[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2423) checkEntityPermission only checks one method
Keith Naas (JIRA)
jira-events at lists.jboss.org
Sun Feb 24 21:06:42 EST 2008
[ http://jira.jboss.com/jira/browse/JBSEAM-2423?page=comments#action_12400427 ]
Keith Naas commented on JBSEAM-2423:
------------------------------------
Looking deeper in CallbackResolver, it definitely does not allow for multiple methods. This line seals the deal
throw new PersistenceException("You can only annotate one callback method with " + annotation.getName() + " in bean class: " + beanClass.getName());
This bug should likely be closed since Hibernate does not even allow for this behavior. If other JPA implementations support it, then they are either doing it as an extension to JPA, or its completely accidental.
> checkEntityPermission only checks one method
> --------------------------------------------
>
> Key: JBSEAM-2423
> URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
> Project: JBoss Seam
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.0.1.CR1
> Environment: JPA on tomcat6
> Reporter: Andrew
> Assigned To: Shane Bryzak
> Priority: Critical
>
> If an entity has more than one method marked as @PrePersist, only one method is used to check for security. All methods should be considered and the result "anded" together.
> Code in the Identity bean only checks for a @Restrict on the first method found. In my case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
> @PrePersist @PreUpdate @PreRemove @Restrict
> public void beforeChange() {}
> (everything is restricted except for read access)
> According to the PrePersist documentation, multiple PrePersist methods are valid. There are workarounds, but this is dangerous code. If it were not for my unit tests it could have slipped through. The seam documentation does not mention this limitation
> I marked this as critical as it creates security holes in the application.
> Here is the relevant code:
> public void checkEntityPermission(Object entity, EntityAction action)
> {
> isLoggedIn(true);
>
> PersistenceProvider provider = PersistenceProvider.instance();
> Class beanClass = provider.getBeanClass(entity);
>
> if (beanClass != null)
> {
> String name = Seam.getComponentName(entity.getClass());
> if (name == null) name = beanClass.getName();
>
> Method m = null;
> switch (action)
> {
> case READ:
> m = provider.getPostLoadMethod(beanClass);
> break;
> case INSERT:
> m = provider.getPrePersistMethod(beanClass);
> break;
> case UPDATE:
> m = provider.getPreUpdateMethod(beanClass);
> break;
> case DELETE:
> m = provider.getPreRemoveMethod(beanClass);
> }
>
> Restrict restrict = null;
>
> if (m != null && m.isAnnotationPresent(Restrict.class))
> {
> restrict = m.getAnnotation(Restrict.class);
> }
> else if (entity.getClass().isAnnotationPresent(Restrict.class))
> {
> restrict = entity.getClass().getAnnotation(Restrict.class);
> }
> if (restrict != null)
> {
> if (Strings.isEmpty(restrict.value()))
> {
> checkPermission(name, action.toString(), entity);
> }
> else
> {
> checkRestriction(restrict.value());
> }
> }
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list