portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Updated: (JS2-21) Missing Security Feature: Check roles assigned to any group to user belongs
Date Wed, 26 Oct 2005 13:27:56 GMT
     [ http://issues.apache.org/jira/browse/JS2-21?page=all ]

Ate Douma updated JS2-21:
-------------------------

    Fix Version: 2.0-FINAL
    Description: 
Reported by Ate Douma:

o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
missing a required feature.
A User can be part of a Group which can have Roles just like the User itself.
The isUserInRole() method currently only checks if the specified role is assigned to the user,
not if it is assigned to one of the groups the user belongs to.
The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also applies
for portlets) specifies that a user is in a specific role either when assigned directly to
the user or when assigned to a group the user belongs to.
Thus according to this definition the RoleManagerImpl.isUserInRole()
should also check the roles assigned to any group the user belongs to.


  was:
Reported by Ate Douma:

o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
missing a required feature.
A User can be part of a Group which can have Roles just like the User itself.
The isUserInRole() method currently only checks if the specified role is assigned to the user,
not if it is assigned to one of the groups the user belongs to.
The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also applies
for portlets) specifies that a user is in a specific role either when assigned directly to
the user or when assigned to a group the user belongs to.
Thus according to this definition the RoleManagerImpl.isUserInRole()
should also check the roles assigned to any group the user belongs to.


        Version: 2.0-FINAL
                     (was: 2.0-a1)
    Environment: 

I'm going to implement this feature, together with JS2-27, independent of JS2-151 to be able
to get it into 2.0-FINAL release.
I already have it working locally, but I need more time to add a proper testcase for it before
I can commit it.

> Missing Security Feature: Check roles assigned to any group to user belongs
> ---------------------------------------------------------------------------
>
>          Key: JS2-21
>          URL: http://issues.apache.org/jira/browse/JS2-21
>      Project: Jetspeed 2
>         Type: New Feature
>   Components: Security
>     Versions: 2.0-FINAL
>     Reporter: David Le Strat
>     Assignee: Ate Douma
>      Fix For: 2.0-FINAL

>
> Reported by Ate Douma:
> o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
> missing a required feature.
> A User can be part of a Group which can have Roles just like the User itself.
> The isUserInRole() method currently only checks if the specified role is assigned to
> the user, not if it is assigned to one of the groups the user belongs to.
> The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also
> applies for portlets) specifies that a user is in a specific role either when assigned directly
> to the user or when assigned to a group the user belongs to.
> Thus according to this definition the RoleManagerImpl.isUserInRole()
> should also check the roles assigned to any group the user belongs to.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
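
The role check described in this issue, as an added example that is not Jetspeed's code and not part of the original message. It puts the direct-only check next to a check that also resolves roles through group membership; the class name, the helper methods and the sample users, groups and roles are hypothetical and constructed for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added illustration: an in-memory model, not Jetspeed's RoleManagerImpl or its API.
public class GroupAwareRoleCheck {
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    private final Map<String, Set<String>> groupRoles = new HashMap<>();

    private static void add(Map<String, Set<String>> m, String key, String value) {
        m.computeIfAbsent(key, k -> new HashSet<>()).add(value);
    }

    private static Set<String> get(Map<String, Set<String>> m, String key) {
        return m.getOrDefault(key, Collections.<String>emptySet());
    }

    void addRoleToUser(String user, String role)   { add(userRoles, user, role); }
    void addUserToGroup(String user, String group) { add(userGroups, user, group); }
    void addRoleToGroup(String group, String role) { add(groupRoles, group, role); }

    // Behaviour the issue reports: only roles assigned directly to the user count.
    boolean isUserInRoleDirectOnly(String user, String role) {
        return get(userRoles, user).contains(role);
    }

    // Behaviour the issue asks for: a direct role, or a role held by any group
    // the user belongs to. Unknown users and groups resolve to "no roles".
    boolean isUserInRole(String user, String role) {
        if (isUserInRoleDirectOnly(user, role)) {
            return true;
        }
        for (String group : get(userGroups, user)) {
            if (get(groupRoles, group).contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        GroupAwareRoleCheck rm = new GroupAwareRoleCheck();
        rm.addRoleToUser("alice", "subscriber");   // constructed sample data
        rm.addUserToGroup("alice", "editors");
        rm.addRoleToGroup("editors", "publisher");
        for (String role : new String[] {"subscriber", "publisher", "admin"}) {
            System.out.println(role + ": direct-only=" + rm.isUserInRoleDirectOnly("alice", role)
                    + " group-aware=" + rm.isUserInRole("alice", role));
        }
    }
}
```

The two checks disagree only for a role that reaches the user through a group, which is the case a test for this change needs to cover alongside a role that is assigned to neither the user nor any of the user's groups.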

