Jetspeed 2 (Retired) / JS2-21

Missing Security Feature: Check roles assigned to any group the user belongs to


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0-FINAL, 2.1
    • Fix Version/s: 2.1.3
    • Component/s: Security
    • Labels: None

    Description

      Reported by Ate Douma:

      The o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is missing a required feature.
      A User can be part of a Group, which can have Roles just like the User itself.
      The isUserInRole() method currently only checks if the specified role is assigned to the user, not if it is assigned to one of the groups the user belongs to.
      The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also applies to portlets) specifies that a user is in a specific role either when it is assigned directly to the user or when it is assigned to a group the user belongs to.
      Thus, according to this definition, RoleManagerImpl.isUserInRole() should also check the roles assigned to any group the user belongs to.
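      The two role-check semantics contrasted in the report, as an added example that is not Jetspeed code: a minimal in-memory model (hypothetical maps of user roles, user groups and group roles, with constructed sample data) where `isUserInRoleDirectOnly` mirrors the incomplete behaviour and `isUserInRole` follows the SRV.12.4 definition.

```java
import java.util.*;

// Added example, not Jetspeed's RoleManagerImpl: a simplified model of
// users, groups and roles to show why group-assigned roles must be checked.
public class RoleCheckExample {
    // Constructed sample data: roles granted directly to users and to groups.
    static final Map<String, Set<String>> userRoles = new HashMap<>();
    static final Map<String, Set<String>> userGroups = new HashMap<>();
    static final Map<String, Set<String>> groupRoles = new HashMap<>();

    // The incomplete check described in the report: only direct assignments count.
    static boolean isUserInRoleDirectOnly(String user, String role) {
        return userRoles.getOrDefault(user, Set.of()).contains(role);
    }

    // SRV.12.4 semantics: the user is in the role if it is assigned directly
    // or to any group the user belongs to.
    static boolean isUserInRole(String user, String role) {
        if (userRoles.getOrDefault(user, Set.of()).contains(role)) {
            return true;
        }
        for (String group : userGroups.getOrDefault(user, Set.of())) {
            if (groupRoles.getOrDefault(group, Set.of()).contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // "alice" holds "user" directly and belongs to "admins", which holds "admin".
        userRoles.put("alice", new HashSet<>(Set.of("user")));
        userGroups.put("alice", new HashSet<>(Set.of("admins")));
        groupRoles.put("admins", new HashSet<>(Set.of("admin")));

        // The direct-only check misses the group-granted "admin" role, so a
        // security constraint on an admin-only resource would deny alice even
        // though the servlet spec says she is in that role.
        System.out.println("direct-only, alice in admin: "
                + isUserInRoleDirectOnly("alice", "admin"));
        System.out.println("spec semantics, alice in admin: "
                + isUserInRole("alice", "admin"));
        System.out.println("spec semantics, alice in user: "
                + isUserInRole("alice", "user"));
        System.out.println("spec semantics, bob in admin: "
                + isUserInRole("bob", "admin"));
    }
}
```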

            People

              woon_san Woonsan Ko
              dlestrat David LeStrat