portals-jetspeed-dev mailing list archives

From "Stefan Frerich (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-21) Missing Security Feature: Check roles assigned to any group to user belongs
Date Tue, 09 Jan 2007 17:08:27 GMT

    [ https://issues.apache.org/jira/browse/JS2-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12463344 ]

Stefan Frerich commented on JS2-21:

It seems that a solution to this issue was close at hand in Dec 2005. Is there currently any
work in progress?
@Ate: Could you provide more detailed information on what the problem was in your last fix?
Thanks in advance!

> Missing Security Feature: Check roles assigned to any group to user belongs
> ---------------------------------------------------------------------------
>                 Key: JS2-21
>                 URL: https://issues.apache.org/jira/browse/JS2-21
>             Project: Jetspeed 2
>          Issue Type: New Feature
>          Components: Security
>    Affects Versions: 2.0-FINAL
>            Reporter: David Le Strat
>         Assigned To: Ate Douma
> Reported by Ate Douma:
> o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
> missing a required feature.
> A User can be part of a Group which can have Roles just like the User itself.
> The isUserInRole() method currently only checks if the specified role is assigned to
> the user, not if it is assigned to one of the groups the user belongs to.
> The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also
> applies for portlets) specifies that a user is in a specific role either when assigned directly
> to the user or when assigned to a group the user belongs to.
> Thus according to this definition the RoleManagerImpl.isUserInRole()
> should also check the roles assigned to any group the user belongs to.

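The check described in the quoted issue, as an added example that is not part of the original message and is not Jetspeed's code: a direct-only role lookup beside one that also honours roles held by the user's groups. The class name, method names and sample data are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; names are hypothetical and do not reflect Jetspeed's API.
public class GroupRoleCheck {
    // Constructed sample data: user -> direct roles, user -> groups, group -> roles.
    static final Map<String, Set<String>> USER_ROLES =
            Map.of("alice", Set.of("user"));
    static final Map<String, Set<String>> USER_GROUPS =
            Map.of("alice", Set.of("engineering"));
    static final Map<String, Set<String>> GROUP_ROLES =
            Map.of("engineering", Set.of("developer"));

    // Behaviour the issue reports: only roles assigned directly to the user count.
    static boolean isUserInRoleDirectOnly(String user, String role) {
        return USER_ROLES.getOrDefault(user, Set.of()).contains(role);
    }

    // Behaviour the issue asks for: a role also counts when it is assigned
    // to any group the user belongs to.
    static boolean isUserInRole(String user, String role) {
        if (isUserInRoleDirectOnly(user, role)) {
            return true;
        }
        for (String group : USER_GROUPS.getOrDefault(user, Set.of())) {
            if (GROUP_ROLES.getOrDefault(group, Set.of()).contains(role)) {
                return true;
            }
        }
        // Unknown users, unknown groups and unassigned roles all deny by default.
        return false;
    }

    public static void main(String[] args) {
        // "developer" reaches alice only through the "engineering" group.
        System.out.println("direct only:   " + isUserInRoleDirectOnly("alice", "developer"));
        System.out.println("with groups:   " + isUserInRole("alice", "developer"));
        // A role assigned nowhere, and a user with no records, are both denied.
        System.out.println("unassigned:    " + isUserInRole("alice", "admin"));
        System.out.println("unknown user:  " + isUserInRole("mallory", "developer"));
    }
}
```

Because the group-aware check widens what a role test accepts, any authorization decision that relied on the direct-only result should be reviewed when such a change is introduced.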