Posted to jetspeed-dev@portals.apache.org by "Stefan Frerich (JIRA)" <je...@portals.apache.org> on 2007/01/09 18:08:27 UTC

[jira] Commented: (JS2-21) Missing Security Feature: Check roles assigned to any group to user belongs

    [ https://issues.apache.org/jira/browse/JS2-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12463344 ] 

Stefan Frerich commented on JS2-21:
-----------------------------------

It seems that a solution to this issue was close at hand in Dec 2005. Is there currently any work in progress?
@Ate: Could you provide more detailed information on what the problem was in your last fix? Thanks in advance!

> Missing Security Feature: Check roles assigned to any group to user belongs
> ---------------------------------------------------------------------------
>
>                 Key: JS2-21
>                 URL: https://issues.apache.org/jira/browse/JS2-21
>             Project: Jetspeed 2
>          Issue Type: New Feature
>          Components: Security
>    Affects Versions: 2.0-FINAL
>            Reporter: David Le Strat
>         Assigned To: Ate Douma
>
> Reported by Ate Douma:
> o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is missing a required feature.
> A User can be part of a Group which can have Roles just like the User itself.
> The isUserInRole() method currently only checks if the specified role is assigned to the user, not if it is assigned to one of the groups the user belongs to.
> The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also applies for portlets) specifies that a user is in a specific role either when assigned directly to the user or when assigned to a group the user belongs to.
> Thus according to this definition the RoleManagerImpl.isUserInRole() should also check the roles assigned to any group the user belongs to.

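The check described in the quoted issue, as an added example that is not part of the original message and is not Jetspeed code. It uses a hypothetical in-memory store (the class, its methods and the sample users, groups and roles are all assumptions) and puts the direct-only lookup beside one that also consults the roles of the user's groups.

```java
import java.util.*;

// Hypothetical in-memory model (all names are assumptions); not Jetspeed's RoleManagerImpl.
public class EffectiveRoleCheck {
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    private final Map<String, Set<String>> groupRoles = new HashMap<>();

    private static void add(Map<String, Set<String>> m, String key, String value) {
        m.computeIfAbsent(key, k -> new HashSet<>()).add(value);
    }
    void grantUserRole(String user, String role) { add(userRoles, user, role); }
    void grantGroupRole(String group, String role) { add(groupRoles, group, role); }
    void addUserToGroup(String user, String group) { add(userGroups, user, group); }
    void removeUserFromGroup(String user, String group) {
        userGroups.getOrDefault(user, new HashSet<>()).remove(group);
    }

    // Behaviour the issue reports: only roles assigned directly to the user count.
    boolean isUserInRoleDirectOnly(String user, String role) {
        return userRoles.getOrDefault(user, Collections.emptySet()).contains(role);
    }

    // Behaviour the issue asks for: a direct assignment, or an assignment to any
    // group the user belongs to, puts the user in the role.
    boolean isUserInRole(String user, String role) {
        if (isUserInRoleDirectOnly(user, role)) return true;
        for (String group : userGroups.getOrDefault(user, Collections.emptySet())) {
            if (groupRoles.getOrDefault(group, Collections.emptySet()).contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        EffectiveRoleCheck rm = new EffectiveRoleCheck();
        rm.grantUserRole("alice", "user");
        rm.grantGroupRole("editors", "publisher");
        rm.addUserToGroup("alice", "editors");

        System.out.println("direct only:   " + rm.isUserInRoleDirectOnly("alice", "publisher"));
        System.out.println("with groups:   " + rm.isUserInRole("alice", "publisher"));
        // Membership is resolved at check time, so leaving the group drops the role.
        rm.removeUserFromGroup("alice", "editors");
        System.out.println("after removal: " + rm.isUserInRole("alice", "publisher"));
    }
}
```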