In theory this method seems to attempt to check if a run-as principal was set by preSetRunAsIdentity() (based on the indirect assumption that if the servlet in the given invocation has a run-as this must've been the case). If so, it retrieves the oldSecurityContext from the invocation object and set it in the SecurityContext.
The problem is that the invocation object is not the same object as was passed in to preSetRunAsIdentity() so it will never contain the right info - see bug 4757733.
In practice it means this method only ever sets the SecurityContext to null (if run-as matched) or does nothing. In particular note the implication that it will be set to null after a run-as invocation completes. This behavior will be retained for the time being for consistency with RI. It must be fixed later. @param inv The invocation object to process.
|
|