struts-issues mailing list archives

From "Dave Newton (JIRA)" <>
Subject [jira] [Commented] (WW-4117) RolesInterceptor ignores disallowedRoles when allowedRoles are configured
Date Wed, 19 Jun 2013 18:57:20 GMT


Dave Newton commented on WW-4117:

It's not the documentation that concerns me.

It's that when I look at a configuration, unless I already know precisely how it works, I
have to look _up_ the docs in order to fully understand the behavior.

I don't think roles are the right place for this kind of behavior; I think there's a difference
between roles and permissions, although they may be tightly coupled. Using a single role to
represent multiple privileges can lead to arbitrary combinations of role strings, eventually
turning into soup.

Like I said, I'm ambivalent.

> RolesInterceptor ignores disallowedRoles when allowedRoles are configured
> -------------------------------------------------------------------------
>                 Key: WW-4117
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>            Reporter: Cam Morris
>         Attachments: patch.txt
> The isAllowed method of RolesInterceptor does not enforce the disallowedRoles when allowedRoles
> are configured.  ex:
> {code}    
> <interceptor-ref name="roles">
>   <param name="allowedRoles">authenticated</param>
>   <param name="disallowedRoles">restrictedUser</param>
> </interceptor-ref>
> {code}
> With the above configuration a user with the roles "authenticated" and "restrictedUser"
> would be granted access.
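
The behaviour the report describes, next to a deny-overrides check, as an added example that is not part of the original message, the attached patch.txt, or the Struts 2 source. The class and method names are hypothetical, roles are modelled as a plain `Set<String>` rather than through the servlet request, and the deny-first ordering is an assumption about what enforcing both lists should look like (Java 9+).

```java
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Added illustration: a simplified model, not the RolesInterceptor source.
public class RolesCheckDemo {

    // Behaviour described in the report: once allowedRoles is non-empty the
    // decision is taken from it alone and disallowedRoles is never consulted.
    static boolean isAllowedReported(Set<String> userRoles,
                                     List<String> allowed, List<String> disallowed) {
        if (!allowed.isEmpty()) {
            return allowed.stream().anyMatch(userRoles::contains);
        }
        return disallowed.stream().noneMatch(userRoles::contains);
    }

    // Deny-overrides (assumed intent): any disallowed role rejects the request,
    // then allowedRoles, if configured, must match at least one user role.
    static boolean isAllowedDenyFirst(Set<String> userRoles,
                                      List<String> allowed, List<String> disallowed) {
        if (disallowed.stream().anyMatch(userRoles::contains)) {
            return false;
        }
        return allowed.isEmpty() || allowed.stream().anyMatch(userRoles::contains);
    }

    public static void main(String[] args) {
        // Same values as the <interceptor-ref name="roles"> example in the report.
        List<String> allowed = List.of("authenticated");
        List<String> disallowed = List.of("restrictedUser");

        // Constructed sample users covering each combination of the two roles.
        List<Set<String>> users = List.of(
                Set.of("authenticated"),
                Set.of("authenticated", "restrictedUser"),
                Set.of("restrictedUser"),
                Set.<String>of());

        for (Set<String> roles : users) {
            System.out.printf("%-34s reported=%-5b denyFirst=%b%n",
                    new TreeSet<>(roles),
                    isAllowedReported(roles, allowed, disallowed),
                    isAllowedDenyFirst(roles, allowed, disallowed));
        }
    }
}
```

Only the second user, holding both roles, gets a different answer from the two checks: the reported behaviour grants access and the deny-first check refuses it.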
