0 Replies Latest reply on Nov 14, 2014 5:12 AM by sbiermann

    Picketlink 2.7.0.CR2: Bug in RolePathAuthorizer when using multiple roles for a path

    sbiermann

      Hi,

I have a problem when I try to allow multiple roles access to a URL of my application.

       

I have defined the path and both roles which should have access to the path.

       

          public void onInit(@Observes SecurityConfigurationEvent event) {
              SecurityConfigurationBuilder builder = event.getBuilder();
              builder
                  .http()
                      .forPath("/web/*")
                          .authorizeWith()
                              .role(ADMIN_ROLE_NAME, USER_ROLE_NAME)
                          .authenticateWith()
                              .form()
                                  .loginPage("/login")
                  .build();
          }

       

If only one role is added in .role(...) it works perfectly, but if I add two or more roles it doesn't work. After debugging I found the problem in the RolePathAuthorizer file. The following shows the method in that file.

       

          @Override
          protected boolean doAuthorize(PathConfiguration pathConfiguration, HttpServletRequest request, HttpServletResponse response) {
              AuthorizationConfiguration authorizationConfiguration = pathConfiguration.getAuthorizationConfiguration();
              String[] allowedRoles = authorizationConfiguration.getAllowedRoles();
      
      
              if (allowedRoles != null) {
                  Identity identity = getIdentity();
      
      
                  for (String roneName : allowedRoles) {
                      if (!hasRole(identity, this.partitionManager, roneName)) {
                          return false;
                      }
                  }
              }
      
      
              return true;
          }

       

       

Line 12, the `if (!hasRole(...))` check, is IMHO wrong, because if you have 2 roles and the user matches only the 2nd role, the check returns false for the first role and the 2nd role, which matches for the user, is never checked.

       

I think inverting the if clause and returning false at the end of the method would solve the problem.

       

Is this a bug or have I missed something in the configuration?
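The two loop shapes discussed in the post, side by side, as an added stand-alone example (this is not PicketLink code and not code from the post; `grantedRoles` is an in-memory set standing in for PicketLink's `hasRole(identity, partitionManager, roleName)` lookup, and the role names and users are constructed for the demo). `authorizeAllRoles` reproduces the quoted 2.7.0.CR2 logic, where every configured role must be held (AND); `authorizeAnyRole` is the inverted loop that returns `false` at the end (OR), which is what `.role(ADMIN_ROLE_NAME, USER_ROLE_NAME)` reads as:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not PicketLink's RolePathAuthorizer. The granted-role set is an
 * assumption standing in for hasRole(identity, partitionManager, roleName).
 */
public class RolePathAuthorizerDemo {

    static final String ADMIN_ROLE_NAME = "admin";
    static final String USER_ROLE_NAME = "user";

    /** Stand-in for PicketLink's hasRole(identity, partitionManager, roleName). */
    static boolean hasRole(Set<String> grantedRoles, String roleName) {
        return grantedRoles.contains(roleName);
    }

    /** Same shape as the quoted 2.7.0.CR2 loop: the user must hold EVERY allowed role. */
    static boolean authorizeAllRoles(Set<String> grantedRoles, String[] allowedRoles) {
        if (allowedRoles != null) {
            for (String roleName : allowedRoles) {
                if (!hasRole(grantedRoles, roleName)) {
                    return false;   // first missing role denies, later roles never checked
                }
            }
        }
        return true;
    }

    /** Inverted loop: the user must hold AT LEAST ONE allowed role. */
    static boolean authorizeAnyRole(Set<String> grantedRoles, String[] allowedRoles) {
        if (allowedRoles == null) {
            return true;            // no role restriction configured: keep original behaviour
        }
        for (String roleName : allowedRoles) {
            if (hasRole(grantedRoles, roleName)) {
                return true;        // one match is enough
            }
        }
        return false;               // nothing matched (also denies an empty role array)
    }

    static Set<String> roles(String... names) {
        return new HashSet<>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        // Constructed demo data: the path is configured with both roles, as in the post.
        String[] allowedRoles = { ADMIN_ROLE_NAME, USER_ROLE_NAME };

        Set<String> adminOnly = roles(ADMIN_ROLE_NAME);
        Set<String> userOnly = roles(USER_ROLE_NAME);
        Set<String> both = roles(ADMIN_ROLE_NAME, USER_ROLE_NAME);
        Set<String> neither = roles("guest");

        System.out.println("user roles      | all-roles (CR2) | any-role (fixed)");
        print("admin only ", authorizeAllRoles(adminOnly, allowedRoles), authorizeAnyRole(adminOnly, allowedRoles));
        print("user only  ", authorizeAllRoles(userOnly, allowedRoles), authorizeAnyRole(userOnly, allowedRoles));
        print("admin+user ", authorizeAllRoles(both, allowedRoles), authorizeAnyRole(both, allowedRoles));
        print("guest      ", authorizeAllRoles(neither, allowedRoles), authorizeAnyRole(neither, allowedRoles));

        // The behaviour the post describes: only a user holding both roles passes the CR2 loop.
        if (authorizeAllRoles(userOnly, allowedRoles) || !authorizeAnyRole(userOnly, allowedRoles)) {
            throw new AssertionError("unexpected outcome for user-only identity");
        }
    }

    static void print(String label, boolean all, boolean any) {
        System.out.printf("%s | %-15s | %s%n", label, all, any);
    }
}
```

Two details are worth keeping in mind when applying the inversion literally. Returning `false` at the very end of the original method would also deny access whenever `getAllowedRoles()` returns `null`, so the example keeps the `null` case separate and preserves the original "no restriction" behaviour there. With the inverted loop an empty role array now denies everyone instead of allowing everyone, which is the fail-closed direction and is usually what you want for an authorizer.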