Posted to dev@directory.apache.org by "Shawn McKinney (JIRA)" <ji...@apache.org> on 2015/03/01 17:04:04 UTC

[jira] [Resolved] (FC-74) DSD checking on hierarchical relationships incorrect

     [ https://issues.apache.org/jira/browse/FC-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn McKinney resolved FC-74.
------------------------------
    Resolution: Fixed

Problem was caused by a bug.  Previously the code broke out of the loop any time it found a match between the role and a parent role.  Now it only breaks if the cardinality is exceeded, meaning the assigned role is removed from the activated session list.

 if ( map.contains( parentRole ) )
 {
     if ( matchCount >= dsd.getCardinality() )
     {
         String warning = "...
         rc = GlobalErrIds.ACTV_FAILED_DSD;
         // remove the assigned role from session (not the authorized role):
         activatedRoles.remove();
         session.setWarning( ... );
         LOG.warn( warning );
         // Breaking loop because assigned role has been removed from session.
         break;
     }
 }


> DSD checking on hierarchical relationships incorrect
> ----------------------------------------------------
>
>                 Key: FC-74
>                 URL: https://issues.apache.org/jira/browse/FC-74
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0-RC40
>
>
> Manual testing of fortress detected that DSD constraints between roles can be bypassed via inheritance.  
> For example, this constraint:
>   <sdset name="Demo2DSD" 
>   description="ROLE_TEST DATA roles are mutually exclusive" cardinality="2"
>   setType="DYNAMIC"
>   setmembers="PAGE1_123,PAGE1_456,PAGE1_789,
>                          PAGE2_123,PAGE2_456,PAGE2_789,
>                          PAGE3_123,PAGE3_456,PAGE3_789"/>
> can be bypassed through these inheritance relationships:
>                 <relationship child="PERSON1" parent="ROLE_PAGE1"/>
>                 <relationship child="PERSON1" parent="PAGE1_123"/>
>                 <relationship child="PERSON1" parent="PAGE1_456"/>
>                 <relationship child="PERSON1" parent="PAGE1_789"/>
> and then assigning it to a user:
> <userrole userId="anyuser" name="PERSON1"/>
> when user 'anyuser' logs on and activates the person1 role, it bypasses the constraint checks for DSD on the roles person1 inherits.
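
The bypass described in the issue and the loop change described in the resolution, as an added stand-alone example that is not Fortress code: a small dynamic separation of duty (DSD) check over a role hierarchy, with a `break_on_first_match` switch that reproduces the pre-fix behaviour (leave the inner loop on any match) beside the fixed behaviour (leave it only once the cardinality is reached and the assigned role has been removed). The role names and the Demo2DSD set are taken from the issue; the hierarchy dict, the `DsdSet` class, the `ascendants` and `activate` helpers, and the session-wide `match_count` are assumptions of this example.

```python
# Added example (not Fortress code): a standalone DSD check over a role
# hierarchy, with a switch that reproduces the pre-fix behaviour from FC-74.
from dataclasses import dataclass


@dataclass(frozen=True)
class DsdSet:
    name: str
    cardinality: int          # a session may hold at most cardinality-1 members
    members: frozenset


# Constructed data mirroring the issue: child role -> roles it inherits from.
HIERARCHY = {
    "PERSON1": {"ROLE_PAGE1", "PAGE1_123", "PAGE1_456", "PAGE1_789"},
}

# The Demo2DSD set from the issue: nine PAGEn_xxx roles, cardinality 2.
DEMO2_DSD = DsdSet(
    name="Demo2DSD",
    cardinality=2,
    members=frozenset(f"PAGE{p}_{s}" for p in (1, 2, 3) for s in ("123", "456", "789")),
)


def ascendants(role, hierarchy):
    """Return the role itself plus every role it inherits from, transitively."""
    seen = {role}
    stack = [role]
    while stack:
        current = stack.pop()
        for parent in hierarchy.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def activate(requested, hierarchy, dsd, break_on_first_match=False):
    """Apply one DSD set to the roles a session asks to activate.

    Returns (activated_roles, warnings). The match count is session-wide, as in
    the loop quoted in the resolution: every DSD member reachable from an
    activated role (the role itself or an ancestor) adds one, and the role that
    pushes the count to the cardinality is removed from the session.
    """
    activated = list(requested)
    warnings = []
    match_count = 0
    for role in list(activated):
        for ancestor in sorted(ascendants(role, hierarchy)):
            if ancestor not in dsd.members:
                continue
            match_count += 1
            if match_count >= dsd.cardinality:
                # Remove the assigned role, not the inherited one that matched.
                activated.remove(role)
                warnings.append(
                    f"DSD {dsd.name}: activating {role} reaches cardinality "
                    f"{dsd.cardinality} via {ancestor}; role removed from session"
                )
                break
            if break_on_first_match:
                # Pre-fix behaviour: leave the inner loop on any match, so a role
                # that inherits several members is counted only once.
                break
    return activated, warnings


if __name__ == "__main__":
    for label, flag in (("pre-fix", True), ("fixed", False)):
        roles, warns = activate(["PERSON1"], HIERARCHY, DEMO2_DSD, break_on_first_match=flag)
        print(f"{label}: session roles {roles}, warnings {warns}")
```

With the pre-fix switch on, activating PERSON1 counts only one of its three inherited Demo2DSD members and the role stays active; with the fix, the second inherited member reaches the cardinality of 2 and PERSON1 is dropped from the session. Two directly activated members (for example PAGE1_123 and PAGE2_456) are caught either way, which is why the defect only showed up through inheritance.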



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)