From 9b88073e5deab1ea24f59ba525b6234581026aca Mon Sep 17 00:00:00 2001
From: markt
Date: Mon, 8 Mar 2010 17:59:51 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48629
Make nested role search work with username as well as DN Add roleNested to
the docs Patch provided by Felix Schumacher
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@920422 13f79535-47bb-0310-9956-ffa450edef68
---
java/org/apache/catalina/realm/JNDIRealm.java | 16 +++++++++-------
webapps/docs/realm-howto.xml | 6 ++++++
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index d4f26af63..2fed70979 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -30,7 +30,9 @@ import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
+import java.util.Map;
import java.util.Set;
+import java.util.Map.Entry;
import javax.naming.Context;
import javax.naming.CommunicationException;
@@ -1683,12 +1685,12 @@ public class JNDIRealm extends RealmBase {
// Directory Groups". It avoids group slurping and handles cyclic group memberships as well.
// See http://middleware.internet2.edu/dir/ for details
- Set newGroupDNs = new HashSet(groupMap.keySet());
- while (!newGroupDNs.isEmpty()) {
- Set newThisRound = new HashSet(); // Stores the groups we find in this iteration
+ Map newGroups = new HashMap(groupMap);
+ while (!newGroups.isEmpty()) {
+ Map newThisRound = new HashMap(); // Stores the groups we find in this iteration
- for (String groupDN : newGroupDNs) {
- filter = roleFormat.format(new String[] { groupDN });
+ for (Entry group : newGroups.entrySet()) {
+ filter = roleFormat.format(new String[] { group.getKey(), group.getValue() });
if (containerLog.isTraceEnabled()) {
containerLog.trace("Perform a nested group search with base "+ roleBase + " and filter " + filter);
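Review bot: The two values now substituted into the nested-role filter, `group.getKey()` and `group.getValue()`, are a DN and a role name read back from the directory (see `groupMap.put(dname, name)` in the next hunk), and nothing in this hunk escapes them before `roleFormat.format(...)`. A value containing LDAP filter metacharacters (`(`, `)`, `*`, `\`) would change the meaning of the search or make it fail, so unless escaping already happens outside the visible lines, both arguments should be escaped per RFC 4515 first, e.g. `filter = roleFormat.format(new String[] { escapeFilterValue(group.getKey()), escapeFilterValue(group.getValue()) });`, where `escapeFilterValue` is a placeholder name for such a helper. The same `filter` string is written to the trace log, so the escaped form is also the safer one to log. A short comment above the loop, such as `// {0} = group DN, {1} = group's roleName value`, would document the new second placeholder; the loop body continues outside the hunk.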
@@ -1706,7 +1708,7 @@ public class JNDIRealm extends RealmBase {
String name = getAttributeValue(roleName, attrs);
if (name != null && dname != null && !groupMap.keySet().contains(dname)) {
groupMap.put(dname, name);
- newThisRound.add(dname);
+ newThisRound.put(dname, name);
if (containerLog.isTraceEnabled()) {
containerLog.trace(" Found nested role " + dname + " -> " + name);
@@ -1720,7 +1722,7 @@ public class JNDIRealm extends RealmBase {
}
}
- newGroupDNs = newThisRound;
+ newGroups = newThisRound;
}
}
diff --git a/webapps/docs/realm-howto.xml b/webapps/docs/realm-howto.xml
index 44e0999ae..710895ebb 100644
--- a/webapps/docs/realm-howto.xml
+++ b/webapps/docs/realm-howto.xml
@@ -651,6 +651,12 @@ find the names of roles associated with the authenticated user:
roleName - the attribute in a role entry
containing the name of that role.
+roleNested - enable nested roles. Set to
+ true if you want to nest roles in roles. If configured
+ every newly found roleName and distinguished
+ Name will be recursively tried for a new role search.
+ The default value is false.
+
--
2.11.0