Andrei Shakirin created CXF-4495:
------------------------------------
Summary: Extend SimpleAuthorizingInterceptor to check only configured roles
Key: CXF-4495
URL: https://issues.apache.org/jira/browse/CXF-4495
Project: CXF
Issue Type: Improvement
Components: Core
Reporter: Andrei Shakirin
Priority: Minor
Hi,
Currently, SimpleAuthorizingInterceptor works only with a prepared SecurityContext
(with resolved roles). The configured user roles map is checked only in addition
to the roles in the context. It is possible to restrict access in the configuration,
but not to extend it.
I see some use cases where checking only the configured roles also makes sense in
SimpleAuthorizingInterceptor. A sample is authentication using a SAML assertion
without a role assertion attribute and without TLS.
The proposal is to introduce a boolean property "checkConfiguredRolesOnly" in
SimpleAuthorizingInterceptor. If the property is true, only the configured roles will
be checked, and isUserInRole for the SecurityContext will not be called.
By default the property will be deactivated.
Patch is attached.
Regards,
Andrei.
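As an added illustration (not the attached patch and not CXF's own code), the sketch below models the proposed checkConfiguredRolesOnly property with a minimal stand-in for SecurityContext; the class name ConfiguredRolesCheck, the setter names, and the sample user "alice" and method "getBalance" are assumptions.

```java
import java.security.Principal;
import java.util.*;

// Stand-in for CXF's SecurityContext: only the two calls the check needs.
interface SecurityContext {
    Principal getUserPrincipal();
    boolean isUserInRole(String role);
}

public class ConfiguredRolesCheck {
    private final Map<String, List<String>> methodRolesMap = new HashMap<>();
    private final Map<String, List<String>> userRolesMap = new HashMap<>();
    private boolean checkConfiguredRolesOnly; // proposed property, off by default

    void setMethodRoles(String method, String... roles) { methodRolesMap.put(method, Arrays.asList(roles)); }
    void setUserRoles(String user, String... roles) { userRolesMap.put(user, Arrays.asList(roles)); }
    void setCheckConfiguredRolesOnly(boolean value) { checkConfiguredRolesOnly = value; }

    boolean authorize(SecurityContext sc, String method) {
        List<String> expected = methodRolesMap.getOrDefault(method, Collections.emptyList());
        if (expected.isEmpty()) return true; // method has no role constraint
        // Default mode: the context itself must already assert one of the roles ...
        if (!checkConfiguredRolesOnly && expected.stream().noneMatch(sc::isUserInRole)) {
            return false;
        }
        // ... and the configured user->roles map can only narrow that further.
        // With the property on, the map is the sole authority, so an empty map denies.
        if (userRolesMap.isEmpty()) return !checkConfiguredRolesOnly;
        Principal p = sc.getUserPrincipal();
        List<String> userRoles = p == null ? null : userRolesMap.get(p.getName());
        return userRoles != null && expected.stream().anyMatch(userRoles::contains);
    }

    public static void main(String[] args) {
        // Constructed context: a SAML-authenticated user whose assertion carried no
        // role attribute, so isUserInRole() can never return true.
        SecurityContext samlNoRoles = new SecurityContext() {
            public Principal getUserPrincipal() { return () -> "alice"; }
            public boolean isUserInRole(String role) { return false; }
        };
        ConfiguredRolesCheck check = new ConfiguredRolesCheck();
        check.setMethodRoles("getBalance", "customer");
        check.setUserRoles("alice", "customer");
        System.out.println(check.authorize(samlNoRoles, "getBalance")); // false: context has no roles
        check.setCheckConfiguredRolesOnly(true);
        System.out.println(check.authorize(samlNoRoles, "getBalance")); // true: configured map decides
        check.setUserRoles("alice", "guest");
        System.out.println(check.authorize(samlNoRoles, "getBalance")); // false: configured role mismatch
    }
}
```

With the property on, the SecurityContext roles are ignored entirely, so the configured userRolesMap must be treated as the authoritative source of role assignments for that endpoint.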