[
https://issues.apache.org/jira/browse/CXF-4495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13448633#comment-13448633
]
Sergey Beryozkin commented on CXF-4495:
---------------------------------------
Hi,
Patch has been applied, thanks. I did a minor update to the abstract
interceptor to enforce that SecurityContext is available and has Principal set,
as a sanity check
Cheers, Sergey
> Extend SimpleAuthorizingInterceptor to check only configured roles
> ------------------------------------------------------------------
>
> Key: CXF-4495
> URL: https://issues.apache.org/jira/browse/CXF-4495
> Project: CXF
> Issue Type: Improvement
> Components: Core
> Reporter: Andrei Shakirin
> Priority: Minor
> Attachments: cxf-rt-core-SimpleAuthorizingInInterceptor.patch
>
>
> Hi,
> Actually SimpleAuthorizingInterceptor works only with prepared
> SecurityContext (with resolved roles). Configured user roles map is checked
> only additionally to roles in context. It is possible to restrict access in
> configuration, but not extend it.
> I see some use cases, where checking only configured roles also makes sense
> in SimpleAuthorizingInterceptor. Sample is authentication using SAML
> assertion without role assertion attribute and without TLS.
> Proposal is to introduce boolean property "checkConfiguredRolesOnly" in
> SimpleAuthorizingInterceptor. If property is true, only configured roles will
> be checked, isUserInRole for SecurityContext will not be called.
> By default property will be deactivated.
> Patch is attached.
> Regards,
> Andrei.
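The following is an added, stand-alone Java sketch (not CXF's own code, and not the attached patch) modelling the behaviour discussed above: a `checkConfiguredRolesOnly` flag that makes authorization consult only the configured user-to-roles map and skip `SecurityContext.isUserInRole`, plus the sanity check that a `SecurityContext` with a `Principal` must be present. The `SecurityContext` stand-in, the map names and the sample users and roles are assumptions for illustration.

```java
import java.security.Principal;
import java.util.*;

// Hypothetical model of the proposed SimpleAuthorizingInterceptor semantics; not CXF code.
public class RoleCheckModel {
    /** Minimal stand-in for CXF's SecurityContext: a principal plus already-resolved roles. */
    interface SecurityContext {
        Principal getUserPrincipal();
        boolean isUserInRole(String role);
    }

    private final Map<String, List<String>> methodRolesMap; // method name -> roles allowed to call it
    private final Map<String, List<String>> userRolesMap;   // user name -> roles granted in configuration
    private final boolean checkConfiguredRolesOnly;

    RoleCheckModel(Map<String, List<String>> methodRoles, Map<String, List<String>> userRoles,
                   boolean checkConfiguredRolesOnly) {
        this.methodRolesMap = methodRoles;
        this.userRolesMap = userRoles;
        this.checkConfiguredRolesOnly = checkConfiguredRolesOnly;
    }

    /** Returns true if the call may proceed; rejects outright when no authenticated principal exists. */
    boolean authorize(SecurityContext sc, String method) {
        if (sc == null || sc.getUserPrincipal() == null) {
            // Sanity check: authorization without an authenticated principal is always an error.
            throw new SecurityException("No SecurityContext or Principal; authentication must run first");
        }
        List<String> required = methodRolesMap.get(method);
        if (required == null || required.isEmpty()) {
            return false; // fail closed when nothing is configured for this method
        }
        String user = sc.getUserPrincipal().getName();
        List<String> configured = userRolesMap.getOrDefault(user, Collections.emptyList());
        for (String role : required) {
            if (configured.contains(role)) {
                return true; // role granted purely by configuration (works without resolved roles)
            }
            if (!checkConfiguredRolesOnly && sc.isUserInRole(role)) {
                return true; // default mode: also honour roles resolved by the authentication layer
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a SAML-style context whose assertion carried no role attribute.
        SecurityContext samlNoRoles = new SecurityContext() {
            public Principal getUserPrincipal() { return () -> "alice"; }
            public boolean isUserInRole(String role) { return false; }
        };
        Map<String, List<String>> methodRoles = Map.of("getReport", List.of("auditor"));
        Map<String, List<String>> userRoles = Map.of("alice", List.of("auditor"));
        System.out.println("configured-only: "
            + new RoleCheckModel(methodRoles, userRoles, true).authorize(samlNoRoles, "getReport"));
        System.out.println("unknown user:    "
            + new RoleCheckModel(methodRoles, Map.of(), true).authorize(samlNoRoles, "getReport"));
    }
}
```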