-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No way to get all declared roles from SecurityContext #203
Comments
I had initially added this to the SecurityContext, but it indeed never made it into the API. For the coming version it might be a good idea to add it indeed. Note that there's generally a couple of ways to go about this. In the presence of a custom authorization module, the roles may be dynamic and there may be no support to get them all (or they may be near infinite). That's why in Soteria they are called declared roles. See also https://arjan-tijms.omnifaces.org/2014/03/implementing-container-authorization-in.html#all-roles The other option would be to have functionality (typically called a role mapper) that is capable to read roles from the current Subject. We essentially need that one anyway to strengthen Jakarta Authorization. |
I have 2 scenarios:
In both cases roles are finite and like Soteria does there should be a way to access them as a Set |
The way we have handled this within our own APIs and SPIs within WildFly is to make sure our roles representation is Iterable, this way the SPI is not forcing implementations to load all at once when it may not be appropriate to proactively load all at once. |
We could make the API return an Though if the API is about guaranteeing only "declared" roles (roles appearing in |
Yeah if this is about a finite set based on the configuration and the annotations maybe being iterable is not needed. |
We should put a clarification in the javadoc that it only returns roles that have in some way been declared (giving the examples above), and not roles that have been dynamically added in some way. Underlying things like The question is whether we also need a method supporting dynamic roles, which should then return in Iterable? |
Signed-off-by: Arjan Tijms <[email protected]>
Add method to get all declared roles as per #203
Presently there is no way to get Set of groups that were set during credential validation.
Soteria has this method but it's not present in API
https://github.com/javaee/security-soteria/blob/master/impl/src/main/java/org/glassfish/soteria/SecurityContextImpl.java
Because of that redundant database lookup is required during login process.
The text was updated successfully, but these errors were encountered: