[ https://issues.apache.org/jira/browse/QPID-8374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16982371#comment-16982371 ]
ASF subversion and git services commented on QPID-8374: ------------------------------------------------------- Commit 005ba4184de60a02824038648f3584332f861de1 in qpid-broker-j's branch refs/heads/master from Stanislav Khomytskyi [ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=005ba41 ] QPID-8374: [Broker-J][ACL] Allow case insensitive mapping of group members to groups in existing GroupProvider > [Broker-J][ACL] Allow case insensitive mapping of group members to groups in > existing GroupProvider > --------------------------------------------------------------------------------------------------- > > Key: QPID-8374 > URL: https://issues.apache.org/jira/browse/QPID-8374 > Project: Qpid > Issue Type: Improvement > Components: Broker-J > Reporter: Alex Rudyy > Priority: Major > > The user groups currently identified by exact equality of authenticated > principal name and group member name. (See > {{org.apache.qpid.server.security.group.GroupProviderImpl#getGroupPrincipalsForUser}} > and > {{org.apache.qpid.server.model.adapter.FileBasedGroupProviderImpl#getGroupPrincipalsForUser}}.) > The user groups are used in in ACL to define rules applicable to multiple > users belonging to the same group. The ACL identities are case insensitive. > As result, any letter case can be used in identities to express the ACL rule. > In many cases, when authenticated principals are coming from external systems > like LDAP, OAUTH2 based providers, etc, and they are case insensitive, it is > desired to have group mapping case insensitive as well, as it is quite easy > to make a mistake and specify the group member using upper cased letters > rather than lower cased, for example, {{cn=Alex,ou=users,dc=qpid,dc=org}} vs > {{cn=alex,ou=users,dc=qpid,dc=org}}. > The existing GroupProviders can be modified to allow case insensitive mapping > of group members to groups. Though, the existing case sensitive group mapping > behaviour should be preserved for backward compatibility reasons. It should > be enabled by default. A special switch (either attribute or/and context > variable ) could be provided to make group mapping case insensitive if > desired. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org