Date: Thu, 14 Jul 2011 16:06:59 +0000 (UTC)
From: "Aki Yoshida (JIRA)"
To: issues@cxf.apache.org
Subject: [jira] [Created] (CXF-3655) Role based authorization not working with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with non-prefixed role names)

Role based authorization not working with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with non-prefixed role names)
-------------------------------------------------------------------------------------------------------------------------------------

Key: CXF-3655
URL: https://issues.apache.org/jira/browse/CXF-3655
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 2.4.1
Reporter: Aki Yoshida
Assignee: Aki Yoshida
Priority: Minor
Fix For: 2.4.2, 2.5

org.apache.cxf.interceptor.security.DefaultSecurityContext's isUserInRole(String) is not working with either Jetty's or Virgo's role configuration. This method assumes a role principal to implement the interface java.security.acl.Group. However, both Jetty and Virgo represent role principals using their own principal classes, org.eclipse.jetty.plus.jaas.JAASRole or org.eclipse.virgo.kernel.authentication.Role, respectively, and these role classes do not implement java.security.acl.Group. So, in order to check if the specified role matches the role principals assigned to the current context, the specified role must be compared against those principals set in the subject that are not equal to the user principal.
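The check the report asks for, written out as an added illustration (this is not CXF's own DefaultSecurityContext code, and the RoleCheckExample and NamedPrincipal names are hypothetical): Group members are still honoured, and every other principal in the subject that is not the user principal is treated as a role name, which covers the Jetty and Virgo role classes. It assumes a JDK where java.security.acl.Group still exists (it was removed in Java 14).

```java
import java.security.Principal;
import java.security.acl.Group; // the only role shape the 2.4.1 check understood; removed in Java 14
import java.util.Enumeration;
import javax.security.auth.Subject;

public class RoleCheckExample {

    /** True if "role" is granted to the subject, via a Group member or a bare role principal. */
    public static boolean isUserInRole(Subject subject, Principal userPrincipal, String role) {
        if (subject == null || role == null) {
            return false;
        }
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group) {
                // Container stores roles as members of a Group principal.
                Enumeration<? extends Principal> members = ((Group) p).members();
                while (members.hasMoreElements()) {
                    if (role.equals(members.nextElement().getName())) {
                        return true;
                    }
                }
            } else if (userPrincipal == null || !userPrincipal.equals(p)) {
                // Jetty/Virgo style: the role is a plain principal that is not the user principal.
                // Skipping the user principal matters, otherwise a user named "admin" would pass
                // an "admin" role check without ever being granted that role.
                if (role.equals(p.getName())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Hypothetical stand-in for a container's user or role principal class (e.g. JAASRole). */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }

    public static void main(String[] args) {
        // Constructed sample subject: user principal "alice" plus one non-Group role principal "admin".
        Subject subject = new Subject();
        Principal user = new NamedPrincipal("alice");
        subject.getPrincipals().add(user);
        subject.getPrincipals().add(new NamedPrincipal("admin"));
        System.out.println("admin granted: " + isUserInRole(subject, user, "admin"));
        System.out.println("user name counted as role: " + isUserInRole(subject, user, "alice"));
    }
}
```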