cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5536) JAASAuthenticationFilter can only filter users from groups/roles based on one classname.
Date Mon, 03 Feb 2014 12:00:13 GMT

    [ https://issues.apache.org/jira/browse/CXF-5536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13889426#comment-13889426 ]

Sergey Beryozkin commented on CXF-5536:
---------------------------------------

Hi,
if the roleClassifier property is not set then org.apache.cxf.interceptor.security.DefaultSecurityContext,
which is aware of Groups, will be used.
Can you try it please?

Sergey

> JAASAuthenticationFilter can only filter users from groups/roles based on one classname.
> ----------------------------------------------------------------------------------------
>
>                 Key: CXF-5536
>                 URL: https://issues.apache.org/jira/browse/CXF-5536
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.7.8
>            Reporter: Paul Adams
>            Priority: Minor
>
> This is related to:
> https://issues.apache.org/jira/browse/CXF-5484
> The RolePrefixSecurityContextImpl class and users of it are only allowed to pass a single String as a "role classifier". This is fine assuming that a system only has one java principal type other than a "user principal", but many have multiple principal types. For instance it's common to have Users, Groups and Roles.
> In such situations the existing code cannot adequately separate what is a user from what is something else (a group or role).
> Multiple qualifiers should be supported OR the reverse logic might actually be more simplistic. That is, today you pass in a string that is intended to indicate what is a "role" and the code then thinks that if it's not a role it must be a user. Perhaps it would be more straightforward to ask what's a "user" (since in a set of Principals there will only be one of those) and then assume everything else is a "role".
> At any rate if I configure karaf with a realm that uses org.apache.karaf.jaas.modules.properties.PropertiesLoginModule (http://karaf.apache.org/manual/latest/users-guide/security.html) and then configure that properties file to specify both groups and roles then CXF may think that a "group" is a "user" and more often than not improperly identifies a group as being the user principal.
> To work around this I plan to not use groups so that I only have User and Role Principals, but it would certainly be nicer if CXF could deal with both.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
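Editor's added illustration of the classification problem described in the issue above. This is not code from CXF or Karaf: the UserPrincipal, GroupPrincipal and RolePrincipal classes are hypothetical stand-ins for a realm's own principal types, and the two classifier strategies are written from the report's description, not copied from RolePrefixSecurityContextImpl. Strategy A applies a single class name as the "role classifier" and treats whatever is left as the user; strategy B is the reversed rule the reporter proposes, naming the one user principal type and treating everything else as a role.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;

/**
 * Illustrative only (not CXF or Karaf code): contrasts two ways of splitting an
 * authenticated Subject's principals into "the user" and "the roles" when a realm
 * produces three principal types (user, group, role).
 */
public class RoleClassifierDemo {

    /** Minimal named principal; the concrete subclass is what a classifier keys on. */
    abstract static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public String toString() { return getClass().getSimpleName() + "(" + name + ")"; }
    }
    // Hypothetical realm principal types, modelled on a Users/Groups/Roles setup.
    static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    static final class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }
    static final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }

    /** Strategy A: one class name marks a role; anything else is taken to be the user. */
    static Principal userByRoleClassifier(Collection<? extends Principal> principals, String roleClassName) {
        for (Principal p : principals) {
            if (!p.getClass().getSimpleName().equals(roleClassName)) {
                return p; // first non-role principal wins; a GroupPrincipal qualifies as readily as the real user
            }
        }
        return null;
    }

    static Set<String> rolesByRoleClassifier(Collection<? extends Principal> principals, String roleClassName) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (p.getClass().getSimpleName().equals(roleClassName)) {
                roles.add(p.getName()); // groups are neither role nor user here, so they are silently dropped
            }
        }
        return roles;
    }

    /** Strategy B (the report's proposal): one class name marks the single user; everything else is a role. */
    static Principal userByUserClassifier(Collection<? extends Principal> principals, String userClassName) {
        Principal user = null;
        for (Principal p : principals) {
            if (p.getClass().getSimpleName().equals(userClassName)) {
                if (user != null) {
                    // The rule rests on there being exactly one user principal; fail loudly if that breaks.
                    throw new IllegalStateException("more than one user principal: " + user + ", " + p);
                }
                user = p;
            }
        }
        return user;
    }

    static Set<String> rolesByUserClassifier(Collection<? extends Principal> principals, String userClassName) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (!p.getClass().getSimpleName().equals(userClassName)) {
                roles.add(p.getName()); // groups and roles both become authorization attributes
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample: the principal set a properties-file realm with users, groups
        // and roles might attach to a Subject. A group happens to precede the user.
        List<Principal> principals = List.of(
                new GroupPrincipal("admingroup"),
                new UserPrincipal("karaf"),
                new RolePrincipal("admin"),
                new RolePrincipal("manager"));

        System.out.println("A: user  = " + userByRoleClassifier(principals, "RolePrincipal"));
        System.out.println("A: roles = " + rolesByRoleClassifier(principals, "RolePrincipal"));
        System.out.println("B: user  = " + userByUserClassifier(principals, "UserPrincipal"));
        System.out.println("B: roles = " + rolesByUserClassifier(principals, "UserPrincipal"));
    }
}
```

Compile and run with `javac RoleClassifierDemo.java && java RoleClassifierDemo`. With this input, strategy A reports the group as the user principal and leaves the group out of the role set, which is the misidentification the reporter describes; strategy B finds the single UserPrincipal regardless of ordering and keeps the group as an authorization attribute. Whether a group should count as a role or be handled separately (as Sergey's pointer to the group-aware DefaultSecurityContext suggests) is a policy choice this illustration does not settle.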
