CXF-4495: Extend SimpleAuthorizingInterceptor to check only configured roles


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.3, 2.7
    • Component/s: Core
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      Hi,

      Currently, SimpleAuthorizingInterceptor works only with a prepared SecurityContext (with resolved roles). The configured user roles map is checked only in addition to the roles in the context. It is possible to restrict access in configuration, but not to extend it.

      I see some use cases where checking only the configured roles also makes sense in SimpleAuthorizingInterceptor. An example is authentication using a SAML assertion without a role assertion attribute and without TLS.

      The proposal is to introduce a boolean property "checkConfiguredRolesOnly" in SimpleAuthorizingInterceptor. If the property is true, only the configured roles will be checked, and isUserInRole of the SecurityContext will not be called.
      By default the property will be deactivated.

      A patch is attached.

      Regards,
      Andrei.
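As an added illustration, not the attached patch or CXF's own code: a self-contained Java model of the two authorization modes the proposal describes. The contextIsUserInRole predicate stands in for SecurityContext.isUserInRole(), and denying a principal that is absent from the configured map is this model's choice.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

/** Model of the default and checkConfiguredRolesOnly modes (illustrative, not CXF's code). */
public class ConfiguredRolesCheck {

    private final Predicate<String> contextIsUserInRole;   // stands in for SecurityContext.isUserInRole()
    private final Map<String, List<String>> userRolesMap;  // configured user -> roles
    private final boolean checkConfiguredRolesOnly;        // the proposed property

    public ConfiguredRolesCheck(Predicate<String> contextIsUserInRole,
                                Map<String, List<String>> userRolesMap,
                                boolean checkConfiguredRolesOnly) {
        this.contextIsUserInRole = contextIsUserInRole;
        this.userRolesMap = userRolesMap;
        this.checkConfiguredRolesOnly = checkConfiguredRolesOnly;
    }

    /** True if the principal may invoke an operation that expects one of expectedRoles. */
    public boolean authorize(String principal, List<String> expectedRoles) {
        if (!checkConfiguredRolesOnly) {
            // Default mode: the SecurityContext must already grant an expected role;
            // the configured map below can only narrow that decision, never widen it.
            if (expectedRoles.stream().noneMatch(contextIsUserInRole)) {
                return false;
            }
            if (userRolesMap.isEmpty()) {
                return true;   // nothing configured, the context decision stands
            }
        }
        // Configured-roles check: the only check when checkConfiguredRolesOnly is true.
        // A principal with no configured roles is denied (fail closed, this model's choice).
        List<String> configured = userRolesMap.getOrDefault(principal, Collections.emptyList());
        return expectedRoles.stream().anyMatch(configured::contains);
    }

    public static void main(String[] args) {
        // Constructed sample configuration and a context that resolved no roles at all
        // (the SAML-assertion-without-role-attribute case from the issue).
        Map<String, List<String>> map = Map.of("alice", Arrays.asList("admin"));
        Predicate<String> noRolesInContext = role -> false;
        List<String> needsAdmin = Arrays.asList("admin");

        ConfiguredRolesCheck byDefault = new ConfiguredRolesCheck(noRolesInContext, map, false);
        ConfiguredRolesCheck configuredOnly = new ConfiguredRolesCheck(noRolesInContext, map, true);

        System.out.println("default mode, alice: " + byDefault.authorize("alice", needsAdmin));
        System.out.println("configured only, alice: " + configuredOnly.authorize("alice", needsAdmin));
        System.out.println("configured only, bob (unmapped): " + configuredOnly.authorize("bob", needsAdmin));
    }
}
```

Enabling the property moves the whole authorization decision onto the userRolesMap, so that map must be treated as the access-control policy and reviewed as such.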

              People

              • Assignee: Sergey Beryozkin (sergey_beryozkin)
              • Reporter: Andrei Shakirin (ashakirin)
              • Votes: 0
              • Watchers: 2
