[
https://issues.apache.org/jira/browse/CXF-4495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Beryozkin resolved CXF-4495.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.7.0, 2.6.3
Assignee: Sergey Beryozkin
> Extend SimpleAuthorizingInterceptor to check only configured roles
> ------------------------------------------------------------------
>
> Key: CXF-4495
> URL: https://issues.apache.org/jira/browse/CXF-4495
> Project: CXF
> Issue Type: Improvement
> Components: Core
> Reporter: Andrei Shakirin
> Assignee: Sergey Beryozkin
> Priority: Minor
> Fix For: 2.6.3, 2.7.0
>
> Attachments: cxf-rt-core-SimpleAuthorizingInInterceptor.patch
>
>
> Hi,
> Actually, SimpleAuthorizingInterceptor works only with a prepared
> SecurityContext (with resolved roles). The configured user roles map is checked
> only in addition to the roles in the context. It is possible to restrict access in
> configuration, but not to extend it.
> I see some use cases where checking only configured roles also makes sense
> in SimpleAuthorizingInterceptor. A sample is authentication using a SAML
> assertion without a role assertion attribute and without TLS.
> The proposal is to introduce a boolean property "checkConfiguredRolesOnly" in
> SimpleAuthorizingInterceptor. If the property is true, only configured roles will
> be checked; isUserInRole for SecurityContext will not be called.
> By default the property will be deactivated.
> The patch is attached.
> Regards,
> Andrei.
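
The two modes described in the issue, as an added stand-alone Java model (not CXF's code and not the attached patch). `Ctx` and `isAuthorized` are hypothetical names, the users are constructed sample data, and denying users who are missing from the configured map is an assumption of this sketch.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Stand-alone model of the two modes described in CXF-4495; it uses no CXF classes.
// Ctx and isAuthorized are hypothetical names, and the sample users are constructed.
public class RoleCheckDemo {

    // Stand-in for a security context: principal name plus roles resolved at authentication.
    static final class Ctx {
        final String user;
        final Set<String> resolvedRoles;
        Ctx(String user, String... roles) {
            this.user = user;
            this.resolvedRoles = new HashSet<>(Arrays.asList(roles));
        }
        boolean isUserInRole(String role) { return resolvedRoles.contains(role); }
    }

    static boolean isAuthorized(Ctx ctx, List<String> required,
            Map<String, List<String>> userRolesMap, boolean checkConfiguredRolesOnly) {
        if (!checkConfiguredRolesOnly) {
            // Default: the context itself must hold one of the required roles.
            if (required.stream().noneMatch(ctx::isUserInRole)) return false;
            // With no map configured, the context decision stands.
            if (userRolesMap.isEmpty()) return true;
        }
        // The map narrows access (default) or is the only source (configured-only).
        List<String> configured = userRolesMap.get(ctx.user);
        if (configured == null) return false; // assumption: unlisted users are denied
        return required.stream().anyMatch(configured::contains);
    }

    public static void main(String[] args) {
        Map<String, List<String>> map = new HashMap<>();
        map.put("alice", Arrays.asList("admin"));
        List<String> required = Arrays.asList("admin");
        Ctx alice = new Ctx("alice");        // authenticated, but no roles in the context
        Ctx bob = new Ctx("bob", "admin");   // role in the context, not in the map
        System.out.println("alice default:         " + isAuthorized(alice, required, map, false));
        System.out.println("alice configured-only: " + isAuthorized(alice, required, map, true));
        System.out.println("bob default:           " + isAuthorized(bob, required, map, false));
        System.out.println("bob configured-only:   " + isAuthorized(bob, required, map, true));
    }
}
```

In configured-only mode the decision rests solely on the principal name looked up in the map, so the authentication step that supplies that name carries the whole trust burden.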