// Which user principal have we already authenticated?
// HttpServletRequest.getUserPrincipal() returns null when the request has no
// authenticated user, so `principal` may be null from here on.
// NOTE(review): the loop that follows returns true as soon as one constraint
// reports getAllRoles(), without consulting `principal` and without looking
// at the remaining constraints. Presumably the caller has already enforced
// authentication before this point -- confirm.
Principal principal =
((HttpServletRequest) request.getRequest()).getUserPrincipal();
for(int i=0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String roles[] = constraint.findAuthRoles();
if (roles == null)
roles = new String[0];
if (constraint.getAllRoles())
return (true);
if (log.isDebugEnabled())
log.debug(" Checking roles " + principal);
if (roles.length == 0) {
if(constraint.getAuthConstraint()) {
((HttpServletResponse) response.getResponse()).sendError
(HttpServletResponse.SC_FORBIDDEN,
sm.getString("realmBase.forbidden"));
if( log.isDebugEnabled() ) log.debug("No roles ");
return (false); // No listed roles means no access at all