[
https://jira.jboss.org/jira/browse/DNA-372?page=com.atlassian.jira.plugin...
]
Brian Carothers updated DNA-372:
--------------------------------
Attachment: DNA-372_idtrust_auth_auth.patch
Added DNA-372_idtrust_auth_auth.patch that replaces the previous patch. This adds all of
the functionality of the previous patch plus authorization (i.e.,
JcrSession.checkPermission now works). Tests were modified accordingly.
The patch uses JBoss IDTrust to declaratively add a (configurable) login manager from
InMemoryRepositoryStub. The InMemoryRepositoryStub uses
/src/test/resources/security/jaas.config.xml as the configuration file of choice. The
test implementation of this file specifies a JBoss UsersRolesLoginModule, that loads its
users from /src/test/resources/security/tck_users.properties. Each property name in this
file represents a valid user and each property value represents their passwordl The
UsersRolesLoginModule also specifies a file of user roles -
/src/test/resources/security/tck_roles.properties. Each property name is a user name
(which must match a user from tck_users.properties) and each property value is a
comma-delimited list of assigned roles for the user. All of this code (and the IDTrust
dependencies) are in test scope.
JcrSession loads the roles for the JAAS subject in its contstructor and stores them in a
set ("entitlements"). It expects roles named "readonly",
"readwrite", "readonly.<workspaceName>", or
"readwrite.<workspaceName>". The former two formats imply a global
permission that is assigned to the user for all workspaces. JcrSession.checkPermission
determines if the permission to be checked is a read permission or if it requires
readwrite access and checks to see if the JAAS subject has a role with the naming pattern
above assigned. This introduces a dependency on JBoss SX. Per-path permissions are not
supported at this time. Finer-grained access ("add_node" vs.
"set_property" vs. "remove") are not supported at this time. Better
authorization implementations are always welcome.
Since this patch is security-related, I'm leaving it uncommitted until someone else
(Randall?) gets a chance to review it. I'm opening another defect to track adding the
checkPermission calls into the appropriate places in the library to start enforcing
security.
Session.impersonate and Session.checkPermission Are Not Implemented
-------------------------------------------------------------------
Key: DNA-372
URL:
https://jira.jboss.org/jira/browse/DNA-372
Project: DNA
Issue Type: Bug
Components: JCR
Affects Versions: 0.3
Reporter: Brian Carothers
Assignee: Brian Carothers
Fix For: 0.5
Attachments: DNA-372_idtrust_auth_auth.patch, DNA-372_idtrust_impersonate.patch
Both methods need to be implemented to pass all of the JR TCK L2 tests.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira