The following comment has been added to this issue:
Author: Ate Douma
Created: Thu, 21 Oct 2004 11:05 AM
Body:
I haven't checked yet if this issue is still valid but if it is, I will fix it while
working on the security issue JS2-151.
---------------------------------------------------------------------
View this comment:
http://issues.apache.org/jira/browse/JS2-21?page=comments#action_54442
---------------------------------------------------------------------
View the issue:
http://issues.apache.org/jira/browse/JS2-21
Here is an overview of the issue:
---------------------------------------------------------------------
Key: JS2-21
Summary: Missing Security Feature: Check roles assigned to any group the user belongs to
Type: New Feature
Status: Open
Priority: Major
Project: Jetspeed 2
Components: Security
Versions: 2.0-a1
Assignee: Ate Douma
Reporter: David Le Strat
Created: Mon, 26 Apr 2004 6:12 AM
Updated: Thu, 21 Oct 2004 11:05 AM
Description:
Reported by Ate Douma:
o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
missing a required feature.
A User can be part of a Group which can have Roles just like the User itself.
The isUserInRole() method currently only checks if the specified role is assigned to
the user, not if it is assigned to one of the groups the user belongs to.
The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also
applies to portlets) specifies that a user is in a specific role either when the role is
assigned directly to the user or when it is assigned to a group the user belongs to.
Thus according to this definition the RoleManagerImpl.isUserInRole()
should also check the roles assigned to any group the user belongs to.
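The two behaviours described in this issue, side by side, as an added example. This is not Jetspeed code: the User and Group classes and the two isUserInRole methods are assumed names for a minimal in-memory model, and the sample users, groups and roles are constructed. The group-aware check also resolves roles inherited through nested (parent) groups, which goes beyond the issue text; the traversal is cycle-safe so a misconfigured membership loop cannot hang the check.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

// Added illustration of the role check discussed in JS2-21; not Jetspeed code.
// All class and method names are assumptions made for this example.
public class RoleCheckExample {

    // A group carries its own role assignments and, optionally, parent groups
    // (parent groups are an assumption; the issue only mentions direct membership).
    static final class Group {
        final String name;
        final Set<String> roles = new HashSet<>();
        final Set<Group> parents = new HashSet<>();
        Group(String name) { this.name = name; }
    }

    // A user carries directly assigned roles and the groups it belongs to.
    static final class User {
        final String name;
        final Set<String> roles = new HashSet<>();
        final Set<Group> groups = new HashSet<>();
        User(String name) { this.name = name; }
    }

    /** Behaviour the issue reports as defective: only the user's own assignments are consulted,
     *  so a role granted through a group is silently denied. */
    static boolean isUserInRoleDirectOnly(User user, String role) {
        return user.roles.contains(role);
    }

    /** Behaviour required by SRV.12.4: the role may be assigned to the user directly
     *  or to any group the user belongs to. Parent groups are followed breadth-first;
     *  the visited set guards against cycles in group membership. */
    static boolean isUserInRole(User user, String role) {
        if (user.roles.contains(role)) {
            return true;
        }
        Set<Group> visited = new HashSet<>();
        Deque<Group> pending = new ArrayDeque<>(user.groups);
        while (!pending.isEmpty()) {
            Group g = pending.pop();
            if (!visited.add(g)) {
                continue; // already examined
            }
            if (g.roles.contains(role)) {
                return true;
            }
            pending.addAll(g.parents);
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: "editors" is nested under "staff".
        Group staff = new Group("staff");
        staff.roles.add("portal-user");
        Group editors = new Group("editors");
        editors.roles.add("content-editor");
        editors.parents.add(staff);

        User alice = new User("alice");
        alice.roles.add("self-service");
        alice.groups.add(editors);

        String[] checks = {"self-service", "content-editor", "portal-user", "admin"};
        for (String role : checks) {
            System.out.printf("%-15s direct-only=%-5b with-groups=%b%n",
                    role, isUserInRoleDirectOnly(alice, role), isUserInRole(alice, role));
        }
    }
}
```

Running main shows the gap the issue describes: "self-service" is granted by both checks, "content-editor" (via the editors group) and "portal-user" (via the nested staff group) are granted only by the group-aware check, and "admin" is denied by both. The security-relevant direction of the defect is a denial rather than an over-grant, but any code that relied on isUserInRole() to mirror the servlet container's role view would reach a different authorization decision than the container itself.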