Story #2639
daisy-chain equivalent identities causes problems with transitivity
100%
Description
At least in the metacat implementation of isAuthorize, and the derived AuthUtils.authorizedClientSubjects() in d1_common_java, when person X is mapped to Y, and Y is mapped to Z, X does not get Z's verification status, nor Z's group subjects, when processing the subjectInfo.
This situation may or may not occur, depending on whether cn.getSubjectInfo fills in missing mapped identities.
The valid situation where a user cannot close the loop on missing mappings is where an administratively added legacy subject is mapped to a ci-logon-supported identity. The user cannot effectively confirm a mapped identity request as the legacy subject for after-the-fact additions of mapped identities.
History
#1 Updated by Rob Nahf over 12 years ago
- Status changed from New to Closed
Implementation of the AuthUtils methods by metacat solved this problem.
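The X -> Y -> Z case from the description, as an added example that is not the metacat or d1_common_java code: a lookup that stops at the directly mapped identities, next to a transitive closure over the mappings. The `Person` and `Resolved` records, the method names and the `CN=...` subjects are hypothetical, and the mappings are assumed to be already confirmed (Java 16+ for records).

```java
import java.util.*;

public class EquivalentIdentityClosure {
    // Hypothetical stand-in for one person entry in a subjectInfo (not the d1_common_java type).
    record Person(boolean verified, List<String> mappedTo, List<String> groups) {}
    record Resolved(Set<String> subjects, boolean verified) {}

    // Stops after the directly mapped identities, so a chained identity is never reached.
    static Resolved oneHop(Map<String, Person> info, String start) {
        Set<String> subjects = new LinkedHashSet<>(List.of(start));
        Person p = info.get(start);
        if (p == null) return new Resolved(subjects, false);
        subjects.addAll(p.mappedTo());
        subjects.addAll(p.groups());
        return new Resolved(subjects, p.verified());
    }

    // Breadth-first walk over the mappings; the visited set makes loops such as X->Y->X terminate.
    static Resolved closure(Map<String, Person> info, String start) {
        Set<String> visited = new LinkedHashSet<>();
        Set<String> groups = new LinkedHashSet<>();
        Deque<String> queue = new ArrayDeque<>(List.of(start));
        boolean verified = false;
        while (!queue.isEmpty()) {
            String subject = queue.poll();
            if (!visited.add(subject)) continue;   // already expanded
            Person p = info.get(subject);
            if (p == null) continue;               // mapped subject without its own entry
            verified |= p.verified();
            groups.addAll(p.groups());
            queue.addAll(p.mappedTo());
        }
        visited.addAll(groups);
        return new Resolved(visited, verified);
    }

    public static void main(String[] args) {
        // Constructed sample: X -> Y -> Z, where only Z is verified and in a group.
        Map<String, Person> info = Map.of(
            "CN=X", new Person(false, List.of("CN=Y"), List.of()),
            "CN=Y", new Person(false, List.of("CN=X", "CN=Z"), List.of()),
            "CN=Z", new Person(true, List.of("CN=Y"), List.of("CN=groupG")));
        System.out.println("one hop: " + oneHop(info, "CN=X"));
        System.out.println("closure: " + closure(info, "CN=X"));
    }
}
```

Only the closure result for `CN=X` contains `CN=Z`, its group and its verified flag; the one-hop result ends at `CN=Y`.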