[ https://issues.apache.org/jira/browse/SOLR-14430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17097524#comment-17097524 ]

Mike Drob commented on SOLR-14430:
----------------------------------

I think that's definitely movement in the right direction. I'd like to reuse as 
much of the servlet spec as we can without creating our own way of handling it 
since I believe it will be less surprising for the next dev to come along, and 
might make it easier for them to integrate with frameworks that are relatively 
standards conforming. After your changes, it seems like {{isUserInRole}} would 
be easy to implement by delegating to 
{{getVerifiedRoles().contains(getUserPrincipal().getName())}}. Happy to see 
that as part of the other patch, or we can address it here as follow on, no 
real preference.

> Authorization plugins should check roles from request
> -----------------------------------------------------
>
>                 Key: SOLR-14430
>                 URL: https://issues.apache.org/jira/browse/SOLR-14430
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Mike Drob
>            Priority: Major
>
> The AuthorizationContext exposes {{getUserPrincipal}} to the plugin, but it 
> does not allow the plugin to interrogate the request for {{isUserInRole}}. If 
> we trust the request enough to get a principal from it, then we should trust 
> it enough to ask about roles, as those could have been defined and verified 
> by an authentication plugin.
> This model would be an alternative to the current model where 
> RuleBasedAuthorizationPlugin maintains its own user->role mapping.
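Added sketch of the model under discussion, not Solr's own code: a hypothetical AuthorizationContext stand-in whose isUserInRole(role) delegates to a role set the authentication plugin verified, so the authorization plugin needs no user->role table of its own. The class names VerifiedContext, RoleCheckingAuthorizationPlugin and RoleCheckDemo are assumed for the example.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

/** Hypothetical stand-in for Solr's AuthorizationContext (assumed shape, not the real class). */
abstract class AuthorizationContext {
    public abstract Principal getUserPrincipal();

    /** Roles established by the authentication plugin; never taken from client-controlled input. */
    public abstract Set<String> getVerifiedRoles();

    /** Servlet-style role check, delegating to the verified role set. */
    public boolean isUserInRole(String role) {
        return getUserPrincipal() != null && getVerifiedRoles().contains(role);
    }
}

/** Request-scoped context that an authentication plugin would populate once it has verified the caller. */
final class VerifiedContext extends AuthorizationContext {
    private final Principal principal;
    private final Set<String> roles;

    VerifiedContext(String name, Set<String> roles) {
        this.principal = () -> name;            // Principal has a single abstract method, getName()
        this.roles = Set.copyOf(roles);         // defensive copy: roles are fixed once verified
    }

    @Override public Principal getUserPrincipal() { return principal; }
    @Override public Set<String> getVerifiedRoles() { return roles; }
}

/** Authorization plugin that asks the request for roles instead of keeping its own user->role mapping. */
final class RoleCheckingAuthorizationPlugin {
    static boolean permit(AuthorizationContext ctx, String requiredRole) {
        return ctx.isUserInRole(requiredRole);
    }
}

public class RoleCheckDemo {
    public static void main(String[] args) {
        // Constructed example: the authentication plugin verified that "alice" holds "admin".
        AuthorizationContext alice = new VerifiedContext("alice", Set.of("admin", "reader"));
        // A request whose authentication established no roles (for instance a role the client
        // merely asserted in a header it controls) carries an empty verified set and is denied.
        AuthorizationContext bob = new VerifiedContext("bob", Collections.emptySet());
        System.out.println("alice admin: " + RoleCheckingAuthorizationPlugin.permit(alice, "admin"));
        System.out.println("bob admin:   " + RoleCheckingAuthorizationPlugin.permit(bob, "admin"));
    }
}
```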



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
