Bug 46925

Summary: Nested groups in JNDI realm with non-recursive implementation
Product: Tomcat 6
Reporter: Stefan Zoerner <stefan>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: enhancement
CC: antoine
Priority: P2
Version: unspecified
Target Milestone: default
Hardware: All
OS: All
Attachments: Patch which replaced the recursive method with a while loop ("memberOf Algorithm")

Description Stefan Zoerner 2009-03-27 03:58:28 UTC
Created attachment 23420
Patch which replaced the recursive method with a while loop ("memberOf Algorithm")

I have modified the method getRoles in org.apache.catalina.realm.JNDIRealm in the trunk in order to use a while loop to detect nested groups (instead of the recursive method currently implemented there).

The algorithm is inspired by the article "Practices in Directory Groups" found here: http://middleware.internet2.edu/dir/groups/internet2-mace-dir-groups-best-practices-200210.htm 
It avoids group slurping and handles cyclic group memberships as well.

Find a patch attached.

Greetings from Amsterdam, Stefan
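
The iterative lookup described in the report above, shown as an added example; it is not the attached patch and not Tomcat's JNDIRealm code. The in-memory map stands in for an LDAP search by member value, DNs are compared as exact strings, and every DN, class and method name is constructed for illustration.

```java
import java.util.*;

public class NestedGroupResolver {
    // Constructed sample data: group DN -> values of its member attribute.
    static final Map<String, List<String>> GROUPS = new LinkedHashMap<>();
    static {
        GROUPS.put("cn=developers,ou=groups", List.of("uid=alice,ou=people", "cn=admins,ou=groups"));
        GROUPS.put("cn=staff,ou=groups", List.of("cn=developers,ou=groups"));
        GROUPS.put("cn=admins,ou=groups", List.of("cn=staff,ou=groups")); // closes a cycle
        GROUPS.put("cn=finance,ou=groups", List.of("uid=bob,ou=people"));
    }

    // Stand-in for one LDAP search with a filter such as (member=<dn>):
    // only the DNs of matching groups come back, never their member lists.
    static List<String> groupsContaining(String memberDn) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : GROUPS.entrySet()) {
            if (e.getValue().contains(memberDn)) hits.add(e.getKey());
        }
        return hits;
    }

    // Iterative resolution: each group DN is queued at most once, so a cyclic
    // membership chain cannot keep the loop running.
    static Set<String> resolveGroups(String userDn) {
        Set<String> found = new LinkedHashSet<>(groupsContaining(userDn));
        Deque<String> pending = new ArrayDeque<>(found);
        while (!pending.isEmpty()) {
            String group = pending.poll();
            for (String parent : groupsContaining(group)) {
                if (found.add(parent)) pending.add(parent);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        System.out.println("alice: " + resolveGroups("uid=alice,ou=people"));
        System.out.println("bob:   " + resolveGroups("uid=bob,ou=people"));
    }
}
```
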
Comment 1 Rainer Jung 2009-04-27 11:57:02 UTC
Applied to trunk as r769102, thanks for the patch.

I consider proposing backporting most of the JNDIRealm improvements to TC 6 after intensive testing.
Comment 2 Mark Thomas 2010-03-10 14:11:42 UTC
This improvement was added to 6.0.x in 6.0.21 onwards.
Comment 3 Konstantin Kolinko 2010-03-11 13:09:57 UTC
*** Bug 40218 has been marked as a duplicate of this bug. ***