Posted to issues@cxf.apache.org by "Aki Yoshida (JIRA)" <ji...@apache.org> on 2011/07/14 18:06:59 UTC
[jira] [Created] (CXF-3655) Role based authorization not working
with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with
non-prefixed role names)
Role based authorization not working with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with non-prefixed role names)
-------------------------------------------------------------------------------------------------------------------------------------
Key: CXF-3655
URL: https://issues.apache.org/jira/browse/CXF-3655
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 2.4.1
Reporter: Aki Yoshida
Assignee: Aki Yoshida
Priority: Minor
Fix For: 2.4.2, 2.5
org.apache.cxf.interceptor.security.DefaultSecurityContext's isUserInRole(String) is not working with jetty's or virgo's role configuration. This method assumes a role principal to have interface java.security.acl.Group.
However, both jetty and virgo represent role principals using their own principal classes
org.eclipse.jetty.plus.jaas.JAASRole or org.eclipse.virgo.kernel.authentication.Role, respectively.
And these role classes do not implement java.security.acl.Group.
So, in order to check if the specified role matches the role-principals assigned to the current context, the specified role must be compared against those principals set in the subject that are not equal to the user principal.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
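
The role check described in the report above, as an added example that is not part of the original message and is not CXF's code. It assumes Java 16+ (records); GroupPrincipal and SimplePrincipal are constructed stand-ins for java.security.acl.Group and for a container role class such as JAASRole, and the method names are hypothetical.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class RoleCheckDemo {
    // Constructed marker standing in for java.security.acl.Group.
    interface GroupPrincipal extends Principal { }

    // Constructed stand-in for a container role class such as JAASRole:
    // a plain Principal that implements no group interface.
    record SimplePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // A check that only recognizes group-typed role principals.
    // Roles supplied as plain principals are never matched.
    static boolean groupOnlyCheck(Subject subject, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof GroupPrincipal && p.getName().equals(role)) {
                return true;
            }
        }
        return false;
    }

    // The comparison the report describes: match the role name against
    // every principal in the subject other than the user principal.
    static boolean nonUserPrincipalCheck(Subject subject, Principal user, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (!p.equals(user) && p.getName().equals(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample subject: one user principal, one role principal.
        Principal user = new SimplePrincipal("alice");
        Subject subject = new Subject();
        subject.getPrincipals().add(user);
        subject.getPrincipals().add(new SimplePrincipal("admin"));

        System.out.println("group-only check, role admin: " + groupOnlyCheck(subject, "admin"));
        System.out.println("non-user check, role admin:   " + nonUserPrincipalCheck(subject, user, "admin"));
        System.out.println("non-user check, role alice:   " + nonUserPrincipalCheck(subject, user, "alice"));
    }
}
```

Because the user principal is skipped, a caller whose user name happens to equal a role name does not acquire that role from the user principal alone.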
[jira] [Resolved] (CXF-3655) Role based authorization not working
with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with
non-prefixed role names)
Posted by "Aki Yoshida (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-3655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aki Yoshida resolved CXF-3655.
------------------------------
Resolution: Fixed
> Role based authorization not working with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with non-prefixed role names)
> -------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-3655
> URL: https://issues.apache.org/jira/browse/CXF-3655
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.4.1
> Reporter: Aki Yoshida
> Assignee: Aki Yoshida
> Priority: Minor
> Fix For: 2.4.2, 2.5
>
>
> org.apache.cxf.interceptor.security.DefaultSecurityContext's isUserInRole(String) is not working with jetty's or virgo's role configuration. This method assumes a role principal to have interface java.security.acl.Group.
> However, both jetty and virgo represent role principals using their own principal classes
> org.eclipse.jetty.plus.jaas.JAASRole or org.eclipse.virgo.kernel.authentication.Role, respectively.
> And these role classes do not implement java.security.acl.Group.
> So, in order to check if the specified role matches the role-principals assigned to the current context, the specified role must be compared against those principals set in the subject that are not equal to the user principal.