.hasResourcePermission(
                 request, response, constraintsDelete, null));
     }
+
+
+    @Test
+    public void testUncoveredMethods() throws IOException {
+        // Create a constraint for ROLE1
+        SecurityConstraint constraint = new SecurityConstraint();
+        constraint.addAuthRole(ROLE1);
+        // Add a collection for GET
+        SecurityCollection getCollection = new SecurityCollection();
+        getCollection.addMethod(Method.GET);
+        getCollection.addPatternDecoded("*.html");
+        constraint.addCollection(getCollection);
+        // Add a collection for POST
+        SecurityCollection postCollection = new SecurityCollection();
+        postCollection.addMethod(Method.POST);
+        postCollection.addPatternDecoded("*.html");
+        constraint.addCollection(postCollection);
+
+        TesterMapRealm mapRealm = new TesterMapRealm();
+
+        // Set up the mock request and response
+        TesterRequest request = new TesterRequest();
+        Response response = new TesterResponse();
+        Context context = request.getContext();
+        context.addSecurityRole(ROLE1);
+        context.addSecurityRole(ROLE2);
+        request.getMappingData().context = context;
+
+        // Create the principals
+        List<String> userRoles1 = new ArrayList<>();
+        userRoles1.add(ROLE1);
+        GenericPrincipal gp1 = new GenericPrincipal(USER1, userRoles1);
+
+        List<String> userRoles2 = new ArrayList<>();
+        userRoles2.add(ROLE2);
+        GenericPrincipal gp2 = new GenericPrincipal(USER2, userRoles2);
+
+        List<String> userRoles99 = new ArrayList<>();
+        GenericPrincipal gp99 = new GenericPrincipal(USER99, userRoles99);
+
+        // Add the constraint to the context
+        context.addConstraint(constraint);
+
+
+        // Only user1 should be able to perform a GET
+        request.setMethod(Method.GET);
+
+        SecurityConstraint[] constraintsGet =
+                mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+        request.setUserPrincipal(gp99);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+
+        // Only user1 should be able to perform a POST
+        request.setMethod(Method.POST);
+
+        SecurityConstraint[] constraintsPost =
+                mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+        request.setUserPrincipal(gp99);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+    }
 }
diff --git a/test/org/apache/tomcat/unittest/TesterRequest.java b/test/org/apache/tomcat/unittest/TesterRequest.java
@@ -31,6 +31,7 @@
 import org.apache.catalina.Context;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.session.StandardSession;
+import org.apache.tomcat.util.buf.MessageBytes;
 
 public class TesterRequest extends Request {
 
@@ -81,6 +82,15 @@ public String getRequestURI() {
         return "/level1/level2/foo.html";
     }
 
+
+    @Override
+    public MessageBytes getRequestPathMB() {
+        MessageBytes result = MessageBytes.newInstance();
+        result.setString(getRequestURI());
+        return result;
+    }
+
+
     @Override
     public String getDecodedRequestURI() {
         // Decoding not required
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -172,6 +172,10 @@
       <fix>
         Correct the handling of invalid users with DIGEST authentication. (markt)
       </fix>
+      <fix>
+        Ensure <code>RealmBase</code> finds all matching extension based
+        security constraints. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

Original file line number	Diff line number	Diff line change
`@@ -666,8 +666,6 @@ public SecurityConstraint[] findSecurityConstraints(Request request, Context con`
`666`	`666`	`constraints[i].included(uri, method));`
`667`	`667`	`}`
`668`	`668`
`669`		`- boolean matched = false;`
`670`		`- int pos = -1;`
`671`	`669`	`for (int j = 0; j < collection.length; j++) {`
`672`	`670`	`String[] patterns = collection[j].findPatterns();`
`673`	`671`
`@@ -677,6 +675,7 @@ public SecurityConstraint[] findSecurityConstraints(Request request, Context con`
`677`	`675`	`continue;`
`678`	`676`	`}`
`679`	`677`
	`678`	`+ boolean matched = false;`
`680`	`679`	`for (int k = 0; k < patterns.length && !matched; k++) {`
`681`	`680`	`String pattern = patterns[k];`
`682`	`681`	`if (pattern.startsWith("*.")) {`
`@@ -686,19 +685,18 @@ public SecurityConstraint[] findSecurityConstraints(Request request, Context con`
`686`	`685`	`uri.length() - dot == pattern.length() - 1) {`
`687`	`686`	`if (pattern.regionMatches(1, uri, dot, uri.length() - dot)) {`
`688`	`687`	`matched = true;`
`689`		`- pos = j;`
`690`	`688`	`}`
`691`	`689`	`}`
`692`	`690`	`}`
`693`	`691`	`}`
`694`		`- }`
`695`		`- if (matched) {`
`696`		`- found = true;`
`697`		`- if (collection[pos].findMethod(method)) {`
`698`		`- if (results == null) {`
`699`		`- results = new ArrayList<>();`
	`692`	`+ if (matched) {`
	`693`	`+ found = true;`
	`694`	`+ if (collection[j].findMethod(method)) {`
	`695`	`+ if (results == null) {`
	`696`	`+ results = new ArrayList<>();`
	`697`	`+ }`
	`698`	`+ results.add(constraints[i]);`
`700`	`699`	`}`
`701`		`- results.add(constraints[i]);`
`702`	`700`	`}`
`703`	`701`	`}`
`704`	`702`	`}`