[ https://issues.apache.org/jira/browse/CXF-3655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aki Yoshida resolved CXF-3655.
------------------------------

    Resolution: Fixed

> Role based authorization not working with DefaultSecurityContext (i.e., when using JAASLoginInterceptor with non-prefixed role names)
> -------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-3655
>                 URL: https://issues.apache.org/jira/browse/CXF-3655
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.4.1
>            Reporter: Aki Yoshida
>            Assignee: Aki Yoshida
>            Priority: Minor
>             Fix For: 2.4.2, 2.5
>
>
> org.apache.cxf.interceptor.security.DefaultSecurityContext's isUserInRole(String) is not working with either Jetty's or Virgo's role configuration. This method assumes a role principal to have the interface java.security.acl.Group.
> However, both Jetty and Virgo represent role principals using their own principal classes, org.eclipse.jetty.plus.jaas.JAASRole or org.eclipse.virgo.kernel.authentication.Role, respectively. And these role classes do not implement java.security.acl.Group.
> So, in order to check if the specified role matches the role-principals assigned to the current context, the specified role must be compared against those principals set in the subject that are not equal to the user principal.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
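The two lookup strategies the report contrasts, shown side by side as an added stand-alone example. This is not CXF's DefaultSecurityContext nor Jetty's or Virgo's code: the classes SimpleUserPrincipal, PlainRolePrincipal and RolesGroup are made up here to stand in for a container's user principal, a role principal that does not implement java.security.acl.Group (as JAASRole and Virgo's Role do not), and a Group-style role container. The Group-only check misses the plain role principal; the fixed check treats every principal in the Subject other than the user principal as a candidate role, while still walking Group members for containers that do use that convention. java.security.acl.Group was deprecated in JDK 9 and removed in JDK 14, so this compiles on JDK 8 through 13.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.Subject;

public class RoleCheckDemo {

    /** Hypothetical user principal, as a JAAS login module might add it to the Subject. */
    static final class SimpleUserPrincipal implements Principal {
        private final String name;
        SimpleUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Hypothetical role principal that does NOT implement Group (the JAASRole / Virgo Role pattern). */
    static final class PlainRolePrincipal implements Principal {
        private final String name;
        PlainRolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Hypothetical Group-based role container: a single "Roles" group whose members are the roles. */
    static final class RolesGroup implements Group {
        private final Set<Principal> members = new HashSet<>();
        public String getName() { return "Roles"; }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) {
            for (Principal m : members) {
                if (m.getName().equals(p.getName())) return true;
            }
            return false;
        }
        public Enumeration<? extends Principal> members() { return new Vector<>(members).elements(); }
    }

    /** True if any member of the Group has the requested role name. */
    private static boolean groupHasRole(Group g, String role) {
        Enumeration<? extends Principal> members = g.members();
        while (members.hasMoreElements()) {
            if (role.equals(members.nextElement().getName())) return true;
        }
        return false;
    }

    /** The assumption the report describes as broken: only Group principals can carry roles. */
    static boolean isUserInRoleGroupOnly(Subject subject, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group && groupHasRole((Group) p, role)) return true;
        }
        // A PlainRolePrincipal is never inspected here, so Jetty/Virgo roles are invisible.
        return false;
    }

    /** The strategy the report proposes: compare the role against every principal except the user principal. */
    static boolean isUserInRole(Subject subject, Principal user, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (p.equals(user)) continue;                       // the user's own name is not a role
            if (p instanceof Group) {                            // Group-style containers still honoured
                if (groupHasRole((Group) p, role)) return true;
            } else if (role.equals(p.getName())) {               // plain role principals matched by name
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Principal alice = new SimpleUserPrincipal("alice");

        // Constructed Subject in the Jetty/Virgo style: roles are plain Principals next to the user.
        Subject plainStyle = new Subject();
        plainStyle.getPrincipals().add(alice);
        plainStyle.getPrincipals().add(new PlainRolePrincipal("admin"));

        // Constructed Subject in the Group style the old check expected.
        RolesGroup roles = new RolesGroup();
        roles.addMember(new PlainRolePrincipal("admin"));
        Subject groupStyle = new Subject();
        groupStyle.getPrincipals().add(alice);
        groupStyle.getPrincipals().add(roles);

        System.out.println("group-only check, plain-role subject: " + isUserInRoleGroupOnly(plainStyle, "admin"));
        System.out.println("fixed check,      plain-role subject: " + isUserInRole(plainStyle, alice, "admin"));
        System.out.println("fixed check,      group-style subject: " + isUserInRole(groupStyle, alice, "admin"));
        System.out.println("fixed check,      user name as role:   " + isUserInRole(plainStyle, alice, "alice"));
    }
}
```

Run with `javac RoleCheckDemo.java && java RoleCheckDemo` on a JDK that still ships java.security.acl. The first line shows the failure mode from the report (the plain-role Subject is denied), the next two show the fixed check accepting both principal conventions, and the last shows why the user principal has to be excluded: without that exclusion a caller could satisfy a role check simply by asking for a role whose name equals the authenticated user's name. The remaining caveat is that the fixed strategy treats every non-user, non-Group principal as a role, so a login module that adds other kinds of principals (for example, a client certificate's distinguished name) would need those filtered out as well.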