portals-jetspeed-dev mailing list archives

From "Randy Watler (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-21) Missing Security Feature: Check roles assigned to any group to user belongs
Date Thu, 04 May 2006 19:35:18 GMT
    [ http://issues.apache.org/jira/browse/JS2-21?page=comments#action_12377877 ] 

Randy Watler commented on JS2-21:
---------------------------------

Ralph... do you need PSML constraints/permissions or isUserInRole() to function correctly?

I know that having it all function correctly would be ideal, but I might be able to add support
in the PageManager/PSML more directly than fixing isUserInRole().

> Missing Security Feature: Check roles assigned to any group to user belongs
> ---------------------------------------------------------------------------
>
>          Key: JS2-21
>          URL: http://issues.apache.org/jira/browse/JS2-21
>      Project: Jetspeed 2
>         Type: New Feature
>
>   Components: Security
>     Versions: 2.0-FINAL
>     Reporter: David Le Strat
>     Assignee: Ate Douma
>      Fix For: 2.1
>
>
> Reported by Ate Douma:
> o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
> missing a required feature.
> A User can be part of a Group which can have Roles just like the User itself.
> The isUserInRole() method currently only checks if the specified role is assigned to
> the user, not if it is assigned to one of the groups the user belongs to.
> The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also
> applies for portlets) specifies that a user is in a specific role either when assigned directly
> to the user or when assigned to a group the user belongs to.
> Thus according to this definition the RoleManagerImpl.isUserInRole()
> should also check the roles assigned to any group the user belongs to.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
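
The role check described in the quoted issue, as an added example that is not part of the original message and is not Jetspeed's code: a direct-only check beside one that also honours roles granted through groups. The class, method names and in-memory maps are hypothetical, and the users, groups and roles are constructed sample data.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration; names are hypothetical and do not reflect Jetspeed's API.
public class GroupRoleCheck {
    // Constructed sample data: direct role grants, group membership, group role grants.
    static final Map<String, Set<String>> USER_ROLES = Map.of("ralph", Set.of("subscriber"));
    static final Map<String, Set<String>> USER_GROUPS = Map.of("ralph", Set.of("engineering"));
    static final Map<String, Set<String>> GROUP_ROLES = Map.of("engineering", Set.of("page-editor"));

    // Behaviour the issue reports: only roles assigned directly to the user are checked.
    static boolean isUserInRoleDirectOnly(String user, String role) {
        return USER_ROLES.getOrDefault(user, Set.of()).contains(role);
    }

    // Union of direct roles and the roles of every group the user belongs to.
    // Unknown users and groups without grants resolve to an empty set.
    static Set<String> effectiveRoles(String user) {
        Set<String> roles = new TreeSet<>(USER_ROLES.getOrDefault(user, Set.of()));
        for (String group : USER_GROUPS.getOrDefault(user, Set.of())) {
            roles.addAll(GROUP_ROLES.getOrDefault(group, Set.of()));
        }
        return roles;
    }

    // Behaviour the issue asks for: a role counts whether granted directly or via a group.
    static boolean isUserInRole(String user, String role) {
        return effectiveRoles(user).contains(role);
    }

    public static void main(String[] args) {
        String[][] checks = {
            {"ralph", "subscriber"},   // granted directly
            {"ralph", "page-editor"},  // granted only through the group
            {"ralph", "admin"},        // granted nowhere
            {"nobody", "page-editor"}, // unknown user
        };
        for (String[] c : checks) {
            System.out.printf("%s / %s: direct-only=%b group-aware=%b%n",
                c[0], c[1], isUserInRoleDirectOnly(c[0], c[1]), isUserInRole(c[0], c[1]));
        }
        System.out.println("effective roles for ralph: " + effectiveRoles("ralph"));
    }
}
```

Any constraint evaluated against the direct-only result rejects a user whose role arrives through group membership, which is the gap between the two columns for the group-granted role.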

