From d8a429b0ca90235e5f29631e489458dea3563dea Mon Sep 17 00:00:00 2001
From: markt
Date: Tue, 22 Feb 2011 11:08:42 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
Add an option to the JNDI realm to allow role searches to be performed by the
authenticated user.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1073296 13f79535-47bb-0310-9956-ffa450edef68
---
java/org/apache/catalina/realm/JNDIRealm.java | 23 ++++++++++++++++++++---
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/realm.xml | 8 ++++++++
3 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index de37672dd..cc2974beb 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -365,7 +365,14 @@ public class JNDIRealm extends RealmBase {
*/
protected boolean roleNested = false;
-
+ /**
+ * When searching for user roles, should the search be performed as the user
+ * currently being authenticated? If false, {@link #connectionName} and
+ * {@link #connectionPassword} will be used if specified, else an anonymous
+ * connection will be used.
+ */
+ protected boolean roleSearchAsUser = false;
+
/**
* An alternate URL, to which, we should connect if connectionURL fails.
*/
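Review bot: The new `roleSearchAsUser` field has no accessor in this commit, while the realm.xml hunk documents it as a configurable attribute; the diffstat's 20 additions in JNDIRealm.java are all in this hunk and the one at line 1699, so unless a getter/setter already exists elsewhere in the class, Digester-based configuration from server.xml cannot set it. Add the usual pair next to the other properties: `public boolean isRoleSearchAsUser() { return roleSearchAsUser; }` and `public void setRoleSearchAsUser(boolean roleSearchAsUser) { this.roleSearchAsUser = roleSearchAsUser; }`. The Javadoc could also state the default explicitly, e.g. appending `Defaults to {@code false}.`, matching the config documentation.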
@@ -1692,8 +1699,18 @@ public class JNDIRealm extends RealmBase {
controls.setReturningAttributes(new String[] {roleName});
// Perform the configured search and process the results
- NamingEnumeration results =
- context.search(roleBase, filter, controls);
+ NamingEnumeration results = null;
+ try {
+ if (roleSearchAsUser) {
+ userCredentialsAdd(context, dn, user.getPassword());
+ }
+ results = context.search(roleBase, filter, controls);
+ } finally {
+ if (roleSearchAsUser) {
+ userCredentialsRemove(context);
+ }
+ }
+
if (results == null)
return (list); // Should never happen, but just in case ...
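Review bot: `userCredentialsRemove(context)` runs in the `finally` before `results` is consumed, and the rest of the method (outside this hunk) enumerates `results`; whether the LDAP provider fetches search results lazily over a connection whose environment was just rebound is not visible here, so either confirm enumeration is unaffected or defer the credential removal until after the results have been processed (the enclosing `getRoles` starts and ends outside the hunk). Separately, `user.getPassword()` is passed straight to `userCredentialsAdd`; if the `User` can be built without a stored password (for example when authentication is done by binding rather than by comparing a password attribute — not visible in this hunk), the role search would proceed with null credentials, so guard it or fail explicitly: `if (roleSearchAsUser && user.getPassword() != null)`, with a log line for the null case. A comment on the `try` would help readers, e.g. `// Run the role search under the authenticated user's own credentials; restored in finally`.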
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2f8cab023..6a39b3154 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -45,6 +45,10 @@
+
+ 19444: Add an option to the JNDI realm to allow role searches
+ to be performed by the authenticated user. (markt)
+
48863: Better logging when specifying an invalid directory
for a class loader. Based on a patch by Ralf Hauser. (markt)
diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml
index 0aa1c034a..bd6d6a205 100644
--- a/webapps/docs/config/realm.xml
+++ b/webapps/docs/config/realm.xml
@@ -412,6 +412,14 @@
property.
+
+ When searching for user roles, should the search be performed as the
+ user currently being authenticated? If false,
+ connectionName} and connectionPassword will be
+ used if specified, else an anonymous. If not specified, the default
+ value of false is used.
+
+
Set to true if you want to search the entire
subtree of the element specified by the roleBase
--
2.11.0