Re: [aerogear-dev] [Unified Push Server] Roles structure & password management
Unless you guys are planning to change UPS server only, I can't see atm
how to add multiple roles without open new vulnerabilities like people
escalating privileges.
Matthias Wessendorf wrote:
yep - that endpoint would be never annotated w/ "simple";
Indeed, that's the reason why we currently support a single role.
I think the problem if the annotation contains "incorrect" roles or
not is not a problem on the UPS.
Sure, on the other hand have multiple roles is a
requirement coming from
UPS, right? This change is not about UPS only, think about it.
It's more an issue w/ the underlying security framework:
E.g. how can I specify that someone with the role "simple" NEVER is
able to (deep in the stack) can call entityManger.delete();
Not annotating the
method with that role, as we already do.
--
abstractj
Attachments:
- signature.asc (application/pgp-signature — 495 bytes)