  1. Struts 2
  2. WW-4117

RolesInterceptor ignores disallowedRoles when allowedRoles are configured


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.3.16
    • Core Interceptors
    • None
    • Patch

    Description

      The isAllowed method of RolesInterceptor does not enforce the disallowedRoles when allowedRoles are configured. For example:

          
      <interceptor-ref name="roles">
        <param name="allowedRoles">authenticated</param>
        <param name="disallowedRoles">restrictedUser</param>
      </interceptor-ref>
      

      With the above configuration, a user with the roles "authenticated" and "restrictedUser" would be granted access.

      Attachments

        1. patch.txt
          9 kB
          Cam Morris

            People

              lukaszlenart Lukasz Lenart
              cmorris_partnet Cam Morris