Role based authorization not working with DefaultSecurityContext (i.e., when
using JAASLoginInterceptor with non-prefixed role names)
-------------------------------------------------------------------------------------------------------------------------------------
Key: CXF-3655
URL: https://issues.apache.org/jira/browse/CXF-3655
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 2.4.1
Reporter: Aki Yoshida
Assignee: Aki Yoshida
Priority: Minor
Fix For: 2.4.2, 2.5
org.apache.cxf.interceptor.security.DefaultSecurityContext's
isUserInRole(String) is not working with jetty's nor virgo's role
configuration. This method assumes a role principal to have interface
java.security.acl.Group.
However, both jetty and virgo represent role principals using their own
principal classes
org.eclipse.jetty.plus.jaas.JAASRole or
org.eclipse.virgo.kernel.authentication.Role, respectively.
And these role classes do not implement java.security.acl.Group.
So, in order to check if the specified role matches the role-principals
assigned to the current context, the specified role must be compared against
those principals set in the subject that are not equal to the user principal.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
