[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2423) checkEntityPermission only checks one method

Andrew (JIRA) jira-events at lists.jboss.org
Fri Dec 21 23:07:43 EST 2007 

checkEntityPermission only checks one method
--------------------------------------------

                 Key: JBSEAM-2423
                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
             Project: JBoss Seam
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.0.1.CR1
         Environment: JPA on tomcat6
            Reporter: Andrew
            Priority: Critical


If an entity has more than one method marked as @PrePersist, only one method is used to check for security. All methods should be considered and the result "anded" together. 

Code in the Identity bean only checks for a @Restrict on the first method found. In my case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
  @PrePersist @PreUpdate @PreRemove @Restrict
  public void beforeChange() {}

(everything is restricted except for read access)

According to the PrePersist documentation, multiple PrePersist methods are valid. There are workarounds, but this is dangerous code. If it were not for my unit tests it could have slipped through. The seam documentation does not mention this limitation

I marked this as critical as it creates security holes in the application.

Here is the relevant code:
   public void checkEntityPermission(Object entity, EntityAction action)
   {      
      isLoggedIn(true);
      
      PersistenceProvider provider = PersistenceProvider.instance(); 
      Class beanClass = provider.getBeanClass(entity);
      
      if (beanClass != null)
      {
         String name = Seam.getComponentName(entity.getClass());
         if (name == null) name = beanClass.getName();  
         
         Method m = null;
         switch (action)
         {
            case READ:
               m = provider.getPostLoadMethod(beanClass);
               break;
            case INSERT:
               m = provider.getPrePersistMethod(beanClass);
               break;
            case UPDATE:
               m = provider.getPreUpdateMethod(beanClass);
               break;
            case DELETE:
               m = provider.getPreRemoveMethod(beanClass);
         }
         
         Restrict restrict = null;
         
         if (m != null && m.isAnnotationPresent(Restrict.class))
         {
            restrict = m.getAnnotation(Restrict.class);
         }
         else if (entity.getClass().isAnnotationPresent(Restrict.class))
         {
            restrict = entity.getClass().getAnnotation(Restrict.class);
         }

         if (restrict != null)
         {
            if (Strings.isEmpty(restrict.value()))
            {
               checkPermission(name, action.toString(), entity);
            }
            else
            {
               checkRestriction(restrict.value());
            }
         }
      }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list