mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

neil_a_wilson
01.43.2007 212c466106004fd6723dfe4f6cd574ab51a8fba3
author neil_a_wilson <neil_a_wilson@localhost>
Friday, June 1, 2007 21:43 +0200
committer neil_a_wilson <neil_a_wilson@localhost>
Friday, June 1, 2007 21:43 +0200
commit 212c466106004fd6723dfe4f6cd574ab51a8fba3
tree 962d37b6bfc4bd7175a82f584319b71104932098
parent dc1ad38fcb4e0f33f0a6a974ad1ce17e9f5b34e2
Update the way that privileges are evaluated by the server.  Previously, they were
always based on the authentication identity rather than the authorization identity. This
means that when the two are different, the result could be incorrect. One key example of
this is the use of the proxied authorization control by a root user. In this case, the
proxied authorization would not be subject to access control because the authenticated
user (but not the authorized user) had the bypass-acl privilege.

This change ensures that the proxied-auth privilege is always evaluated as the
authentication identity, but all other privileges are always evaluated as the
authorization identity.

I have also updated a number of test cases that were incorrectly depending on the
former behavior.

OpenDS Issue Number: 1749
5 files modified
changed files (181)
opendj-sdk/opends/src/server/org/opends/server/api/ClientConnection.java 110
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java 5
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/core/CompareOperationTestCase.java 10
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/core/TestModifyDNOperation.java 16
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/types/PrivilegeTestCase.java 40
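
The evaluation rule described in the commit message above, as an added Java sketch that is not OpenDJ code and not part of this commit. The class, record and method names are hypothetical; only the privilege names bypass-acl and proxied-auth come from the page.

```java
import java.util.EnumSet;
import java.util.Set;

public class PrivilegeEvaluationDemo {
    // The two privileges named in the commit message.
    enum Privilege { BYPASS_ACL, PROXIED_AUTH }

    // Hypothetical user model: a name plus its assigned privileges.
    record User(String name, Set<Privilege> privileges) {}

    // Hypothetical connection model that tracks both identities.
    record Connection(User authenticated, User authorized) {

        // Former behavior: every privilege is checked against the
        // authentication identity, so a proxying root user keeps bypass-acl.
        boolean hasPrivilegeFormer(Privilege p) {
            return authenticated.privileges().contains(p);
        }

        // Behavior after the change: proxied-auth is checked against the
        // authentication identity, everything else against the
        // authorization identity.
        boolean hasPrivilege(Privilege p) {
            User subject = (p == Privilege.PROXIED_AUTH) ? authenticated : authorized;
            return subject.privileges().contains(p);
        }
    }

    public static void main(String[] args) {
        // Constructed sample users.
        User root = new User("root",
                EnumSet.of(Privilege.BYPASS_ACL, Privilege.PROXIED_AUTH));
        User regular = new User("regular", EnumSet.noneOf(Privilege.class));

        Connection proxied = new Connection(root, regular); // root acting as regular
        Connection direct = new Connection(root, root);     // root acting as itself

        System.out.println("proxied, former, bypass-acl:   "
                + proxied.hasPrivilegeFormer(Privilege.BYPASS_ACL));
        System.out.println("proxied, changed, bypass-acl:  "
                + proxied.hasPrivilege(Privilege.BYPASS_ACL));
        System.out.println("proxied, changed, proxied-auth: "
                + proxied.hasPrivilege(Privilege.PROXIED_AUTH));
        System.out.println("direct, changed, bypass-acl:   "
                + direct.hasPrivilege(Privilege.BYPASS_ACL));
    }
}
```

The proxied connection is the case the commit message calls out: under the former check the operation skips access control because the authenticated root user holds bypass-acl, while under the changed check it is subject to the ACIs that apply to the authorized user.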