directory-dev mailing list archives

From "Shawn McKinney (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (FC-74) DSD checking on hierarchical relationships incorrect
Date Sun, 01 Mar 2015 16:04:04 GMT

     [ https://issues.apache.org/jira/browse/FC-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn McKinney resolved FC-74.
------------------------------
    Resolution: Fixed

The problem was caused by a bug.  Previously the code broke out of the loop any time it found a match
between the role and a parent role.  Now it only breaks if the match count exceeds the cardinality, meaning the assigned
role is removed from the activated session list.

 if ( map.contains( parentRole ) )
 {
     if ( matchCount >= dsd.getCardinality() )
     {
         String warning = "...
         rc = GlobalErrIds.ACTV_FAILED_DSD;
         // remove the assigned role from session (not the authorized role):
         activatedRoles.remove();
         session.setWarning( ... );
         LOG.warn( warning );
         // Breaking loop because assigned role has been removed from session.
         break;
     }
 }


> DSD checking on hierarchical relationships incorrect
> ----------------------------------------------------
>
>                 Key: FC-74
>                 URL: https://issues.apache.org/jira/browse/FC-74
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0-RC40
>
>
> Manual testing of fortress detected that DSD constraints between roles can be bypassed
> via inheritance.
> For example this constraint:
>   <sdset name="Demo2DSD"
>   description="ROLE_TEST DATA roles are mutually exclusive" cardinality="2"
>   setType="DYNAMIC"
>   setmembers="PAGE1_123,PAGE1_456,PAGE1_789,
>                          PAGE2_123,PAGE2_456,PAGE2_789,
>                          PAGE3_123,PAGE3_456,PAGE3_789"/>
> can be bypassed through these inheritance relationships:
>                 <relationship child="PERSON1" parent="ROLE_PAGE1"/>
>                 <relationship child="PERSON1" parent="PAGE1_123"/>
>                 <relationship child="PERSON1" parent="PAGE1_456"/>
>                 <relationship child="PERSON1" parent="PAGE1_789"/>
> and then assigning to user:
> <userrole userId="anyuser" name="PERSON1"/>
> When user 'anyuser' logs on and activates the PERSON1 role, this bypasses the DSD constraint
> checks on the roles PERSON1 inherits.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
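The defect described in the resolution comment and the bypass in the quoted issue, modelled as an added example (not Fortress code): a small Python model of DSD enforcement over a role hierarchy, with the broken "break on first match" behaviour switchable so both outcomes can be compared side by side. The data (the Demo2DSD set, the PERSON1 hierarchy, user anyuser) is taken from the issue text; the class and function names, and the rule that a removed role's matches are rolled back out of the running count, are this model's own assumptions.

```python
"""Model of DSD (dynamic separation of duty) enforcement over a role hierarchy.

Added example, not Fortress code. The data below comes from FC-74; the
class/function names and the control flow are this model's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class DsdSet:
    name: str
    members: FrozenSet[str]
    cardinality: int  # violation once this many members are active at once


@dataclass
class Session:
    user_id: str
    activated_roles: List[str]
    warnings: List[str] = field(default_factory=list)


# Constructed from the issue text: role hierarchy as child -> parents.
HIERARCHY: Dict[str, List[str]] = {
    "PERSON1": ["ROLE_PAGE1", "PAGE1_123", "PAGE1_456", "PAGE1_789"],
}

DEMO2_DSD = DsdSet(
    name="Demo2DSD",
    members=frozenset({
        "PAGE1_123", "PAGE1_456", "PAGE1_789",
        "PAGE2_123", "PAGE2_456", "PAGE2_789",
        "PAGE3_123", "PAGE3_456", "PAGE3_789",
    }),
    cardinality=2,  # "mutually exclusive": any two active members violate
)


def authorized_roles(role: str, hierarchy: Dict[str, List[str]]) -> set:
    """Return the role plus every ancestor reachable through the hierarchy.

    Activating a child role authorizes all of its parents, so the DSD check
    must look at this closure, not just the assigned role itself.
    """
    seen = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(hierarchy.get(current, []))
    return seen


def check_dsd(session: Session, dsd_sets: List[DsdSet],
              hierarchy: Dict[str, List[str]],
              break_on_first_match: bool = False) -> Session:
    """Drop any activated role whose authorized closure pushes a DSD set to its cardinality.

    break_on_first_match=True reproduces the FC-74 defect: the scan of a
    role's ancestors stops at the first set member found, so a role that
    inherits several members is only ever counted once and never trips the
    cardinality check.
    """
    for dsd in dsd_sets:
        kept_matches = 0  # members contributed by roles that stay activated
        for assigned in list(session.activated_roles):
            matches_here = 0
            for parent in sorted(authorized_roles(assigned, hierarchy)):
                if parent not in dsd.members:
                    continue
                matches_here += 1
                if kept_matches + matches_here >= dsd.cardinality:
                    session.warnings.append(
                        f"DSD {dsd.name}: removing {assigned} "
                        f"(member {parent} reaches cardinality {dsd.cardinality})")
                    # Remove the assigned role, not the inherited one it matched on.
                    session.activated_roles.remove(assigned)
                    matches_here = 0  # model choice: its matches no longer count
                    break
                if break_on_first_match:
                    break  # FC-74 defect: stop scanning after the first hit
            kept_matches += matches_here
    return session


def activate(roles: List[str], buggy: bool = False) -> List[str]:
    """Activate roles for user 'anyuser' and return what survives the DSD check."""
    session = Session("anyuser", list(roles))
    check_dsd(session, [DEMO2_DSD], HIERARCHY, break_on_first_match=buggy)
    return session.activated_roles


if __name__ == "__main__":
    print("buggy, PERSON1 :", activate(["PERSON1"], buggy=True))     # bypass
    print("fixed, PERSON1 :", activate(["PERSON1"]))                 # removed
    print("direct members :", activate(["PAGE1_123", "PAGE2_456"]))  # caught either way
```

The third scenario activates two set members directly, without any hierarchy, and is caught by both variants; only the inherited case separates the buggy loop from the fixed one, which is why manual testing with direct assignments alone did not surface the problem.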
