[seam-issues] [JBoss JIRA] (SEAM-102) Discrepancies in User and Group management API in Seam Security 3
Luca Cavagnoli (Updated) (JIRA)
jira-events at lists.jboss.org
Tue Oct 4 21:34:16 EDT 2011
[ https://issues.jboss.org/browse/SEAM-102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Luca Cavagnoli updated SEAM-102:
--------------------------------
Labels: idmconsole picketlink seam-security (was: picketlink seam-security)
Environment:
Seam 3.1.0.Beta2
JBoss AS 7
idmconsole
was:
Seam 3.1.0.Beta2
JBoss AS 7
Workaround Description: (was: Create all the IdentityObjectType entries that your application is going to be using up front. (partial workaround))
Component/s: Shared Examples
Forum Reference: http://seamframework.org/Community/PerplexitiesAboutSeam3AndPicketlink (was: http://seamframework.org/Community/PerplexitiesAboutSeam3AndPicketlink)
When filing this JIRA, I chose 3.0.0.Final as the affected version because it didn't allow me to choose 3.1.0.Beta2, which I am actually using.
I'm using 3.1.0.Beta2 because with 3.0.0.Final the idmconsole example doesn't work with JBoss AS 7.
> Discrepancies in User and Group management API in Seam Security 3
> -----------------------------------------------------------------
>
> Key: SEAM-102
> URL: https://issues.jboss.org/browse/SEAM-102
> Project: Seam 3 Distribution
> Issue Type: Bug
> Components: Shared Examples
> Affects Versions: 3.0.0.Final
> Environment: Seam 3.1.0.Beta2
> JBoss AS 7
> idmconsole
> Reporter: Luca Cavagnoli
> Priority: Minor
> Labels: idmconsole, picketlink, seam-security
>
> The method:
> {code:java}
> Group groupName = pm.createGroup("Group name", "Group type");
> {code}
> just adds a row in IdentityObject with the following values:
> {code:sql}
> ('Group name', SELECT id FROM IdentityObjectType WHERE name = 'Group type')
> {code}
> If IdentityObjectType doesn't already have a row with name = "Group type", the IDENTITY_OBJECT_TYPE_ID in the new IdentityObject row is set to null, instead of adding a new row in IdentityObjectType for the new group type.
> The method
> {code:java}
> PersistenceManager.createGroup(String groupName, String groupType)
> {code}
> can also be abused by creating a group with 'USER' as groupType, even though 'USER' was the identity object type chosen to represent users, not groups.
> The method
> {code:java}
> Collection<Group> PersistenceManager.findGroup(String groupType)
> {code}
> performs no check about the groupType parameter. One could invoke it as follows:
> {code:java}
> findGroup("USER")
> {code}
> and the result would be a list of groups which are actually users.
> 'USER' should be excluded from the list of types that are searched for.
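An application-side guard for the two calls described in the report, as an added example (not code from the report or from Seam Security). The GroupStore interface, GuardedGroupStore class and the in-memory data are hypothetical stand-ins; the guard rejects the 'USER' type and any group type that was not created up front, before the call reaches the store.

```java
import java.util.*;
public class GroupTypeGuardDemo {
    /** Hypothetical stand-in mirroring the two calls quoted in the report. */
    interface GroupStore {
        String createGroup(String groupName, String groupType);
        Collection<String> findGroup(String groupType);
    }
    static final String USER_TYPE = "USER"; // type the report says represents users
    /** Rejects the reserved user type and any type not created up front. */
    static final class GuardedGroupStore implements GroupStore {
        private final GroupStore delegate;
        private final Set<String> groupTypes = new HashSet<>();
        GuardedGroupStore(GroupStore delegate, Collection<String> preCreatedTypes) {
            this.delegate = delegate;
            groupTypes.addAll(preCreatedTypes);
        }
        private void check(String type) {
            // Case-insensitive match on USER is a conservative assumption.
            if (type == null || USER_TYPE.equalsIgnoreCase(type.trim()))
                throw new IllegalArgumentException("group type is missing or reserved for users");
            if (!groupTypes.contains(type))
                throw new IllegalArgumentException("unknown group type: " + type);
        }
        public String createGroup(String name, String type) {
            check(type);
            return delegate.createGroup(name, type);
        }
        public Collection<String> findGroup(String type) {
            check(type);
            return delegate.findGroup(type);
        }
    }
    public static void main(String[] args) {
        Map<String, List<String>> rows = new HashMap<>(); // constructed in-memory data
        rows.put("USER", new ArrayList<>(List.of("alice", "bob")));
        GroupStore raw = new GroupStore() {
            public String createGroup(String n, String t) {
                rows.computeIfAbsent(t, k -> new ArrayList<>()).add(n); return n;
            }
            public Collection<String> findGroup(String t) { return rows.getOrDefault(t, List.of()); }
        };
        GroupStore guarded = new GuardedGroupStore(raw, List.of("Head Office", "USER"));
        System.out.println(raw.findGroup("USER")); // unguarded: users come back as groups
        for (String type : new String[] {"Head Office", "USER", "Typo Type"}) {
            try { System.out.println(guarded.createGroup("Sales", type) + " created as " + type); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```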