Bug 778261 (SOA-761)

Summary: Add Authorization to Security support
Product: [JBoss] JBoss Enterprise SOA Platform 4
Reporter: Jeff DeLong <jdelong>
Component: Security
Assignee: Daniel Bevenius <daniel.bevenius>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 4.3 IR4   
Target Milestone: ---   
Target Release: 4.3 IR5   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/SOA-761
Doc Type: Bug Fix
Last Closed: 2008-10-07 04:53:41 UTC
Type: Feature Request

Description Jeff DeLong 2008-09-08 16:11:48 UTC
Date of First Response: 2008-10-07 00:53:41
project_key: SOA

The current ESB security support provides for authentication, but not authorization. It will authenticate a user before allowing access to a service, but not check that the user is authorized to access the service. The security implementation does not access role information. It will add roles to the security context based on the run-as property (when using SingleSignOn), but not check the initial roles assigned to the user. Nor does the security implementation check that the user is in the role (this is left to the developer to check in a custom action).

The security implementation should be extended to check a user's role. If using SingleSignOn, the roles information should be added to the security context. Furthermore, the security implementation should allow the user to specify a role associated with the service (through WS-Policy for example), and validate that the user has this role before allowing access to the service.

Comment 1 Kevin Conner 2008-09-10 14:16:54 UTC
Link: Added: This issue depends JBESB-2007


Comment 2 Jiri Pechanec 2008-10-07 04:53:41 UTC
Verified in IR5