cxf-issues mailing list archives

From "Aki Yoshida (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-3655) Role based authorization not working with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with non-prefixed role names)
Date Thu, 14 Jul 2011 16:06:59 GMT
Role based authorization not working with DefaultSecurityContext (i.e., when using JAASLoginInterceptor
with non-prefixed role names)
-------------------------------------------------------------------------------------------------------------------------------------

                 Key: CXF-3655
                 URL: https://issues.apache.org/jira/browse/CXF-3655
             Project: CXF
          Issue Type: Bug
          Components: Core
    Affects Versions: 2.4.1
            Reporter: Aki Yoshida
            Assignee: Aki Yoshida
            Priority: Minor
             Fix For: 2.4.2, 2.5


org.apache.cxf.interceptor.security.DefaultSecurityContext's isUserInRole(String) is not working
with either jetty's or virgo's role configuration. This method assumes a role principal to have
the interface java.security.acl.Group.

However, both jetty and virgo represent role principals using their own principal classes,
org.eclipse.jetty.plus.jaas.JAASRole and org.eclipse.virgo.kernel.authentication.Role, respectively.

And these role classes do not implement java.security.acl.Group.

So, in order to check if the specified role matches the role-principals assigned to the current
context, the specified role must be compared against those principals set in the subject that
are not equal to the user principal.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
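
The role check described in the report, as an added example that is not part of the original message and is not CXF's own code. The class and method names are hypothetical, the principal types are constructed stand-ins for the container role classes, and Group is a local stand-in marker for java.security.acl.Group.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class RoleCheckDemo {
    // Stand-in marker for java.security.acl.Group, declared locally (assumption).
    interface Group extends Principal { }

    // Constructed principal types; like the container role classes, RolePrincipal is not a Group.
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Simplified model of a check that only recognises Group principals as roles.
    static boolean groupOnlyCheck(Subject subject, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group && p.getName().equals(role)) {
                return true;
            }
        }
        return false;
    }

    // Check described in the issue: match against every principal that is not the user principal.
    static boolean nonUserPrincipalCheck(Subject subject, Principal user, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (!p.equals(user) && p.getName().equals(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Principal user = new UserPrincipal("alice");
        Subject subject = new Subject();
        subject.getPrincipals().add(user);
        subject.getPrincipals().add(new RolePrincipal("manager"));

        System.out.println("Group-only, manager:         " + groupOnlyCheck(subject, "manager"));
        System.out.println("non-user principal, manager: " + nonUserPrincipalCheck(subject, user, "manager"));
        // The user's own name must not be accepted as a role, and unknown roles must be denied.
        System.out.println("non-user principal, alice:   " + nonUserPrincipalCheck(subject, user, "alice"));
        System.out.println("non-user principal, auditor: " + nonUserPrincipalCheck(subject, user, "auditor"));
    }
}
```

With this comparison every principal other than the user principal counts as a role name, so any additional principal a login module places in the subject is matched as a role.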

        
