[ https://issues.apache.org/jira/browse/CAUSEWAY-3618?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Keir Haywood resolved CAUSEWAY-3618.
-------------------------------------------
    Resolution: Fixed

> Secman should copy the user's roles into the UserMemento (as obtained via UserService).
> ---------------------------------------------------------------------------------------
>
>                 Key: CAUSEWAY-3618
>                 URL: https://issues.apache.org/jira/browse/CAUSEWAY-3618
>             Project: Causeway
>          Issue Type: Improvement
>          Components: Ext Sec Secman
>    Affects Versions: 2.0.0-RC2
>            Reporter: Daniel Keir Haywood
>            Assignee: Daniel Keir Haywood
>            Priority: Minor
>             Fix For: 2.0.0-RC3
>
>
> The `UserService#getUser()` returns a `UserMemento`, which is a
> representation of the current user's roles and context (locale, time,
> timezone etc). This is independent of security mechanism configured.
>
> The `UserMemento.AUTHORIZED_USER_ROLE` (String constant) is used by the
> Wicket viewer as a required role for protected pages; it's the
> responsibility of the security mechanism to add this role during login. If
> Spring is used for authentication, then this is done within
> `SpringSecurityFilter`. Thus, when querying `UserService#getUser()` with
> Spring, the only role we see on `UserMemento` is this one.
>
> The UserMementoRefiner SPI allows security mechanisms to fine-tune this
> `UserMemento`. Secman already has an implementation of this
> (`UserMementoRefinerFromApplicationUser`), which adjusts the timezone etc,
> but it currently does not yet copy over the secman-defined roles. It should
> do this as well.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
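The role-copying behaviour the issue asks for, as an added sketch that is not Causeway's or Secman's own code: `Memento`, `Refiner`, `RoleCopyingRefiner`, the placeholder role value and the in-memory role store are simplified, hypothetical stand-ins for `UserMemento`, the `UserMementoRefiner` SPI and Secman's role data. It shows why the refiner has to union the stored roles with the roles set at login rather than replace them, so the marker role the Wicket viewer requires survives refinement.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RoleCopyExample {
    // Placeholder value; the real constant is UserMemento.AUTHORIZED_USER_ROLE.
    static final String AUTHORIZED_USER_ROLE = "AUTHORIZED_USER_ROLE_PLACEHOLDER";

    // Simplified stand-in for UserMemento: immutable user name plus role names.
    record Memento(String name, Set<String> roles) {
        Memento { roles = Set.copyOf(roles); }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Simplified stand-in for the UserMementoRefiner SPI.
    interface Refiner { Memento refine(Memento memento); }

    // Hypothetical refiner: adds the stored roles to those already on the memento.
    record RoleCopyingRefiner(Map<String, List<String>> rolesByUser) implements Refiner {
        public Memento refine(Memento memento) {
            // Start from the login-time roles so the marker role is not dropped.
            Set<String> merged = new LinkedHashSet<>(memento.roles());
            // A user unknown to the store gains nothing and loses nothing.
            merged.addAll(rolesByUser.getOrDefault(memento.name(), List.of()));
            return new Memento(memento.name(), merged);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: role assignments as a role store might hold them.
        Map<String, List<String>> store =
                Map.of("sven", List.of("sales-admin", "report-viewer"));
        Refiner refiner = new RoleCopyingRefiner(store);

        // What the login filter yields on its own: only the marker role.
        Memento atLogin = new Memento("sven", Set.of(AUTHORIZED_USER_ROLE));
        Memento refined = refiner.refine(atLogin);

        System.out.println("before: sales-admin=" + atLogin.hasRole("sales-admin"));
        System.out.println("after:  sales-admin=" + refined.hasRole("sales-admin"));
        System.out.println("marker role kept:   " + refined.hasRole(AUTHORIZED_USER_ROLE));
        System.out.println("idempotent:         " + refiner.refine(refined).equals(refined));
        System.out.println("unknown user roles: "
                + refiner.refine(new Memento("guest", Set.of())).roles());
    }
}
```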