[aerogear-dev] [Unified Push Server] Roles structure & password management
Matthias Wessendorf
matzew at apache.org
Tue Nov 5 14:33:55 EST 2013
On Tue, Nov 5, 2013 at 8:28 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> As far as I recall (because we discussed it a long time ago). But I
> think you are talking about the following piece of code, right? I think
> the method below is still handy.
>
> /**
> * Role validation against the IDM
> *
> * @param roles roles to be checked
> * @return returns true if the current logged in has roles at the
> IDM, false otherwise
> */
> @Override
> public boolean hasRoles(Set<String> roles) {
>
> if (identity.isLoggedIn()) {
> for (String role : roles) {
> Role retrievedRole = BasicModel.getRole(identityManager,
> role);
> if (retrievedRole != null &&
> BasicModel.hasRole(partitionManager.createRelationshipManager(),
> identity.getAccount(), retrievedRole)) {
> return true;
> }
> }
> }
> return false;
> }
>
> Speaking about the interceptor, here comes some criticism about what I did:
>
> private void authorize(Set<String> roles) {
> boolean hasRoles = identityManagement.hasRoles(roles);
>
> if (!hasRoles)
> throw new
> AeroGearSecurityException(HttpStatus.CREDENTIAL_NOT_AUTHORIZED);
> }
>
> The code above doesn't open a security flaw, but being completely
> paranoid that should be refactored to authorize accept a single role (I
> can be wrong). But think about the following scenario (out of the UPS
> box). If the developer mistakenly add "simple", "admin" to the some
> method (is not impossible) which does some sensitive operation, this
> might be a problem.
>
correct - if you add incorrect roles, that causes problems;
> As I told you guys, I'm not against it, but my job is to be picky and
> raise some concerns. AG Sec is not the holy grail of security and must
> be improved.
>
> Sebastien Blanc wrote:
> > But that is already something that we can do with AG PL , adding
> > multiple roles to the secure annotation. You said we should maybe
> > remove this from ag-pl ?
>
> --
> abstractj
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20131105/7bc986fe/attachment.html
More information about the aerogear-dev
mailing list