
Key: JS2-21
Type: New Feature
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Woonsan Ko
Reporter: David Le Strat
Votes: 3
Watchers: 3
Jetspeed 2

Missing Security Feature: Check roles assigned to any group the user belongs to

Created: 26/Apr/04 01:12 PM   Updated: 25/Sep/08 10:37 PM
Component/s: Security
Affects Version/s: 2.0-FINAL, 2.1
Fix Version/s: 2.1.3


Resolution Date: 25/Sep/08 10:37 PM


Description
Reported by Ate Douma:

o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is
missing a required feature.
A User can be part of a Group which can have Roles just like the User itself.
The isUserInRole() method currently only checks if the specified role is assigned to the user, not if it is assigned to one of the groups the user belongs to.
The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also applies for portlets) specifies that a user is in a specific role either when assigned directly to the user or
when assigned to a group the user belongs to.
Thus according to this definition the RoleManagerImpl.isUserInRole()
should also check the roles assigned to any group the user belongs to.


Comments
Ate Douma added a comment - 21/Oct/04 06:05 PM
I haven't checked yet if this issue is still valid but if it is, I will fix it while working on the security issue JS2-151.

Ate Douma added a comment - 26/Oct/05 10:26 PM
I'm going to implement this feature, together with JS2-27, independent of JS2-151 to be able to get it into 2.0-FINAL release.
I already have it working locally, but I need more time to add a proper testcase for it before I can commit it.

Ate Douma added a comment - 07/Dec/05 04:53 AM
Fully implemented!

You can now maintain both user and role assignments to a group.
When a user is assigned to a group which also has roles assigned,
the user automatically will have each of those roles (request.isUserInRole(roleName)).

This allows for very flexible authorization configurations, like temporarily disabling a certain role-based access by removing the role from a group.

Ate Douma added a comment - 07/Dec/05 01:33 PM
Going to roll back the changes I made for this solution as it's *not* working as it should.
This feature is *only* meant for the Servlet and Portlet isUserInRole(roleName) check.
My current implementation is merging the Roles in the User as returned from the UserManager.getUser(name).
The solution is to *only* merge (enabled) Roles from (enabled) Groups in the DefaultLoginModule.
I'm already working on that (together with the enabling/disabling of Users, Roles and Groups for JS2-27).
Almost finished, so this issue will be fixed shortly again.
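The resolution rule from the issue description (Servlet 2.3 SRV.12.4: a user is in a role if it is assigned directly or to a group the user belongs to) and the refinement in Ate Douma's comment above (merge only enabled roles from enabled groups, and only for the isUserInRole check) can be shown with a small in-memory model. This is an added illustration, not Jetspeed code; the `Role`, `Group`, `User` and `SecurityStore` classes, the `build_sample_store()` sample data and the function names are assumptions made here for the example, and the pre-fix behaviour is modelled by `is_user_in_role_direct_only()`.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    enabled: bool = True


@dataclass
class Group:
    name: str
    enabled: bool = True
    roles: set[str] = field(default_factory=set)   # role names assigned to the group


@dataclass
class User:
    name: str
    enabled: bool = True
    roles: set[str] = field(default_factory=set)   # roles assigned directly to the user
    groups: set[str] = field(default_factory=set)  # groups the user is a member of


class SecurityStore:
    """Hypothetical stand-in for the user/role/group mapping a portal keeps."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.groups: dict[str, Group] = {}
        self.users: dict[str, User] = {}


def is_user_in_role_direct_only(store: SecurityStore, username: str, role: str) -> bool:
    """Behaviour the issue reports as missing the feature: only direct assignment counts."""
    user = store.users[username]
    return role in user.roles


def effective_roles(store: SecurityStore, username: str) -> set[str]:
    """Direct roles plus roles inherited from *enabled* groups, keeping only *enabled* roles.

    A disabled group contributes nothing; a disabled role is dropped even when assigned
    directly, so disabling a role or group is a quick way to withdraw access.
    """
    user = store.users[username]
    if not user.enabled:
        return set()
    names = set(user.roles)
    for group_name in user.groups:
        group = store.groups.get(group_name)
        if group is None or not group.enabled:
            continue
        names |= group.roles
    return {n for n in names if n in store.roles and store.roles[n].enabled}


def is_user_in_role(store: SecurityStore, username: str, role: str) -> bool:
    """SRV.12.4-style check: direct assignment or membership in a group holding the role."""
    return role in effective_roles(store, username)


def build_sample_store() -> SecurityStore:
    """Constructed sample data (not taken from any real deployment)."""
    store = SecurityStore()
    for r in ("admin", "editor", "viewer"):
        store.roles[r] = Role(r)
    # "editors" is an enabled group carrying the editor role;
    # "staff" carries admin but is disabled, so it must contribute nothing.
    store.groups["editors"] = Group("editors", roles={"editor"})
    store.groups["staff"] = Group("staff", enabled=False, roles={"admin"})
    # alice holds viewer directly and belongs to both groups.
    store.users["alice"] = User("alice", roles={"viewer"}, groups={"editors", "staff"})
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for role in ("viewer", "editor", "admin"):
        print(role,
              "direct-only:", is_user_in_role_direct_only(s, "alice", role),
              "via groups:", is_user_in_role(s, "alice", role))
    # Withdraw editor access for everyone by disabling the role itself.
    s.roles["editor"].enabled = False
    print("editor after disabling role:", is_user_in_role(s, "alice", "editor"))
```

The `editor` role comes to `alice` only through the `editors` group, so the direct-only check denies it while the group-aware check grants it; `admin` stays denied because the `staff` group is disabled, which is exactly the "only from enabled groups" restriction the comment describes.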

Ate Douma added a comment - 07/Dec/05 04:22 PM
I have to roll back my initial checkin for the security component as it turns out it's not 100% fixable in time before the 2.0-FINAL release.
I leave the gui part in though as that's working as it should.
Same thing for JS2-27 although I hadn't committed those changes yet.
These issues will be picked up again after ApacheCON, so hopefully version 2.1 will have these features.

Ralph Goers added a comment - 03/May/06 07:30 AM
Has any work been done on this? This is one feature we really need working in 2.0, so I'd appreciate any guidance on what the fix should do.

Randy Watler added a comment - 05/May/06 02:34 AM
Ralph... do you need PSML constraints/permissions or isUserInRole() to function correctly?

I know that having it all function correctly would be ideal, but I might be able to add support in the PageManager/PSML more directly than fixing isUserInRole().

Ralph Goers added a comment - 05/May/06 04:28 AM
Unfortunately, both. We have some portlets that will either be completely enabled or disabled in some roles and have extra functionality in others (as well as being enabled of course).

Ate Douma added a comment - 16/Sep/06 01:34 PM
Resolution will take too much time to make it for the 2.1 release

Stefan Frerich added a comment - 09/Jan/07 05:07 PM
It seems that a solution to this issue was close at hand in Dec 2005. Is there currently any work in progress?
@Ate: Could you provide more detailed information, what the problem was in your last fix? Thanks in advance!

Prasanna added a comment - 31/Oct/07 03:42 PM
We need this feature of retrieving the roles based on the group assigned to user.

I am planning to modify the o.a.j.security.impl.DefaultSecurityMappingHandler getRolePrincipals(username) to retrieve the groups from the user first and then roles from that group.

In my custom SecurityMappingHandler, I am able to retrieve the Roles from a Group assigned to User and its working fine.

Am I missing anything? I don't want to break some other functionality related to this getRolePrincipals() if I make the same modification in the DefaultSecurityMappingHandler.

I really appreciate any help regarding this.
Prasanna

Ate Douma added a comment - 25/Sep/08 10:37 PM
Already fixed by Woonsan and by default enabled now since Jetspeed 2.1.3