[aerogear-dev] [Unified Push Server] Roles structure & password management

Bruno Oliveira bruno at abstractj.org
Tue Nov 5 13:27:46 EST 2013


Unless you guys are planning to change the UPS server only, I can't see atm
how to add multiple roles without opening new vulnerabilities like people
escalating privileges.

Matthias Wessendorf wrote:
> yep - that endpoint would be never annotated w/ "simple";
Indeed, that's the reason why we currently support a single role.
>
> I think the problem if the annotation contains "incorrect" roles or
> not is not a problem on the UPS.
Sure, on the other hand, having multiple roles is a requirement coming from
UPS, right? This change is not about UPS only, think about it.
>
> It's more an issue w/ the underlying security framework:
> E.g. how can I specify that someone with the role "simple" is NEVER
> able to (deep in the stack) call entityManager.delete();
Not annotating the method with that role, as we already do.

-- 
abstractj
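Added illustration of the annotation-driven, deny-by-default role check the thread is discussing; this is not AeroGear or UPS code. The decorator name roles_allowed, the Principal type and the endpoint methods are assumptions, and the role names mirror the "simple" example above.

```python
# Added illustration (not AeroGear/UPS code) of the annotation-driven, deny-by-default
# role check; roles_allowed, Principal and the endpoint methods are assumptions.
from dataclasses import dataclass
from functools import wraps

class AccessDenied(PermissionError): pass  # caller's roles don't satisfy the annotation

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset

def roles_allowed(*allowed):
    """Stand-in for a method-level role annotation: callers need one of these roles."""
    def decorate(fn):
        fn.__roles_allowed__ = frozenset(allowed)
        @wraps(fn)
        def guarded(self, principal, *args, **kwargs):
            if not fn.__roles_allowed__ & principal.roles:
                raise AccessDenied(f"{principal.name} may not call {fn.__name__}")
            return fn(self, principal, *args, **kwargs)
        return guarded
    return decorate

class PushApplicationEndpoint:
    def __init__(self):
        self.apps = {"app-1": "constructed sample app"}
    @roles_allowed("developer", "admin")
    def list_apps(self, principal):
        return sorted(self.apps)
    @roles_allowed("admin")
    def delete_app(self, principal, app_id):
        # "simple" is never listed, so a caller holding only that role cannot reach the delete.
        return self.apps.pop(app_id, None) is not None
    def purge_all(self, principal):
        # Deliberately unannotated: the dispatcher below never exposes it to any role.
        self.apps.clear()

def invoke(endpoint, method_name, principal, *args):
    """Dispatcher that refuses methods carrying no role annotation at all."""
    method = getattr(endpoint, method_name)
    if not hasattr(method, "__roles_allowed__"):
        raise AccessDenied(f"{method_name} is not exposed to any role")
    return method(principal, *args)

def is_denied(endpoint, method_name, principal, *args):
    try:
        invoke(endpoint, method_name, principal, *args)
        return False
    except AccessDenied:
        return True
```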

