Paul Adams created CXF-5536:
-------------------------------
Summary: JAASAuthenticationFilter can only filter users from groups/roles based on one classname.
Key: CXF-5536
URL: https://issues.apache.org/jira/browse/CXF-5536
Project: CXF
Issue Type: Improvement
Components: Core
Affects Versions: 2.7.8
Reporter: Paul Adams
Priority: Minor
This is related to:
https://issues.apache.org/jira/browse/CXF-5484
The RolePrefixSecurityContextImpl class and users of it are only allowed to
pass a single String as a "role classifier". This is fine assuming that a
system only has one other Java principal type other than a "user principal", but
many have multiple principal types. For instance, it's common to have Users,
Groups and Roles.
In such situations the existing code cannot adequately separate what is a user
from what is something else (a group or role).
Multiple qualifiers should be supported OR the reverse logic might actually be
more simplistic. That is today you pass in a string that is intended to
indicate what is a "role" and the code then thinks that if it's not a role it
must be a user. Perhaps it would be more straightforward to ask what's a
"user" (since in a set of Principals there will only be one of those) and then
assume everything else is a "role".
At any rate if I configure karaf with a realm that uses
org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
(http://karaf.apache.org/manual/latest/users-guide/security.html) and then
configure that properties file to specify both groups and roles then CXF may
think that a "group" is a "user" and more often than not improperly identifies
a group as being the user principal.
To work around this I plan to not use groups so that I only have User and Role
Principals but it would certainly be nicer if CXF could deal with both.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
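As an added illustration (not CXF's or Karaf's own code), this Java sketch reproduces the classification logic the report describes using constructed User, Group and Role principal classes (hypothetical names): the single role-classname rule takes the first non-role principal as the user and lands on the group, while the reverse user-classname rule the reporter proposes keeps the group and the role together as roles.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class PrincipalClassification {
    // Constructed stand-ins for the three principal types in the report
    // (hypothetical classes, not Karaf's PropertiesLoginModule principals).
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    static class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }
    static class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }

    // Logic as the report describes it: one role classname is given, and the
    // first principal that is NOT of that class is assumed to be the user.
    static Principal userByRoleClassname(Subject subject, String roleClassname) {
        for (Principal p : subject.getPrincipals()) {
            if (!p.getClass().getName().equals(roleClassname)) {
                return p; // with groups present this can be the GroupPrincipal
            }
        }
        return null;
    }

    // Reverse logic the reporter suggests: name the single user classname and
    // treat every other principal (groups and roles alike) as a role.
    static List<Principal> rolesByUserClassname(Subject subject, String userClassname) {
        List<Principal> roles = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (!p.getClass().getName().equals(userClassname)) {
                roles.add(p);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        Subject subject = new Subject(); // constructed sample: group, user, role
        subject.getPrincipals().add(new GroupPrincipal("admingroup"));
        subject.getPrincipals().add(new UserPrincipal("karaf"));
        subject.getPrincipals().add(new RolePrincipal("admin"));

        Principal user = userByRoleClassname(subject, RolePrincipal.class.getName());
        System.out.println("role-classname rule picks: " + user.getClass().getSimpleName()
                + " '" + user.getName() + "'"); // GroupPrincipal 'admingroup'
        List<Principal> roles = rolesByUserClassname(subject, UserPrincipal.class.getName());
        System.out.println("user-classname rule sees " + roles.size() + " roles"); // 2
    }
}
```

Because the role classifier only names one class, any principal class it does not name competes with the real user principal; the user-classname rule has no such ambiguity since a Subject carries exactly one user principal.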