
NXCALS-4751 Fixed group service access for not registered users

Merge request template

When a user is not registered in NXCALS, we cannot obtain his details (org.springframework.security.core.userdetails.UserDetails) from the UserPrincipalService and use the standard RBAC principal (java.security.Principal) to put them into the authentication object. Later on, when trying to determine whether groups are visible or not to the user, a wrong assumption is made: we try to cast the principal object from the authentication to UserDetails, though the RBAC principal object (java.security.Principal) is not an instance of that class. In this MR the following strategy is implemented:

  1. if a user is registered in NXCALS, Group service will return all groups that are visible to that user
  2. if user is not registered in NXCALS (authenticated via RBAC), Group service will return all groups that are publicly visible

In the long-term, there are 2 options available:

  1. Refactor our security to be based on the RBAC roles (some discussions already took place in the past)
  2. Request RBAC team to provide a way to build org.springframework.security.core.userdetails.UserDetails object from RBAC token.

COMPATIBILITY NOTE

Please make sure that this change is BACKWARDS COMPATIBLE and that a new server will work correctly with clients using old API versions.

It may be that data sent in the new format will break the old clients.

In case of any potential incompatibility we have to inform our clients and schedule release & deployment with them.


@acc-logging-team - please have a look for approval.

Please describe the merge request here.

Closes NXCALS-4751
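The failing cast and the two-branch strategy described in the MR, shown as an added Java example that is not NXCALS code: it assumes spring-security-core on the classpath and Java 16+, and the Group record, the GROUPS sample list and the method names are constructed for illustration.

```java
import java.security.Principal;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class GroupVisibilityDemo {
    // Constructed sample group: name, owner, and whether it is publicly visible.
    record Group(String name, String owner, boolean publicVisible) {}

    static final List<Group> GROUPS = List.of(
        new Group("lhc-public", "alice", true),
        new Group("alice-private", "alice", false),
        new Group("bob-private", "bob", false));

    // Before the fix: assumes every principal is a UserDetails. An RBAC-only
    // principal (plain java.security.Principal) makes this throw ClassCastException.
    static List<Group> visibleGroupsBuggy(Authentication auth) {
        UserDetails user = (UserDetails) auth.getPrincipal();
        return GROUPS.stream()
            .filter(g -> g.publicVisible() || g.owner().equals(user.getUsername()))
            .collect(Collectors.toList());
    }

    // After the fix: a registered user (UserDetails) sees public groups plus their own;
    // any other principal (RBAC-only) is restricted to publicly visible groups.
    static List<Group> visibleGroups(Authentication auth) {
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails user) {
            return GROUPS.stream()
                .filter(g -> g.publicVisible() || g.owner().equals(user.getUsername()))
                .collect(Collectors.toList());
        }
        return GROUPS.stream().filter(Group::publicVisible).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        UserDetails alice = User.withUsername("alice").password("n/a").roles("USER").build();
        Authentication registered = new UsernamePasswordAuthenticationToken(alice, null, alice.getAuthorities());
        Principal rbacOnly = () -> "rbac-user"; // constructed stand-in for an RBAC principal
        Authentication external = new UsernamePasswordAuthenticationToken(rbacOnly, null, List.of());

        System.out.println("registered user sees: " + visibleGroups(registered));
        System.out.println("RBAC-only user sees:  " + visibleGroups(external));
        try {
            visibleGroupsBuggy(external);
        } catch (ClassCastException e) {
            System.out.println("buggy path for RBAC principal threw " + e.getClass().getSimpleName());
        }
    }
}
```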
