Closed ujibang closed 1 year ago
The jwtTokenManager returns the account as a PwdCredentialAccount even if the MongoRealmAuthenticator or FileRealmAuthenticator are used.
These authenticators are able to hold more account properties that can be used in the ACL permissions.
Expected Behavior
The jwtTokenManager should be configurable to add selected properties to the signed token.
Current Behavior
The jwtTokenManager returns the account as a PwdCredentialAccount. This does not allow storing additional properties.
Context
If the ACL uses a predicate on a user property, such as:
{ "mongo": { "readFilter": { "tenants": { "_$exists": true, "$in": "@user.tenants" } } } }
The predicate will fail because the property tenants is not available.
Environment
affected version: RESTHeart 7.1
fixed by 23ae157a37057b30e89aa5777179cea8f9cec130
will be in 7.4
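A minimal model of the behaviour reported in this issue, added here as an illustration and not RESTHeart's code: an account rebuilt from a signed token carries only the claims that were put into it, so a readFilter that references @user.tenants resolves only when tenants was selected for inclusion. The names issue_token, account_from_token, resolve, filter_for and extra_claims, the key and the sample user are all assumptions, and denying on a missing property is this sketch's choice.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret, for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(account: dict, extra_claims=()) -> str:
    """Sign an HS256 JWT with sub, roles and only the allow-listed properties."""
    # No exp claim here: the example covers only the property mapping.
    claims = {"sub": account["_id"], "roles": account["roles"]}
    claims.update({k: account[k] for k in extra_claims if k in account})
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def account_from_token(token: str) -> dict:
    """Verify the signature, then rebuild the account from the claims alone."""
    head, body, sig = token.split(".")
    good = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

def resolve(node, account: dict):
    """Replace "@user.<prop>" strings in a filter; a missing property denies."""
    if isinstance(node, dict):
        return {k: resolve(v, account) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, account) for v in node]
    if isinstance(node, str) and node.startswith("@user."):
        prop = node[len("@user."):]
        if prop not in account:
            raise PermissionError(f"account has no property {prop!r}")
        return account[prop]
    return node

READ_FILTER = {"tenants": {"_$exists": True, "$in": "@user.tenants"}}
USER = {"_id": "alice", "roles": ["user"], "tenants": ["acme", "globex"]}  # constructed

def filter_for(token: str):
    """Return the resolved readFilter, or None when it cannot be resolved."""
    try:
        return resolve(READ_FILTER, account_from_token(token))
    except PermissionError:
        return None
```

Because the selected properties are inside the signed payload, a client cannot change its own tenants value without invalidating the signature.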