Hi,
I have a problem when I try to add multiple roles that grant access to a URL of my application.
I have defined the path and both roles which should have access to the path.
    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                .forPath("/web/*")
                    .authorizeWith()
                        .role(ADMIN_ROLE_NAME, USER_ROLE_NAME)
                    .authenticateWith()
                        .form()
                            .loginPage("/login")
            .build();
    }
If only one role is added in .role(...) it works perfectly, but if I add two or more roles it doesn't work. After debugging I found the problem in the RolePathAuthorizer file. The following shows the method in that file.
    @Override
    protected boolean doAuthorize(PathConfiguration pathConfiguration, HttpServletRequest request, HttpServletResponse response) {
        AuthorizationConfiguration authorizationConfiguration = pathConfiguration.getAuthorizationConfiguration();
        String[] allowedRoles = authorizationConfiguration.getAllowedRoles();

        if (allowedRoles != null) {
            Identity identity = getIdentity();

            for (String roneName : allowedRoles) {
                if (!hasRole(identity, this.partitionManager, roneName)) {
                    return false;
                }
            }
        }

        return true;
    }
Line 12 is IMHO wrong, because if you have 2 roles and the user matches only the 2nd role, the check returns false for the first role and the 2nd role, which matches the user, is never checked.
I think inverting the if clause and returning false at the end of the method would solve the problem.
Is this a bug or have I missed something in the configuration?
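To make the difference between the two loop shapes concrete, here is an added stand-alone example (not PicketLink code and not part of the original post). It replaces Identity and hasRole(...) with a plain set of role names held by the user, and puts the loop as posted (every configured role must be held) next to an "any one role suffices" version. The second version deliberately keeps the null case meaning "no role restriction configured" so that only the matching logic changes, and it treats an empty role list as deny, because no user can satisfy an empty list and falling through to "allow" would silently open the path.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: a user is modelled as the set of role names they hold.
// userRoles and allowedRoles are constructed sample data, not values from a real deployment.
public class RoleCheckExample {

    /** The loop as posted: every configured role must be held (ALL semantics).
     *  The first role the user lacks returns false, so later roles are never examined. */
    static boolean authorizeRequiringAllRoles(Set<String> userRoles, String[] allowedRoles) {
        if (allowedRoles != null) {
            for (String roleName : allowedRoles) {
                if (!userRoles.contains(roleName)) {
                    return false;
                }
            }
        }
        return true;
    }

    /** Holding any one configured role grants access (ANY semantics), which is what
     *  role(ADMIN_ROLE_NAME, USER_ROLE_NAME) reads as. A null list still means
     *  "no role restriction", as in the posted code; an empty list denies everyone. */
    static boolean authorizeRequiringAnyRole(Set<String> userRoles, String[] allowedRoles) {
        if (allowedRoles == null) {
            return true;
        }
        for (String roleName : allowedRoles) {
            if (userRoles.contains(roleName)) {
                return true;
            }
        }
        // Reached only when no configured role matched, including the empty-list case.
        return false;
    }

    public static void main(String[] args) {
        String[] allowed = {"admin", "user"};
        Set<String> userOnly = new HashSet<>(Arrays.asList("user"));
        Set<String> both = new HashSet<>(Arrays.asList("admin", "user"));
        Set<String> none = new HashSet<>();

        System.out.println("ALL, user only  : " + authorizeRequiringAllRoles(userOnly, allowed));
        System.out.println("ALL, both roles : " + authorizeRequiringAllRoles(both, allowed));
        System.out.println("ANY, user only  : " + authorizeRequiringAnyRole(userOnly, allowed));
        System.out.println("ANY, no roles   : " + authorizeRequiringAnyRole(none, allowed));
        System.out.println("ANY, empty list : " + authorizeRequiringAnyRole(both, new String[0]));
        System.out.println("ANY, null list  : " + authorizeRequiringAnyRole(none, null));
    }
}
```

Running main shows the symptom from the post: a user holding only the "user" role is denied by the ALL version but admitted by the ANY version, while a user with no roles is denied by both. The two edge cases at the end are the ones worth checking when changing the loop: a plain "invert the if and return false at the end" rewrite would also turn the null (unrestricted) case into a deny, whereas the ANY version above keeps that branch as it was and only denies on an empty list.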