[ http://issues.apache.org/jira/browse/JS2-21?page=all ]

Ate Douma reopened JS2-21:
--------------------------
Going to roll back the changes I made for this solution as it's *not* working as it should.
This feature is *only* meant for the Servlet and Portlet isUserInRole(roleName) check.
My current implementation is merging the Roles in the User as returned from the UserManager.getUser(name).
The solution is to *only* merge (enabled) Roles from (enabled) Groups in the DefaultLoginModule.
I'm already working on that (together with the enabling/disabling of Users, Roles and Groups for JS2-27).
Almost finished, so this issue will be fixed shortly again.

> Missing Security Feature: Check roles assigned to any group the user belongs to
> --------------------------------------------------------------------------------
>
>          Key: JS2-21
>          URL: http://issues.apache.org/jira/browse/JS2-21
>      Project: Jetspeed 2
>         Type: New Feature
>   Components: Security
>     Versions: 2.0-FINAL
>     Reporter: David Le Strat
>     Assignee: Ate Douma
>      Fix For: 2.0-FINAL
>
> Reported by Ate Douma:
> o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
> missing a required feature.
> A User can be part of a Group which can have Roles just like the User itself.
> The isUserInRole() method currently only checks if the specified role is
> assigned to the user, not if it is assigned to one of the groups the user
> belongs to.
> The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet
> PLT.20.2 also applies for portlets) specifies that a user is in a specific
> role either when assigned directly to the user or
> when assigned to a group the user belongs to.
> Thus according to this definition the RoleManagerImpl.isUserInRole()
> should also check the roles assigned to any group the user belongs to.

--
This message is automatically generated by JIRA.
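The two role-resolution behaviours discussed in this thread (the reported one, which consults only roles assigned directly to the user, and the intended one, where a user is also in every role assigned to a group the user belongs to, restricted to enabled roles and enabled groups as Ate describes for the DefaultLoginModule) can be modelled outside the portal. The following is an added example written for this page, not Jetspeed code: the Role/Group/User classes, the function names and the rule that a disabled user has no effective roles at all are assumptions made here for illustration, and the sample user is constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Minimal stand-ins for the Jetspeed security principals (hypothetical model,
# not the project's own classes). "enabled" reflects the JS2-27 enable/disable flags.


@dataclass(frozen=True)
class Role:
    name: str
    enabled: bool = True


@dataclass(frozen=True)
class Group:
    name: str
    roles: FrozenSet[Role] = frozenset()
    enabled: bool = True


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[Role] = frozenset()
    groups: FrozenSet[Group] = frozenset()
    enabled: bool = True


def is_user_in_role_direct_only(user: User, role_name: str) -> bool:
    """The behaviour the issue reports: only roles assigned directly to the
    user are consulted, so group-granted roles are never seen."""
    return any(r.name == role_name for r in user.roles)


def effective_role_names(user: User) -> FrozenSet[str]:
    """SRV.12.4 semantics: a user is in a role when it is assigned directly or
    through a group the user belongs to. Disabled roles and disabled groups
    contribute nothing; a disabled user gets no roles (assumption for this example)."""
    if not user.enabled:
        return frozenset()
    names = {r.name for r in user.roles if r.enabled}
    for group in user.groups:
        if not group.enabled:
            continue  # roles of a disabled group must not leak through
        names.update(r.name for r in group.roles if r.enabled)
    return frozenset(names)


def is_user_in_role(user: User, role_name: str) -> bool:
    """The check the Servlet/Portlet isUserInRole(roleName) should answer."""
    return role_name in effective_role_names(user)


def sample_user() -> User:
    """Constructed fixture: alice holds 'viewer' directly, gets 'editor' from the
    enabled 'editors' group (whose 'legacy' role is disabled), and would get
    'admin' from the 'admins' group, but that group is disabled."""
    editors = Group("editors", frozenset({Role("editor"), Role("legacy", enabled=False)}))
    admins = Group("admins", frozenset({Role("admin")}), enabled=False)
    return User("alice", frozenset({Role("viewer")}), frozenset({editors, admins}))


def disabled_sample_user() -> User:
    """Same memberships as sample_user(), but the user itself is disabled."""
    u = sample_user()
    return User(u.name, u.roles, u.groups, enabled=False)


if __name__ == "__main__":
    alice = sample_user()
    for role in ("viewer", "editor", "legacy", "admin"):
        print(f"{role:7} direct-only={is_user_in_role_direct_only(alice, role)!s:5} "
              f"with-groups={is_user_in_role(alice, role)}")
```

Running the block shows the gap the issue describes: with the direct-only check alice is not in "editor" even though her enabled group grants it, while the group-aware check puts her in "editor" but still keeps "admin" (disabled group) and "legacy" (disabled role) out.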
