mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

author neil_a_wilson <neil_a_wilson@localhost>
Friday, June 1, 2007 21:43 +0200
committer neil_a_wilson <neil_a_wilson@localhost>
Friday, June 1, 2007 21:43 +0200
commit 7484dbaeab8ee29d545dcea8d1a2d38414c799c2
tree 57b89bf987f27d1eaf6945726dbfae9674832967
parent 49c1f2519d0d9700bd6201b2807897f792fd80a0
Update the way that privileges are evaluated by the server.  Previously, they were
always based on the authentication identity rather than the authorization identity. This
means that when the two are different, the result could be incorrect. One key example of
this is the use of the proxied authorization control by a root user. In this case, the
proxied authorization would not be subject to access control because the authenticated
user (but not the authorized user) had the bypass-acl privilege.

This change ensures that the proxied-auth privilege is always evaluated as the
authentication identity, but all other privileges are always evaluated as the
authorization identity.

I have also updated a number of test cases that were incorrectly depending on the
former behavior.

OpenDS Issue Number: 1749
5 files modified, 181 lines changed
opends/src/server/org/opends/server/api/ClientConnection.java 110
opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java 5
opends/tests/unit-tests-testng/src/server/org/opends/server/core/CompareOperationTestCase.java 10
opends/tests/unit-tests-testng/src/server/org/opends/server/core/TestModifyDNOperation.java 16
opends/tests/unit-tests-testng/src/server/org/opends/server/types/PrivilegeTestCase.java 40
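
The evaluation rule described in the commit message, modelled as an added example that is not part of this commit or of the OpenDS code base: the class, method names, DNs and privilege table are hypothetical and constructed for illustration. It contrasts the former rule with the new one for a root user who proxies as an ordinary user.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Illustrative model only: names below are hypothetical, not OpenDS classes or methods.
public class PrivilegeEvaluationDemo {
    enum Privilege { BYPASS_ACL, PROXIED_AUTH }

    // Constructed sample data: privileges held by each identity.
    static final Map<String, Set<Privilege>> HELD = Map.of(
        "cn=Directory Manager", EnumSet.of(Privilege.BYPASS_ACL, Privilege.PROXIED_AUTH),
        "uid=alice,ou=People", EnumSet.noneOf(Privilege.class));

    static boolean holds(String dn, Privilege p) {
        return HELD.getOrDefault(dn, Set.of()).contains(p);
    }

    // Former behaviour: every privilege is checked against the authentication identity.
    static boolean hasPrivilegeOld(String authnDN, String authzDN, Privilege p) {
        return holds(authnDN, p);
    }

    // Behaviour after the change: proxied-auth is checked against the authentication
    // identity, every other privilege against the authorization identity.
    static boolean hasPrivilegeNew(String authnDN, String authzDN, Privilege p) {
        String subject = (p == Privilege.PROXIED_AUTH) ? authnDN : authzDN;
        return holds(subject, p);
    }

    public static void main(String[] args) {
        String authn = "cn=Directory Manager";  // identity that bound to the server
        String authz = "uid=alice,ou=People";   // identity requested via proxied authorization

        // The root user may still request proxied authorization.
        System.out.println("proxied-auth (new): "
            + hasPrivilegeNew(authn, authz, Privilege.PROXIED_AUTH));
        // The proxied operation is evaluated with the authorized user's privileges,
        // so access control applies to it under the new rule.
        System.out.println("bypass-acl (old):   "
            + hasPrivilegeOld(authn, authz, Privilege.BYPASS_ACL));
        System.out.println("bypass-acl (new):   "
            + hasPrivilegeNew(authn, authz, Privilege.BYPASS_ACL));
        // Without proxying, both identities are the same and the root user is unaffected.
        System.out.println("bypass-acl, no proxy (new): "
            + hasPrivilegeNew(authn, authn, Privilege.BYPASS_ACL));
    }
}
```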