Date: Sun, 1 Mar 2015 16:04:04 +0000 (UTC)
From: "Shawn McKinney (JIRA)"
To: dev@directory.apache.org
Subject: [jira] [Resolved] (FC-74) DSD checking on hierarchical relationships incorrect

     [ https://issues.apache.org/jira/browse/FC-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn McKinney resolved FC-74.
------------------------------
    Resolution: Fixed

Problem was caused by a bug.  Previously the code broke out of the loop any time it found a match between role and parent role.  Now it only breaks if cardinality is exceeded, meaning the assigned role is removed from the activated session list.

    if ( map.contains( parentRole ) )
    {
        if ( matchCount >= dsd.getCardinality() )
        {
            String warning = "...
            rc = GlobalErrIds.ACTV_FAILED_DSD;
            // remove the assigned role from session (not the authorized role):
            activatedRoles.remove();
            session.setWarning(...
            );
            LOG.warn( warning );
            // Breaking loop because assigned role has been removed from session.
            break;
        }
    }

> DSD checking on hierarchical relationships incorrect
> ----------------------------------------------------
>
>                 Key: FC-74
>                 URL: https://issues.apache.org/jira/browse/FC-74
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0-RC40
>
>
> Manual testing of fortress detected that DSD constraints between roles can be bypassed via inheritance.
> For example this constraint:
> sdset name="Demo2DSD"
>    description="ROLE_TEST DATA roles are mutually exclusive" cardinality="2"
>    setType="DYNAMIC"
>    setmembers="PAGE1_123,PAGE1_456,PAGE1_789,
>    PAGE2_123,PAGE2_456,PAGE2_789,
>    PAGE3_123,PAGE3_456,PAGE3_789"/>
> can be bypassed through these inheritance relationships:
>
>
>
>
> and then assigning to user:
> userrole userId="anyuser" name="PERSON1"
> when user 'anyuser' logs on and activates the person1 role, which bypasses the constraint checks for DSD on the roles person1 inherits.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
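
The loop behaviour described in the resolution above, as an added example that is not part of the original message and is not Apache Fortress code. It is a simplified model: the DSD members and cardinality come from the issue text, while the class name, the `activate` helper, the PERSON2 role and the inheritance map are assumptions, since the inheritance relationships in the report did not survive in this archive copy.

```java
import java.util.*;

// Added illustration; a simplified model, not Apache Fortress code.
public class DsdInheritanceDemo {
    // DSD set from the issue: members are mutually exclusive at cardinality 2.
    static final Set<String> MEMBERS = Set.of(
        "PAGE1_123", "PAGE1_456", "PAGE1_789", "PAGE2_123", "PAGE2_456",
        "PAGE2_789", "PAGE3_123", "PAGE3_456", "PAGE3_789");
    static final int CARDINALITY = 2;

    // Constructed hierarchy (assumption): assigned role -> roles it inherits.
    static final Map<String, List<String>> PARENTS = Map.of(
        "PERSON1", List.of("PAGE1_123", "PAGE1_456"),
        "PERSON2", List.of("PAGE2_123"));

    // Returns the roles left active after the DSD check on inherited roles.
    static List<String> activate(List<String> assigned, boolean breakOnFirstMatch) {
        List<String> active = new ArrayList<>(assigned);
        int matchCount = 0; // DSD members matched so far in this session
        Iterator<String> activatedRoles = active.iterator();
        while (activatedRoles.hasNext()) {
            String role = activatedRoles.next();
            for (String parentRole : PARENTS.getOrDefault(role, List.of())) {
                if (MEMBERS.contains(parentRole)) {
                    matchCount++;
                    if (matchCount >= CARDINALITY) {
                        // Remove the assigned role, not the inherited one.
                        activatedRoles.remove();
                        break; // role is gone, stop scanning its parents
                    }
                    if (breakOnFirstMatch) {
                        break; // pre-fix: later parents are never counted
                    }
                }
            }
        }
        return active;
    }

    public static void main(String[] args) {
        List<String> one = List.of("PERSON1");
        System.out.println("pre-fix:   " + activate(one, true));
        System.out.println("post-fix:  " + activate(one, false));
        System.out.println("two roles: " + activate(List.of("PERSON2", "PERSON1"), false));
    }
}
```

With the early break, a single assigned role that inherits two members of the set stays active because only its first matching parent is counted; without it, the second parent brings the count to the cardinality and the assigned role is removed.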