Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-4117

RolesInterceptor ignores disallowedRoles when allowedRoles are configured

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.3.16
    • Core Interceptors
    • None
    • Patch

    Description

      The isAllowed method of RolesInterceptor does not enforce the disallowedRoles when allowedRoles are configured. ex:

          
<interceptor-ref name="roles">
  <param name="allowedRoles">authenticated</param>
  <param name="disallowedRoles">restrictedUser</param>
</interceptor-ref>

      With the above configuration a user with the roles "authenticated", and "restrictedUser" would be granted access.

      Attachments

        1. patch.txt
          9 kB
          Cam Morris

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. WW-4118 Allow RolesInterceptor to validate role names

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              lukaszlenart Lukasz Lenart
              cmorris_partnet Cam Morris
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: