[
https://issues.apache.org/jira/browse/JS2-21?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ate Douma closed JS2-21.
------------------------
Resolution: Fixed
Fix Version/s: 2.1.3 (was: 2.2)
Assignee: Woonsan Ko (was: David Sean Taylor)
Already fixed by Woonsan and by default enabled now since Jetspeed 2.1.3
> Missing Security Feature: Check roles assigned to any group to user belongs
> ---------------------------------------------------------------------------
>
> Key: JS2-21
> URL: https://issues.apache.org/jira/browse/JS2-21
> Project: Jetspeed 2
> Issue Type: New Feature
> Components: Security
> Affects Versions: 2.0-FINAL, 2.1
> Reporter: David Le Strat
> Assignee: Woonsan Ko
> Fix For: 2.1.3
>
>
> Reported by Ate Douma:
> o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
> missing a required feature.
> A User can be part of a Group which can have Roles just like the User itself.
> The isUserInRole() method currently only checks if the specified role is
> assigned to the user, not if it is assigned to one of the groups the user
> belongs to.
> The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet
> PLT.20.2 also applies for portlets) specifies that a user is in a specific
> role either when assigned directly to the user or
> when assigned to a group the user belongs to.
> Thus according to this definition the RoleManagerImpl.isUserInRole()
> should also check the roles assigned to any group the user belongs to.
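The role check the report asks for, as an added example that is not Jetspeed's code and not part of the original message: a self-contained in-memory model comparing a direct-only check with one that also consults the roles of the user's groups, plus a helper that lists the roles a user holds only through groups. All class, method and sample names are hypothetical.

```java
import java.util.*;

// Added illustration, not Jetspeed code. All names and sample data are hypothetical.
public class GroupRoleCheck {
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    private final Map<String, Set<String>> groupRoles = new HashMap<>();

    private static void put(Map<String, Set<String>> m, String key, String value) {
        m.computeIfAbsent(key, k -> new TreeSet<>()).add(value);
    }
    void grantRoleToUser(String user, String role)   { put(userRoles, user, role); }
    void addUserToGroup(String user, String group)   { put(userGroups, user, group); }
    void grantRoleToGroup(String group, String role) { put(groupRoles, group, role); }

    // Behaviour described in the report: only roles assigned directly to the user count.
    boolean isUserInRoleDirectOnly(String user, String role) {
        return userRoles.getOrDefault(user, Collections.emptySet()).contains(role);
    }

    // Behaviour the report asks for: a direct role, or a role of any group the user belongs to.
    boolean isUserInRole(String user, String role) {
        if (isUserInRoleDirectOnly(user, role)) return true;
        for (String group : userGroups.getOrDefault(user, Collections.emptySet())) {
            if (groupRoles.getOrDefault(group, Collections.emptySet()).contains(role)) return true;
        }
        return false;
    }

    // Roles the user holds only through group membership: the access that
    // appears once the group-aware check is in effect.
    Set<String> rolesGainedViaGroups(String user) {
        Set<String> gained = new TreeSet<>();
        for (String group : userGroups.getOrDefault(user, Collections.emptySet())) {
            gained.addAll(groupRoles.getOrDefault(group, Collections.emptySet()));
        }
        gained.removeAll(userRoles.getOrDefault(user, Collections.emptySet()));
        return gained;
    }

    public static void main(String[] args) {
        GroupRoleCheck rm = new GroupRoleCheck();   // constructed sample data
        rm.grantRoleToUser("alice", "user");
        rm.addUserToGroup("alice", "editors");
        rm.grantRoleToGroup("editors", "publisher");
        System.out.println(rm.isUserInRoleDirectOnly("alice", "publisher")); // false
        System.out.println(rm.isUserInRole("alice", "publisher"));           // true
        System.out.println(rm.rolesGainedViaGroups("alice"));                // [publisher]
    }
}
```

Running a listing like `rolesGainedViaGroups` over existing accounts before moving to a release where the group-aware check is on by default shows which users will pass role checks they previously failed.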