[jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-3947) Seam PersistentPermissionResolver do not recognizes roles created by RunAsOperation when checking 'hasPermission' method
Shane Bryzak (JIRA)
jira-events at lists.jboss.org
Thu Apr 16 20:10:22 EDT 2009
[ https://jira.jboss.org/jira/browse/JBSEAM-3947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shane Bryzak reassigned JBSEAM-3947:
------------------------------------
Assignee: Shane Bryzak
> Seam PersistentPermissionResolver do not recognizes roles created by RunAsOperation when checking 'hasPermission' method
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: JBSEAM-3947
> URL: https://jira.jboss.org/jira/browse/JBSEAM-3947
> Project: Seam
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.1.1.GA
> Environment: Any
> Reporter: douglas carvalho
> Assignee: Shane Bryzak
>
> When trying to register a new user by using persistent permission utilities of seam, we use RunAsOperation:
> new RunAsOperation() {
> public void execute() {
> identityManager.createUser(user.getUsername(), user.getPassword());
> identityManager.grantRole(user.getUsername(), "user");
> }
> }.addRole("admin").run();
> RunAsOperation class adds the role "admin" to a SimpleGroup and put it in subject property. Then it calls run(), wich one calls runAs() in current session identity object. This one, by itself, get the Principal object from the RunAsOperation object passed as parameter. Since the RunAsOperation was just constructed, it 'principal's name is NULL. Execute() method we created calls createUser, wich one calls, before anything, the hasPermission() method from PersistentPermissionResolver.
> In hasPermission() method of PersistentPermissionResolver, it gets the name of the current principal:
> " String username = identity.getPrincipal().getName(); "
> Since we are in the context execution of the RunAsOperation, as I sayd the getPrincipal().getName() returns NULL.
> Now username is NULL.
> A bit more forward, we have an iterator, passing by each of the permissions got from the database with the specified target and action.
> The problem comes at exacly here:
> It only checks the permission for the user got from the Principal. And since the real role asked to be the owner of the security checking is in 'subject' property of the identity, inside of a SimpleGroup, as a member of this one, and not in the 'principal' property, the seam code do the check over a NULL recipient, resulting in a NullPointerException.
> if (permission.getRecipient() instanceof SimplePrincipal && username.equals(permission.getRecipient().getName())){
> iter.remove();
> break;
> }
> I modified some code to fix that:
> for (Permission permission : permissions) {
> try {
> for (Principal grupo : identity.getSubject().getPrincipals()) {
> if (grupo instanceof SimpleGroup) {
> SimpleGroup grupoSimples = (SimpleGroup) grupo;
> if (grupoSimples.isMember(new SimplePrincipal(permission.getRecipient().getName()))) {
> return true;
> }
> }
> }
> if (permission.getRecipient() instanceof SimplePrincipal && username.equals(permission.getRecipient().getName())) {
> return true;
> }
> if (permission.getRecipient() instanceof Role) {
> Role role = (Role) permission.getRecipient();
> if (role.isConditional()) {
> RuleBasedPermissionResolver resolver = RuleBasedPermissionResolver.instance();
> if (resolver.checkConditionalRole(role.getName(), target, action))
> return true;
> } else if (identity.hasRole(role.getName())) {
> return true;
> }
> }
> } catch (NullPointerException e) {
> // Log or do something
> }
> }
>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list