cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-5536) JAASAuthenticationFilter can only filter users from groups/roles based on one classname.
Date Mon, 03 Feb 2014 12:00:13 GMT


Sergey Beryozkin commented on CXF-5536:

If the roleClassifier property is not set then
which is aware of Groups will be used.
Can you try it, please?


> JAASAuthenticationFilter can only filter users from groups/roles based on one classname.
> ----------------------------------------------------------------------------------------
>                 Key: CXF-5536
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.7.8
>            Reporter: Paul Adams
>            Priority: Minor
> This is related to:
> The RolePrefixSecurityContextImpl class and users of it are only allowed to pass a single String as a "role classifier". This is fine assuming that a system only has one other java principal type other than a "user principal" but many have multiple principal types. For instance it's common to have Users, Groups and Roles.
> In such situations the existing code cannot adequately separate what is a user from what is something else (a group or role).
> Multiple qualifiers should be supported OR the reverse logic might actually be more simplistic. That is today you pass in a string that is intended to indicate what is a "role" and the code then thinks that if it's not a role it must be a user. Perhaps it would be more straightforward to ask what's a "user" (since in a set of Principals there will only be one of those) and then assume everything else is a "role".
> At any rate if I configure karaf with a realm that uses ( and then configure that properties file to specify both groups and roles then CXF may think that a "group" is a "user" and more often than not improperly identifies a group as being the user principal.
> To work around this I plan to not use groups so that I only have User and Role Principals but it would certainly be nicer if CXF could deal with both.

This message was sent by Atlassian JIRA
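
The misidentification described in the report, next to the reverse logic the reporter proposes, as an added example (not code from CXF or from this message). The principal classes and helper methods are hypothetical, and the single-classifier method models the behaviour as the report describes it rather than reproducing CXF's implementation.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Requires Java 16+ (records). All types here are hypothetical stand-ins.
public class PrincipalClassificationDemo {
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    record GroupPrincipal(String name) implements Principal { public String getName() { return name; } }
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }

    // Model of the single-classifier approach: the first principal whose class
    // name does not end with the classifier is taken to be the user.
    static Principal userBySingleRoleClassifier(Set<Principal> principals, String roleClassifier) {
        for (Principal p : principals) {
            if (!p.getClass().getName().endsWith(roleClassifier)) {
                return p;
            }
        }
        return null;
    }

    // Reverse logic from the report: name the user type and require exactly one.
    static Principal userByUserType(Set<Principal> principals, Class<? extends Principal> userType) {
        List<Principal> users = principals.stream().filter(userType::isInstance).toList();
        if (users.size() != 1) {
            throw new SecurityException("expected exactly one user principal, found " + users.size());
        }
        return users.get(0);
    }

    // Everything that is not the user principal counts as a role (groups included).
    static List<String> rolesFor(Set<Principal> principals, Principal user) {
        return principals.stream().filter(p -> !p.equals(user)).map(Principal::getName).toList();
    }

    public static void main(String[] args) {
        // Constructed sample: a subject whose login module added the group first.
        Set<Principal> principals = new LinkedHashSet<>(List.of(
            new GroupPrincipal("admingroup"), new RolePrincipal("admin"), new UserPrincipal("alice")));

        Principal wrong = userBySingleRoleClassifier(principals, "RolePrincipal");
        Principal right = userByUserType(principals, UserPrincipal.class);

        System.out.println("single classifier -> user = " + wrong.getName()); // admingroup
        System.out.println("user type         -> user = " + right.getName()); // alice
        System.out.println("roles for alice   = " + rolesFor(principals, right)); // [admingroup, admin]
    }
}
```

With the single classifier, the reported user name depends on the order in which principals were added, so any authorization or audit decision keyed on that name may be applied to a group rather than to the authenticated user.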
