https://issues.apache.org/bugzilla/show_bug.cgi?id=44529
authormarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 29 Mar 2008 14:48:24 +0000 (14:48 +0000)
committermarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 29 Mar 2008 14:48:24 +0000 (14:48 +0000)
No roles (deny all) trumps no auth-constraint (allow all)

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@642542 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/realm/RealmBase.java

index 39c01ef..603e81b 100644 (file)
@@ -776,17 +776,16 @@ public abstract class RealmBase
                         log.debug("No roles ");
                     status = false; // No listed roles means no access at all
                     denyfromall = true;
+                    break;
                 } else {
                     if(log.isDebugEnabled())
                         log.debug("Passing all access");
-                    return (true);
+                    status = true;
                 }
             } else if (principal == null) {
                 if (log.isDebugEnabled())
                     log.debug("  No user authenticated, cannot grant access");
-                status = false;
-            } else if(!denyfromall) {
-
+            } else {
                 for (int j = 0; j < roles.length; j++) {
                     if (hasRole(principal, roles[j]))
                         status = true;
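Review bot: The `principal == null` branch is now log-only, so its message "No user authenticated, cannot grant access" can be written for a request that an earlier constraint without an auth-constraint has already set to `status = true`, which misleads anyone reading the debug log to reconstruct an access decision. Consider rewording it to `log.debug("  No user authenticated, this constraint grants nothing");`. The precedence rule from the commit title is also not stated in the visible code, so a comment above the new `break` would help, for example `// deny-all overrides any grant from an earlier constraint; stop evaluating`. The enclosing loop and method begin and end outside this hunk.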
@@ -796,7 +795,8 @@ public abstract class RealmBase
             }
         }
 
-        if (allRolesMode != AllRolesMode.STRICT_MODE && !status && principal != null) {
+        if (!denyfromall && allRolesMode != AllRolesMode.STRICT_MODE &&
+                !status && principal != null) {
             if (log.isDebugEnabled()) {
                 log.debug("Checking for all roles mode: " + allRolesMode);
             }
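Review bot: The new `!denyfromall` guard is the only thing that stops the all-roles fallback from re-granting access after an empty auth-constraint, yet nothing at this `if` says so. A one-line comment above it, such as `// Deny-all from an empty auth-constraint must never be relaxed by allRolesMode`, would keep the guard from being dropped in a later cleanup of the condition. The page shows no test change; a regression test with an authenticated principal, a non-strict `allRolesMode` and a constraint carrying an empty auth-constraint would pin the behaviour. The body of the `if` continues outside the hunk.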