Skip to content

Fix: extend adminGroup ROLE_ADMIN assignment to X509 cert auth#70

Open
milne1282 wants to merge 1 commit into
TAK-Product-Center:mainfrom
milne1282:feature/x509-admin-group
Open

Fix: extend adminGroup ROLE_ADMIN assignment to X509 cert auth#70
milne1282 wants to merge 1 commit into
TAK-Product-Center:mainfrom
milne1282:feature/x509-admin-group

Conversation

@milne1282

Copy link
Copy Markdown

The adminGroup LDAP config attribute was only checked in OAuthAuthenticator (OAuth/JWT token flow), but not in X509Authenticator (certificate-based auth on the HTTPS connector). As a result, users authenticating via X.509 client certificate were never granted ROLE_ADMIN based on LDAP group membership, even when correctly configured.

Add the same adminGroup check to X509Authenticator's LDAP group lookup path, mirroring the existing logic in OAuthAuthenticator. After LDAP group info is retrieved and processed through groupPrefix and groupNameExtractorRegex, if the resulting group set contains the configured adminGroup value, ROLE_ADMIN is added to the user's authorities.

The adminGroup LDAP config attribute was only checked in OAuthAuthenticator
(OAuth/JWT token flow), but not in X509Authenticator (certificate-based auth
on the HTTPS connector). As a result, users authenticating via X.509 client
certificate were never granted ROLE_ADMIN based on LDAP group membership,
even when correctly configured.

Add the same adminGroup check to X509Authenticator's LDAP group lookup path,
mirroring the existing logic in OAuthAuthenticator. After LDAP group info is
retrieved and processed through groupPrefix and groupNameExtractorRegex, if
the resulting group set contains the configured adminGroup value, ROLE_ADMIN
is added to the user's authorities.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant