Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/Glacier2/ProxyVerifier.cpp83
-rw-r--r--cpp/src/Glacier2/ProxyVerifier.h1
-rw-r--r--cpp/src/Ice/PropertyNames.cpp3
-rw-r--r--cpp/src/Ice/PropertyNames.h2
4 files changed, 59 insertions, 30 deletions
diff --git a/cpp/src/Glacier2/ProxyVerifier.cpp b/cpp/src/Glacier2/ProxyVerifier.cpp
index 5f14e855b9c..8028448ff10 100644
--- a/cpp/src/Glacier2/ProxyVerifier.cpp
+++ b/cpp/src/Glacier2/ProxyVerifier.cpp
@@ -26,6 +26,21 @@ using namespace Ice;
//
namespace Glacier2
{
+//
+// Helper function for checking a rule set.
+//
+static bool
+match(const vector<ProxyRule*>& rules, const ObjectPrx& proxy)
+{
+ for(vector<ProxyRule*>::const_iterator i = rules.begin(); i != rules.end(); ++i)
+ {
+ if((*i)->check(proxy))
+ {
+ return true;
+ }
+ }
+ return false;
+}
//
// RegexRule returns true if the proxy matches the configured regular
@@ -152,6 +167,8 @@ Glacier2::ProxyVerifier::ProxyVerifier(const CommunicatorPtr& communicator, cons
{
_rejectRules.push_back(new MaxEndpointsRule(communicator, s, _traceLevel));
}
+ _rejectOverrides =
+ communicator->getProperties()->getPropertyAsIntWithDefault("Glacier2.Filter.Regex.Order", 0) == 0;
}
Glacier2::ProxyVerifier::~ProxyVerifier()
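Review bot: The `== 0` test on `Glacier2.Filter.Regex.Order` means any non-zero value, including a mistyped or out-of-range one, silently selects the more permissive mode in which accept rules override reject rules. It would fail closed if only the documented value enabled that mode, e.g. `_rejectOverrides = communicator->getProperties()->getPropertyAsIntWithDefault("Glacier2.Filter.Regex.Order", 0) != 1;`, ideally with a warning for values other than 0 and 1 and a trace line stating the effective order. Note also that the default of 0 is not the behaviour of the code removed from verify(): with both rule sets configured, a proxy matching neither used to be accepted and is now rejected, so existing deployments change their filtering decisions on upgrade unless they set the property. The constructor body begins outside this hunk.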
@@ -184,51 +201,61 @@ Glacier2::ProxyVerifier::verify(const ObjectPrx& proxy)
//
// If there are no reject rules, we assume "reject all".
//
- bool matched = false;
- for(vector<ProxyRule*>::const_iterator i = _acceptRules.begin(); i != _acceptRules.end() && !matched; ++i)
- {
- matched = (*i)->check(proxy);
- }
- result = matched;
+ result = match(_acceptRules, proxy);
}
else if(_acceptRules.size() == 0)
{
//
// If no accept rules are defined we assume accept all.
//
- bool matched = false;
- for(vector<ProxyRule*>::const_iterator i = _rejectRules.begin(); i != _rejectRules.end() && !matched; ++i)
- {
- matched = (*i)->check(proxy);
- }
- result = !matched;
+ result = !match(_rejectRules, proxy);
}
else
{
//
- // Reject first, then accept.
+ // _rejectOverrides indicates that any accept rules can be
+ // overriden by a reject rule. This allows the user to refine
+ // the allow filter's without having to specify exclusions in
+ // the accept filter's regular expression. Conversely if
+ // rejectOverrides is not set then accept rules are allowed to
+ // override any reject rules that match.
//
- bool matched = false;
- for(vector<ProxyRule*>::const_iterator i = _rejectRules.begin(); i != _rejectRules.end() && !matched; ++i)
- {
- matched = (*i)->check(proxy);
- }
-
- if(!matched)
+ // Note that there is implicit additional meaning in the
+ // _rejectOverrides. If true, then the overall evaluation
+ // context is 'default reject'. Otherwise there would be no
+ // point in considering the allow filters and we might as well
+ // just check the reject filters. Conversely, if false then
+ // overall context is 'default accept'. Otherwise the accept
+ // filters would be meaningless, only the reject filters would
+ // matter.
+ //
+ if(_rejectOverrides)
{
+ result = match(_acceptRules, proxy);
+
//
- // The proxy wasn't rejected, so there isn't any point in
- // running the accept rules.
+ // In this context we are default reject, there is no point
+ // of running the reject filters if there is no accept
+ // match.
//
- return true;
+ if(result)
+ {
+ result = !match(_rejectRules, proxy);
+ }
}
-
- matched = false;
- for(vector<ProxyRule*>::const_iterator j = _acceptRules.begin(); j != _acceptRules.end() && !matched; ++j)
+ else
{
- matched = (*j)->check(proxy);
+ //
+ // In this context we are default accept, there is not point
+ // of running the accept filters if there is no rejection
+ // match.
+ //
+ result = !match(_rejectRules, proxy);
+ if(!result)
+ {
+ result = match(_acceptRules, proxy);
+ }
}
- result = matched;
}
//
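Review bot: In the `else` branch taken when `_rejectOverrides` is false, a proxy that a reject rule flagged is still accepted as soon as any accept rule matches, and `_rejectRules` holds more than regular expressions: the constructor context shows a `MaxEndpointsRule` being pushed onto it. An accept regex can therefore override the endpoint-count limit (and presumably any other size limit stored in the same vector), which turns a resource bound into something a matching proxy string can bypass. If the limits are meant to be hard, they should be kept in a rule list of their own that is checked unconditionally before the accept/reject ordering is applied, and the comment block should state which rule kinds the order setting governs. Minor wording in the new comments: "overriden", "allow filter's" and "there is not point" should read "overridden", "allow filters" and "there is no point". verify() begins and ends outside this hunk.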
diff --git a/cpp/src/Glacier2/ProxyVerifier.h b/cpp/src/Glacier2/ProxyVerifier.h
index a7e1e73b97d..5045ec7a5e6 100644
--- a/cpp/src/Glacier2/ProxyVerifier.h
+++ b/cpp/src/Glacier2/ProxyVerifier.h
@@ -50,6 +50,7 @@ private:
std::vector<ProxyRule*> _acceptRules;
std::vector<ProxyRule*> _rejectRules;
+ bool _rejectOverrides;
};
}
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
index 2d83f60a053..6916ca4d50f 100644
--- a/cpp/src/Ice/PropertyNames.cpp
+++ b/cpp/src/Ice/PropertyNames.cpp
@@ -7,7 +7,7 @@
//
// **********************************************************************
-// Generated by makeprops.py from file `../config/PropertyNames.def', Mon May 1 12:13:27 2006
+// Generated by makeprops.py from file `../config/PropertyNames.def', Tue May 2 10:18:08 2006
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -283,6 +283,7 @@ const char* IceInternal::PropertyNames::Glacier2Props[] =
"Glacier2.Client.Trace.Request",
"Glacier2.Filter.Regex.Reject",
"Glacier2.Filter.Regex.Accept",
+ "Glacier2.Filter.Regex.Order",
"Glacier2.Filter.MaxProxyLength",
"Glacier2.CryptPasswords",
"Glacier2.InstanceName",
diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
index 759eae8835f..4d4c707ae4e 100644
--- a/cpp/src/Ice/PropertyNames.h
+++ b/cpp/src/Ice/PropertyNames.h
@@ -7,7 +7,7 @@
//
// **********************************************************************
-// Generated by makeprops.py from file `../config/PropertyNames.def', Mon May 1 12:13:27 2006
+// Generated by makeprops.py from file `../config/PropertyNames.def', Tue May 2 10:18:08 2006
// IMPORTANT: Do not edit this file -- any edits made here will be lost!