[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3941) IdentityManager: extend permission checks to allow user to modify his own password

Raimund Hölle (JIRA) jira-events at lists.jboss.org
Sun Feb 8 07:35:44 EST 2009

IdentityManager: extend permission checks to allow user to modify his own password

                 Key: JBSEAM-3941
                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3941
             Project: Seam
          Issue Type: Feature Request
          Components: Security
    Affects Versions: 2.1.1.GA, 2.1.1.CR2, 2.1.1.CR1, 2.1.0.SP1
            Reporter: Raimund Hölle
            Priority: Minor

Because IdentityManager.changePassword() requires the permission ("seam.user", "update"), it is not possible to use that method to change the password of the authenticated user itself without granting that permission to him.

But granting that means the user is able to modify _any_ user.

I suggest adding a new permission target (or maybe a new action) and extending the changePassword() method:

  public static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";

  public boolean changePassword(String name, String password) {
    Identity identity = Identity.instance();
    try {
      // Full user administration: may change any user's password.
      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
    } catch (AuthorizationException e) {
      // Fallback: a logged-in user changing his own password only needs
      // the new, narrower permission.
      if ( identity.isLoggedIn() && identity.getCredentials().getUsername().equals(name) ) {
        identity.checkPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
      } else {
        throw e;
      }
    }
    return identityStore.changePassword(name, password);
  }

Or maybe a specialized method?

Many regards,

This message is automatically generated by JIRA.
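The authorization decision proposed above, as an added stand-alone example that is not the reporter's or Seam's code: Seam's Identity and permission resolver are replaced by a hypothetical Caller class holding an authenticated username and a set of "target:action" strings, so the least-privilege cases (administrator, self-service, other user, anonymous) can be exercised without a Seam runtime.

```java
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

// Added example, not Seam's code: models the check proposed in JBSEAM-3941
// with plain strings instead of Seam's Identity/PermissionResolver.
public class OwnPasswordCheck {
    static final String USER_PERMISSION_NAME = "seam.user";
    static final String OWNPASSWORD_PERMISSION_NAME = "seam.user.ownpassword";
    static final String PERMISSION_UPDATE = "update";

    /** Hypothetical caller: authenticated username (null if anonymous)
     *  and the "target:action" permissions granted to it. */
    static final class Caller {
        final String username;
        final Set<String> granted = new HashSet<>();
        Caller(String username, String... perms) {
            this.username = username;
            for (String p : perms) granted.add(p);
        }
        boolean hasPermission(String target, String action) {
            return granted.contains(target + ":" + action);
        }
    }

    /** True if caller may change targetUser's password. */
    static boolean mayChangePassword(Caller caller, String targetUser) {
        // Full user administration covers every account.
        if (caller.hasPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE)) {
            return true;
        }
        // Narrow fallback: only an authenticated caller acting on its own
        // account, and only with the dedicated own-password permission.
        return caller.username != null
            && Objects.equals(caller.username, targetUser)
            && caller.hasPermission(OWNPASSWORD_PERMISSION_NAME, PERMISSION_UPDATE);
    }

    public static void main(String[] args) {
        // Constructed sample callers.
        Caller admin = new Caller("admin", "seam.user:update");
        Caller alice = new Caller("alice", "seam.user.ownpassword:update");
        Caller anon  = new Caller(null, "seam.user.ownpassword:update");
        System.out.println("admin -> bob:   " + mayChangePassword(admin, "bob"));
        System.out.println("alice -> alice: " + mayChangePassword(alice, "alice"));
        System.out.println("alice -> bob:   " + mayChangePassword(alice, "bob"));
        System.out.println("anon  -> alice: " + mayChangePassword(anon, "alice"));
    }
}
```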

