Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/09/18 10:03:00 UTC

[jira] [Resolved] (CXF-5536) JAASAuthenticationFilter can only filter users from groups/roles based on one classname.

     [ https://issues.apache.org/jira/browse/CXF-5536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-5536.
--------------------------------------
    Resolution: Won't Fix

See Sergey's comment.

> JAASAuthenticationFilter can only filter users from groups/roles based on one classname.
> ----------------------------------------------------------------------------------------
>
>                 Key: CXF-5536
>                 URL: https://issues.apache.org/jira/browse/CXF-5536
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.7.8
>            Reporter: Paul Adams
>            Priority: Minor
>
> This is related to:
> https://issues.apache.org/jira/browse/CXF-5484
> The RolePrefixSecurityContextImpl class and users of it are only allowed to pass a single String in as a "role classifier".  This is fine assuming that a system only has one other java principal type other than a "user principal" but many have multiple principal types.  For instance it's common to have Users, Groups and Roles.
> In such situations the existing code cannot adequately separate what is a user from what is something else (a group or role).
> Multiple qualifiers should be supported OR the reverse logic might actually be more simplistic.  That is today you pass in a string that is intended to indicate what is a "role" and the code then thinks that if it's not a role it must be a user.  Perhaps it would be more straightforward to ask what's a "user" (since in a set of Principals there will only be one of those) and then assume everything else is a "role".
> At any rate if I configure karaf with a realm that uses org.apache.karaf.jaas.modules.properties.PropertiesLoginModule (http://karaf.apache.org/manual/latest/users-guide/security.html) and then configure that properties file to specify both groups and roles then CXF may think that a "group" is a "user" and more often than not improperly identifies a group as being the user principal.
> To work around this I plan to not use groups so that I only have User and Role Principals but it would certainly be nicer if CXF could deal with both.
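As an added illustration (not CXF's code and not part of the issue report), the two classification strategies the report contrasts: a single role classifier, where every principal that is not a role is assumed to be the user, and the reverse, where a single user classifier picks out the user and everything else becomes a role. The UserPrincipal, GroupPrincipal and RolePrincipal classes are hypothetical stand-ins for Karaf's principal types, and classifyByRoleClass / classifyByUserClass are stand-ins for the current and proposed behaviour, not CXF methods.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added illustration of the classification problem described in CXF-5536.
 * Not CXF code: the principal classes and both classify* methods are hypothetical
 * stand-ins for the behaviour the report describes.
 */
public class PrincipalClassificationDemo {

    /** Minimal principal with a name and a stable equals/hashCode so it can live in a Set. */
    static abstract class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return Objects.hash(getClass(), name); }
        @Override public String toString() { return getClass().getSimpleName() + "(" + name + ")"; }
    }
    /** Hypothetical stand-ins for a realm's user, group and role principal types. */
    static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    static final class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }
    static final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }

    /** Result of a classification: the principal taken as the user, and the names treated as roles. */
    static final class Result {
        final Principal user;
        final Set<String> roles;
        Result(Principal user, Set<String> roles) { this.user = user; this.roles = roles; }
        @Override public String toString() { return "user=" + user + ", roles=" + roles; }
    }

    /**
     * Logic as the report describes it: one class identifies roles, and the first
     * principal that is NOT of that class is assumed to be the user. With a third
     * principal type (groups) in the Subject, a group can be picked as the user.
     */
    static Result classifyByRoleClass(Set<Principal> principals, Class<?> roleClass) {
        Principal user = null;
        Set<String> roles = new TreeSet<>();
        for (Principal p : principals) {
            if (roleClass.isInstance(p)) {
                roles.add(p.getName());
            } else if (user == null) {
                user = p; // first non-role principal wins, whatever its type
            }
            // any further non-role principal (e.g. the real user) is silently dropped
        }
        return new Result(user, roles);
    }

    /**
     * Reverse logic proposed in the report: one class identifies the (single) user
     * principal, and every other principal is treated as a role/group name.
     */
    static Result classifyByUserClass(Set<Principal> principals, Class<?> userClass) {
        Principal user = null;
        Set<String> roles = new TreeSet<>();
        for (Principal p : principals) {
            if (userClass.isInstance(p)) {
                if (user != null) {
                    throw new IllegalStateException("more than one user principal: " + user + ", " + p);
                }
                user = p;
            } else {
                roles.add(p.getName());
            }
        }
        return new Result(user, roles);
    }

    public static void main(String[] args) {
        // Constructed Subject contents: a group, a user and a role. A real
        // javax.security.auth.Subject exposes its principals as a Set with no ordering
        // guarantee, so the group may be visited before the user; the LinkedHashSet
        // here fixes that order so the mis-classification is reproducible.
        Set<Principal> principals = new LinkedHashSet<>();
        principals.add(new GroupPrincipal("admingroup"));
        principals.add(new UserPrincipal("alice"));
        principals.add(new RolePrincipal("admin"));

        System.out.println("role classifier only: " + classifyByRoleClass(principals, RolePrincipal.class));
        System.out.println("user classifier:      " + classifyByUserClass(principals, UserPrincipal.class));
    }
}
```

With the group visited first, the role-classifier variant reports the group as the user and drops the real user principal from the result entirely, so the identity that ends up in the security context, and the role set used for authorization, depend on set iteration order rather than on the realm's configuration. The user-classifier variant identifies the user regardless of order and keeps both the group and the role as role names; it also makes the "exactly one user principal" assumption explicit by failing loudly when it does not hold.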



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)