[CXF-4495] Extend SimpleAuthorizingInterceptor to check only configured roles - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.6.3, 2.7
Component/s: Core
Labels:
None

Estimated Complexity:
Unknown

Description

Hi,

Actually SimpleAuthorizingInterceptor works only with prepared SecurityContext (with resolved roles). Configured user roles map is checked only additionally to roles in context. It is possible to restrict access in configuration, but not extend it.

I see some use cases, where checking only configured roles also makes sense in SimpleAuthorizingInterceptor. Sample is authentication using SAML assertion without role assertion attribute and without TLS.

Proposal is to introduce boolean property "checkConfiguredRolesOnly" in SimpleAuthorizingInterceptor. If property is true, only configured roles will be checked, isUserInRole for SecurityContext will not be called.
By default property will be deactivated.

Patch is attached.

Regards,
Andrei.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

cxf-rt-core-SimpleAuthorizingInInterceptor.patch
03/Sep/12 15:20
4 kB
Andrei Shakirin

Issue Links

breaks

CXF-5864 Anonymous users are denied to call unprotected methods since 2.6.3

Closed

Activity

People

Assignee:: Sergey Beryozkin

Reporter:: Andrei Shakirin

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 03/Sep/12 15:19

Updated:: 09/Jul/14 10:49

Resolved:: 05/Sep/12 15:09