[
https://issues.apache.org/jira/browse/CXF-5536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved CXF-5536.
--------------------------------------
Resolution: Won't Fix
See Sergey's comment.
> JAASAuthenticationFilter can only filter users from groups/roles based on one
> classname.
> ----------------------------------------------------------------------------------------
>
> Key: CXF-5536
> URL: https://issues.apache.org/jira/browse/CXF-5536
> Project: CXF
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.7.8
> Reporter: Paul Adams
> Priority: Minor
>
> This is related to:
> https://issues.apache.org/jira/browse/CXF-5484
> The RolePrefixSecurityContextImpl class and users of it are only allowed to
> pass a single String in as a "role classifier". This is fine assuming that a
> system only has one other java principal type other than a "user principal"
> but many have multiple principal types. For instance it's common to have
> Users, Groups and Roles.
> In such situations the existing code cannot adequately separate what is a
> user from what is something else (a group or role).
> Multiple qualifiers should be supported OR the reverse logic might actually
> be more simplistic. That is, today you pass in a string that is intended to
> indicate what is a "role" and the code then thinks that if it's not a role it
> must be a user. Perhaps it would be more straightforward to ask what's a
> "user" (since in a set of Principals there will only be one of those) and
> then assume everything else is a "role".
> At any rate, if I configure Karaf with a realm that uses
> org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
> (http://karaf.apache.org/manual/latest/users-guide/security.html) and then
> configure that properties file to specify both groups and roles then CXF may
> think that a "group" is a "user" and more often than not improperly
> identifies a group as being the user principal.
> To work around this I plan to not use groups so that I only have User and
> Role Principals but it would certainly be nicer if CXF could deal with both.
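The following is an added illustration, not CXF's code and not part of the report: a simplified model of the single-classifier logic the issue describes, next to the reversed "classify the user" logic the reporter proposes. The class `RoleClassifierDemo`, its methods, the three principal records and the sample names are constructed for this example; only `Subject` and `Principal` are real JDK types.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class RoleClassifierDemo {
    // Constructed stand-ins for the three principal types a realm may emit.
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    record GroupPrincipal(String name) implements Principal { public String getName() { return name; } }
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }

    // Behaviour as the report describes it: one class-name classifier marks roles,
    // and the first principal that is not a role is assumed to be the user.
    static Principal userBySingleRoleClassifier(Subject subject, String roleClassifier) {
        for (Principal p : subject.getPrincipals()) {
            if (!p.getClass().getName().endsWith(roleClassifier)) return p;
        }
        return null;
    }

    // The report's reversed logic: classify the user, treat everything else as a role.
    static Principal userByUserClassifier(Subject subject, String userClassifier) {
        for (Principal p : subject.getPrincipals()) {
            if (p.getClass().getName().endsWith(userClassifier)) return p;
        }
        return null;
    }

    static List<String> rolesByUserClassifier(Subject subject, String userClassifier) {
        List<String> roles = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (!p.getClass().getName().endsWith(userClassifier)) roles.add(p.getName());
        }
        return roles;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        // Constructed sample: the login module happens to add the group first.
        subject.getPrincipals().add(new GroupPrincipal("admingroup"));
        subject.getPrincipals().add(new UserPrincipal("alice"));
        subject.getPrincipals().add(new RolePrincipal("admin"));

        System.out.println("single role classifier -> user  = "
                + userBySingleRoleClassifier(subject, "RolePrincipal").getName());
        System.out.println("user classifier        -> user  = "
                + userByUserClassifier(subject, "UserPrincipal").getName());
        System.out.println("user classifier        -> roles = "
                + rolesByUserClassifier(subject, "UserPrincipal"));
    }
}
```

With the single role classifier the group name is reported as the caller's identity, which is the value that would end up in authorization decisions and audit records; with the user classifier the user is found regardless of principal order and the group is treated as a role.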