CAUSEWAY-3618

Secman should copy the user's roles into the UserMemento (as obtained via UserService).


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-RC2
    • Fix Version/s: 2.0.0-RC3
    • Component/s: Ext Sec Secman
    • Labels: None

    Description

      `UserService#getUser()` returns a `UserMemento`, which is a representation of the current user's roles and context (locale, time, timezone etc.). This is independent of the security mechanism configured.

      The `UserMemento.AUTHORIZED_USER_ROLE` (String constant) is used by the Wicket viewer as a required role for protected pages; it's the responsibility of the security mechanism to add this role during login. If Spring is used for authentication, then this is done within `SpringSecurityFilter`. Thus, when querying `UserService#getUser()` with Spring, the only role we see on `UserMemento` is this one.

      The `UserMementoRefiner` SPI allows security mechanisms to fine-tune this `UserMemento`. Secman already has an implementation of this (`UserMementoRefinerFromApplicationUser`), which adjusts the timezone etc., but it does not yet copy over the secman-defined roles. It should do this as well.
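
The refinement step requested above, modelled as an added example that is not Causeway's or Secman's own code: `Memento`, `Refiner`, `SECMAN_ROLES` and the placeholder role value are simplified stand-ins assumed here, not the framework's classes or constants. It shows the role copy as purely additive, so the role added at login survives and a user unknown to secman is returned unchanged.

```java
import java.util.*;

public class RefinerSketch {
    // Stand-in for UserMemento.AUTHORIZED_USER_ROLE; constructed value, not the framework's constant.
    static final String AUTHORIZED_USER_ROLE = "AUTHORIZED_USER_ROLE-placeholder";

    // Simplified, immutable stand-in for UserMemento: a user name plus role names.
    record Memento(String name, Set<String> roleNames) {
        Memento { roleNames = Collections.unmodifiableSet(new LinkedHashSet<>(roleNames)); }

        // Returns a copy with the extra roles merged in; existing roles are never removed.
        Memento withRolesAdded(Collection<String> extra) {
            Set<String> merged = new LinkedHashSet<>(roleNames);
            merged.addAll(extra);
            return new Memento(name, merged);
        }
    }

    // Stand-in for the refiner SPI: receives the memento built at login, returns an adjusted copy.
    interface Refiner { Memento refine(Memento in); }

    // Stand-in for the secman user lookup (constructed sample data): username -> secman-defined roles.
    static final Map<String, List<String>> SECMAN_ROLES =
            Map.of("sven", List.of("sales-admin", "regular-user"));

    static final Refiner COPY_SECMAN_ROLES = in -> {
        List<String> roles = SECMAN_ROLES.get(in.name());
        // No secman record for this user: leave the memento untouched.
        return roles == null ? in : in.withRolesAdded(roles);
    };

    public static void main(String[] args) {
        // The situation the issue describes with Spring: only the authorized-user role is present.
        Memento afterLogin = new Memento("sven", Set.of(AUTHORIZED_USER_ROLE));
        Memento refined = COPY_SECMAN_ROLES.refine(afterLogin);
        Memento unknown = COPY_SECMAN_ROLES.refine(new Memento("guest", Set.of(AUTHORIZED_USER_ROLE)));

        System.out.println("before refine: " + afterLogin.roleNames());
        System.out.println("after refine:  " + refined.roleNames());
        System.out.println("unknown user:  " + unknown.roleNames());
    }
}
```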

            People

              danhaywood Daniel Keir Haywood