[ 
https://issues.apache.org/jira/browse/JS2-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12539103
 ] 

Prasanna commented on JS2-21:
-----------------------------

We need this feature of retrieving the roles based on the group assigned to 
user.

I am planning to modify the o.a.j.security.impl.DefaultSecurityMappingHandler 
getRolePrincipals(username) to retrieve the groups from the user first and then 
roles from that group.

In my custom SecurityMappingHandler, I am able to retrieve the Roles from a 
Group assigned to a User and it's working fine.

Am I missing anything, as I don't want to break some other functionality related 
to this getRolePrincipals() if I make the same modification in the 
DefaultSecurityMappingHandler?

I really appreciate any help regarding this.
Prasanna


> Missing Security Feature: Check roles assigned to any group to user belongs
> ---------------------------------------------------------------------------
>
>                 Key: JS2-21
>                 URL: https://issues.apache.org/jira/browse/JS2-21
>             Project: Jetspeed 2
>          Issue Type: New Feature
>          Components: Security
>    Affects Versions: 2.0-FINAL, 2.1
>            Reporter: David Le Strat
>            Assignee: Ate Douma
>             Fix For: 2.2
>
>
> Reported by Ate Douma:
> o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
> missing a required feature.
> A User can be part of a Group which can have Roles just like the User itself.
> The isUserInRole() method currently only checks if the specified role is 
> assigned to the user, not if it is assigned to one of the groups the user 
> belongs to.
> The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet 
> PLT.20.2 also applies for portlets) specifies that a user is in a specific 
> role either when assigned directly to the user or
> when assigned to a group the user belongs to.
> Thus according to this definition the RoleManagerImpl.isUserInRole() 
> should also check the roles assigned to any group the user belongs to.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
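The semantics the issue quotes from SRV.12.4, shown as an added example that is not Jetspeed's own code: a user's effective roles are the roles assigned directly to the user plus the roles assigned to every group the user belongs to, and isUserInRole() is a membership test on that effective set. The class name, the in-memory maps and the sample users, groups and roles below are constructed for illustration; the example also assumes, as the comment above proposes, that isUserInRole() can be expressed as a lookup in the set returned by getRolePrincipals(), so fixing the latter fixes the former.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (hypothetical class, not from Jetspeed): a minimal in-memory
 * model of the user / group / role mapping discussed in JS2-21.
 */
public class RoleResolutionExample {

    // user -> roles assigned directly to that user
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    // user -> groups the user is a member of
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    // group -> roles assigned to that group
    private final Map<String, Set<String>> groupRoles = new HashMap<>();

    public void assignRoleToUser(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    public void addUserToGroup(String user, String group) {
        userGroups.computeIfAbsent(user, k -> new HashSet<>()).add(group);
    }

    public void assignRoleToGroup(String group, String role) {
        groupRoles.computeIfAbsent(group, k -> new HashSet<>()).add(role);
    }

    /**
     * The behaviour the issue reports as incomplete: only roles assigned
     * directly to the user are consulted, so a role granted through a group
     * is never seen.
     */
    public boolean isUserInRoleDirectOnly(String user, String role) {
        return userRoles.getOrDefault(user, Collections.emptySet()).contains(role);
    }

    /**
     * Effective roles per SRV.12.4: direct roles unioned with the roles of
     * every group the user belongs to. A fresh set is returned so callers
     * cannot mutate the underlying mapping.
     */
    public Set<String> getRolePrincipals(String user) {
        Set<String> effective =
            new HashSet<>(userRoles.getOrDefault(user, Collections.emptySet()));
        for (String group : userGroups.getOrDefault(user, Collections.emptySet())) {
            effective.addAll(groupRoles.getOrDefault(group, Collections.emptySet()));
        }
        return effective;
    }

    /** Corrected check: membership in the effective role set. */
    public boolean isUserInRole(String user, String role) {
        return getRolePrincipals(user).contains(role);
    }

    public static void main(String[] args) {
        RoleResolutionExample mapping = new RoleResolutionExample();

        // constructed sample data: alice holds "user" directly and gets
        // "editor" only through membership of the "editors" group
        mapping.assignRoleToUser("alice", "user");
        mapping.addUserToGroup("alice", "editors");
        mapping.assignRoleToGroup("editors", "editor");

        // direct-only check vs. the group-aware check for a group-granted role
        System.out.println("direct-only editor: "
            + mapping.isUserInRoleDirectOnly("alice", "editor"));
        System.out.println("group-aware editor: "
            + mapping.isUserInRole("alice", "editor"));

        // a role assigned neither to the user nor to any of her groups
        System.out.println("group-aware admin:  "
            + mapping.isUserInRole("alice", "admin"));

        System.out.println("effective roles:    "
            + mapping.getRolePrincipals("alice"));
    }
}
```

The two checks differ only on roles that reach the user through a group, which is exactly the case the issue describes; keeping group expansion inside getRolePrincipals() means any caller that already consumes that set picks up the corrected behaviour without further changes.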

