SecurityFilter - multiple Principals [message #1491912]
Sat, 29 November 2014 10:53
Rene Eigenheer Messages: 109 Registered: July 2009
Senior Member
Hi all
As described on the wiki, I authenticate the users against an LDAP server. This works fine.
Now I try to use the Roles/Groups to which a user is assigned in LDAP as the base for the Permission Assignment in the Scout AccessControlService. The intention is to map LDAP Roles to Scout PermissionClasses (i.e. using a database table) and use org.eclipse.scout.rt.shared.services.common.security.AccessControlUtility.createPermissions(Object[][] permissionData).
The problem I'm struggling with is the transfer of the user's assigned LDAP Roles/Groups from the security filter to the AccessControlService.
Based on https://docs.oracle.com/cd/E21764_01/core.1111/e10043/introroles.htm#JISEC2259 I thought the best/correct approach would be to add multiple Principals to the subject (one for the user and one per assigned role/group).
But the problem with this approach is that the method org.eclipse.scout.rt.server.commons.servletfilter.security.AbstractChainableSecurityFilter.negotiate(HttpServletRequest req, HttpServletResponse resp, PrincipalHolder holder) uses a PrincipalHolder wrapper which can only hold ONE Principal and not a Set of Principals as the Subject does.
Is this "single principal" mechanism intentional? What are the reasons for it?
Do I misunderstand something?
BTW: In the meantime, as a workaround, I use a custom Principal class which also holds a set of roles and use this in the AccessControlService - but I think this is not in accordance with the above-mentioned Oracle document.
-rene
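The two shapes discussed in the post above, written against the plain JDK JAAS classes only (Java 16+). This is an added example, not code from the post or from Scout. `UserPrincipal`, `RolePrincipal`, `UserWithRoles`, `rolesOf` and the sample user and groups are hypothetical names chosen for illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class PrincipalShapes {
  // Hypothetical principal types; none of these come from Scout or the JDK.
  // Distinct types keep a user named "admins" from being read as the role "admins".
  record UserPrincipal(String name) implements Principal {
    public String getName() { return name; }
  }
  record RolePrincipal(String name) implements Principal {
    public String getName() { return name; }
  }
  // Workaround shape: a single principal that carries an immutable copy of the roles.
  record UserWithRoles(String name, Set<String> roles) implements Principal {
    UserWithRoles { roles = Set.copyOf(roles); }
    public String getName() { return name; }
  }

  // Multi-principal shape: one user principal plus one principal per LDAP group.
  static Subject multiPrincipalSubject(String user, Set<String> ldapGroups) {
    Set<Principal> principals = new LinkedHashSet<>();
    principals.add(new UserPrincipal(user));
    ldapGroups.forEach(g -> principals.add(new RolePrincipal(g)));
    // Read-only: code running after authentication cannot add role principals.
    return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
  }

  // Role lookup on the access-control side that accepts either shape.
  static Set<String> rolesOf(Subject subject) {
    Set<String> roles = new TreeSet<>();
    subject.getPrincipals(RolePrincipal.class).forEach(p -> roles.add(p.getName()));
    subject.getPrincipals(UserWithRoles.class).forEach(p -> roles.addAll(p.roles()));
    return roles;
  }

  public static void main(String[] args) {
    Set<String> groups = Set.of("staff", "admins"); // constructed sample LDAP groups
    Subject multi = multiPrincipalSubject("admins", groups); // user name collides with a role name
    Subject single = new Subject(true,
        Collections.singleton(new UserWithRoles("admins", groups)),
        Collections.emptySet(), Collections.emptySet());
    System.out.println(rolesOf(multi));
    System.out.println(rolesOf(multi).equals(rolesOf(single)));
  }
}
```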