[
https://issues.jboss.org/browse/SEAMSECURITY-108?page=com.atlassian.jira....
]
Luca Cavagnoli edited comment on SEAMSECURITY-108 at 10/5/11 7:50 PM:
----------------------------------------------------------------------
I explored the source code and I found this:
The method
{code:java}
org.picketlink.idm.api Group
org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl.createGroup(String
groupName, String groupType)
{code}
tries to find the Identity Object Type "groupType" with the following
instruction:
{code:java}
IdentityObjectType iot = getIdentityObjectType(groupType);
{code}
Which causes a call to:
{code:java}
org.picketlink.idm.spi.model IdentityObjectType
org.picketlink.idm.impl.api.session.mapper.IdentityObjectTypeMapperImpl.getIdentityObjectType(String
groupType)
{code}
Which matches the given groupType against a Map representing the existing group types. If
no match is found, it returns null.
After that, PersistenceManagerImpl has the following line:
{code:java}
IdentityObject identityObject =
getRepository().createIdentityObject(getInvocationContext(), groupName, iot);
{code}
with a nul "iot" parameter.
What I find weird is that the following line in JpaIdentityStore:
{code:java}
typeProp.setValue(identityInstance, identityObjectType.getName());
{code}
doesn't throw a NullPointerException.
was (Author: lucaster):
I explored the source code and I found this:
The method
{code:java}
org.picketlink.idm.api Group
org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl.createGroup(String
groupName, String groupType)
{code}
tries to find the Identity Object Type "groupType" with the following
instruction:
{code:java}
IdentityObjectType iot = getIdentityObjectType(groupType);
{code}
Which causes a call to:
org.picketlink.idm.impl.api.session.mapper
{code:java}
org.picketlink.idm.spi.model IdentityObjectType
org.picketlink.idm.impl.api.session.mapper.IdentityObjectTypeMapperImpl.getIdentityObjectType(String
groupType)
{code}
Which matches the given groupType against a Map representing the existing group types. If
no match is found, it returns null.
After that, PersistenceManagerImpl has the following line:
{code:java}
IdentityObject identityObject =
getRepository().createIdentityObject(getInvocationContext(), groupName, iot);
{code}
with a nul "iot" parameter.
What I find weird is that the following line in JpaIdentityStore:
{code:java}
typeProp.setValue(identityInstance, identityObjectType.getName());
{code}
doesn't throw a NullPointerException.
Discrepancies in User and Group management API in Seam Security 3
-----------------------------------------------------------------
Key: SEAMSECURITY-108
URL:
https://issues.jboss.org/browse/SEAMSECURITY-108
Project: Seam Security
Issue Type: Bug
Affects Versions: 3.1.0.Beta3
Environment: Seam 3.1.0.Beta2
JBoss AS 7
idmconsole
Reporter: Luca Cavagnoli
Assignee: Shane Bryzak
Priority: Minor
Labels: idmconsole, picketlink, seam-security
The method:
{code:java}
Group groupName = pm.createGroup("Group name", "Group type");
{code}
just adds a row in IdentityObject with the following values:
{code:sql}
('Group name', SELECT id FROM IdentityObjectType WHERE name = 'Group
type')
{code}
if IdentityObjectType doesn't already have a row with name = "Group type",
the IDENTITY_OBJECT_TYPE_ID in the new IdentityObject row is set to null, instead of
adding a new row in IdentityObjectType for the new group type.
The method
{code:java}
PersistenceManager.createGroup(String groupName, String groupType)
{code}
can also be abused by creating a group with 'USER' as groupType, despite
'USER' was the identity object type chosen to represent users, not groups.
The method
{code:java}
Collection<Group> PersistenceManager.findGroup(String groupType)
{code}
performs no check about the groupType parameter. One could invoke it as follows:
{code:java}
findGroup("USER")
{code}
and the result would be a list of groups which are actually users.
'USER' should be excluded from the list of types that are searched for.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira