[ https://issues.apache.org/jira/browse/FC-74?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shawn McKinney resolved FC-74.
------------------------------
Resolution: Fixed
The problem was caused by a bug. Previously the code broke out of the loop any
time it found a match between a role and a parent role. Now it only breaks if
the cardinality is exceeded, meaning the assigned role is removed from the
activated session list.
    if ( map.contains( parentRole ) )
    {
        if ( matchCount >= dsd.getCardinality() )
        {
            String warning = "...
            rc = GlobalErrIds.ACTV_FAILED_DSD;
            // remove the assigned role from session (not the authorized role):
            activatedRoles.remove();
            session.setWarning(... );
            LOG.warn( warning );
            // Breaking loop because assigned role has been removed from session.
            break;
        }
    }
> DSD checking on hierarchical relationships incorrect
> ----------------------------------------------------
>
> Key: FC-74
> URL: https://issues.apache.org/jira/browse/FC-74
> Project: FORTRESS
> Issue Type: Bug
> Affects Versions: 1.0.0-RC39
> Reporter: Shawn McKinney
> Fix For: 1.0.0-RC40
>
>
> Manual testing of Fortress detected that DSD constraints between roles can
> be bypassed via inheritance.
> For example this constraint:
> <sdset name="Demo2DSD"
> description="ROLE_TEST DATA roles are mutually exclusive" cardinality="2"
> setType="DYNAMIC"
> setmembers="PAGE1_123,PAGE1_456,PAGE1_789,
> PAGE2_123,PAGE2_456,PAGE2_789,
> PAGE3_123,PAGE3_456,PAGE3_789"/>
> can be bypassed through these inheritance relationships:
> <relationship child="PERSON1" parent="ROLE_PAGE1"/>
> <relationship child="PERSON1" parent="PAGE1_123"/>
> <relationship child="PERSON1" parent="PAGE1_456"/>
> <relationship child="PERSON1" parent="PAGE1_789"/>
> and then assigning to user:
> <userrole userId="anyuser" name="PERSON1"/>
> When user 'anyuser' logs on and activates the PERSON1 role, this bypasses the
> constraint checks for DSD on the roles PERSON1 inherits.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
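
The loop behaviour described in the resolution, as an added standalone model that is not Fortress source code: it runs the issue's PERSON1 hierarchy through the check with the early break and without it. The class, the `activate` method, the `breakOnFirstMatch` flag, the position of the `matchCount` increment and the rollback on removal are assumptions made for illustration; the set is trimmed to the three members PERSON1 inherits.

```java
import java.util.*;

public class DsdInheritanceCheck {
    // Constructed data modelled on the issue: PERSON1 inherits three Demo2DSD members.
    static final Set<String> DSD_MEMBERS = Set.of("PAGE1_123", "PAGE1_456", "PAGE1_789");
    static final int CARDINALITY = 2;
    static final Map<String, List<String>> PARENTS = Map.of(
        "PERSON1", List.of("ROLE_PAGE1", "PAGE1_123", "PAGE1_456", "PAGE1_789"));

    /**
     * Returns the assigned roles that stay active after the DSD check.
     * breakOnFirstMatch=true models the pre-fix loop, false models the fix.
     */
    static List<String> activate(List<String> assigned, boolean breakOnFirstMatch) {
        List<String> active = new ArrayList<>(assigned);
        int matchCount = 0;
        for (Iterator<String> it = active.iterator(); it.hasNext();) {
            String role = it.next();
            int countBeforeRole = matchCount;
            // Authorized roles = the assigned role plus everything it inherits.
            List<String> authorized = new ArrayList<>(List.of(role));
            authorized.addAll(PARENTS.getOrDefault(role, List.of()));
            for (String parentRole : authorized) {
                if (!DSD_MEMBERS.contains(parentRole)) continue;
                matchCount++;
                if (matchCount >= CARDINALITY) {
                    it.remove();                  // drop the assigned role, not the inherited one
                    matchCount = countBeforeRole; // a removed role no longer contributes
                    break;                        // role is gone, nothing left to count for it
                }
                if (breakOnFirstMatch) break;     // pre-fix: stop at the first match
            }
        }
        return active;
    }

    public static void main(String[] args) {
        List<String> request = List.of("PERSON1");
        System.out.println("pre-fix : " + activate(request, true));
        System.out.println("post-fix: " + activate(request, false));
    }
}
```

A regression test for this class of bug should activate a single role whose ancestors alone reach the set's cardinality, since tests that only activate set members directly do not exercise the inner loop.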