[ http://issues.apache.org/jira/browse/JS2-21?page=comments#action_12377877 ]
Randy Watler commented on JS2-21: --------------------------------- Ralph... do you need PSML constraints/permissions or isUserInRole() to function correctly? I know that having it all function correctly would be ideal, but I might be able to add support in the PageManager/PSML more directly than fixing isUserInRole(). > Missing Security Feature: Check roles assigned to any group to user belongs > --------------------------------------------------------------------------- > > Key: JS2-21 > URL: http://issues.apache.org/jira/browse/JS2-21 > Project: Jetspeed 2 > Type: New Feature > Components: Security > Versions: 2.0-FINAL > Reporter: David Le Strat > Assignee: Ate Douma > Fix For: 2.1 > > Reported by Ate Douma: > o.a.j.security.impl.RoleManagerImpl.isUserInRole() implementation is > missing a required feature. > A User can be part of a Group which can have Roles just like the User itself. > The isUserInRole() method currently only checks if the specified role is > assigned to the user, not if it is assigned to one of the groups the user > belongs to. > The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet > PLT.20.2 also applies for portlets) specifies that a user is in a specific > role either when assigned directly to the user or > when assigned to a group the user belongs to. > Thus according to this definition the RoleManagerImpl.isUserInRole() > should also check the roles assigned to any group to user belongs to. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
