10:07 p.m.
checkEntityPermission only checks one method
--------------------------------------------
Key: JBSEAM-2423
URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.1.CR1
Environment: JPA on tomcat6
Reporter: Andrew
Priority: Critical
If an entity has more than one method marked as @PrePersist, only one method is used to
check for security. All methods should be considered and the result "anded"
together.
Code in the Identity bean only checks for a @Restrict on the first method found. In my
case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
@PrePersist @PreUpdate @PreRemove @Restrict
public void beforeChange() {}
(everything is restricted except for read access)
According to the PrePersist documentation, multiple PrePersist methods are valid. There
are workarounds, but this is dangerous code. If it were not for my unit tests it could
have slipped through. The seam documentation does not mention this limitation
I marked this as critical as it creates security holes in the application.
Here is the relevant code:
public void checkEntityPermission(Object entity, EntityAction action)
{
isLoggedIn(true);
PersistenceProvider provider = PersistenceProvider.instance();
Class beanClass = provider.getBeanClass(entity);
if (beanClass != null)
{
String name = Seam.getComponentName(entity.getClass());
if (name == null) name = beanClass.getName();
Method m = null;
switch (action)
{
case READ:
m = provider.getPostLoadMethod(beanClass);
break;
case INSERT:
m = provider.getPrePersistMethod(beanClass);
break;
case UPDATE:
m = provider.getPreUpdateMethod(beanClass);
break;
case DELETE:
m = provider.getPreRemoveMethod(beanClass);
}
Restrict restrict = null;
if (m != null && m.isAnnotationPresent(Restrict.class))
{
restrict = m.getAnnotation(Restrict.class);
}
else if (entity.getClass().isAnnotationPresent(Restrict.class))
{
restrict = entity.getClass().getAnnotation(Restrict.class);
}
if (restrict != null)
{
if (Strings.isEmpty(restrict.value()))
{
checkPermission(name, action.toString(), entity);
}
else
{
checkRestriction(restrict.value());
}
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:31 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-2423) checkEntityPermission only checks one method
[ http://jira.jboss.com/jira/browse/JBSEAM-2423?page=all ]
Shane Bryzak reassigned JBSEAM-2423:
------------------------------------
Assignee: Shane Bryzak
checkEntityPermission only checks one method
--------------------------------------------
Key: JBSEAM-2423
URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.1.CR1
Environment: JPA on tomcat6
Reporter: Andrew
Assigned To: Shane Bryzak
Priority: Critical
If an entity has more than one method marked as @PrePersist, only one method is used to
check for security. All methods should be considered and the result "anded"
together.
Code in the Identity bean only checks for a @Restrict on the first method found. In my
case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
@PrePersist @PreUpdate @PreRemove @Restrict
public void beforeChange() {}
(everything is restricted except for read access)
According to the PrePersist documentation, multiple PrePersist methods are valid. There
are workarounds, but this is dangerous code. If it were not for my unit tests it could
have slipped through. The seam documentation does not mention this limitation
I marked this as critical as it creates security holes in the application.
Here is the relevant code:
public void checkEntityPermission(Object entity, EntityAction action)
{
isLoggedIn(true);
PersistenceProvider provider = PersistenceProvider.instance();
Class beanClass = provider.getBeanClass(entity);
if (beanClass != null)
{
String name = Seam.getComponentName(entity.getClass());
if (name == null) name = beanClass.getName();
Method m = null;
switch (action)
{
case READ:
m = provider.getPostLoadMethod(beanClass);
break;
case INSERT:
m = provider.getPrePersistMethod(beanClass);
break;
case UPDATE:
m = provider.getPreUpdateMethod(beanClass);
break;
case DELETE:
m = provider.getPreRemoveMethod(beanClass);
}
Restrict restrict = null;
if (m != null && m.isAnnotationPresent(Restrict.class))
{
restrict = m.getAnnotation(Restrict.class);
}
else if (entity.getClass().isAnnotationPresent(Restrict.class))
{
restrict = entity.getClass().getAnnotation(Restrict.class);
}
if (restrict != null)
{
if (Strings.isEmpty(restrict.value()))
{
checkPermission(name, action.toString(), entity);
}
else
{
checkRestriction(restrict.value());
}
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:22 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2423) checkEntityPermission only checks one method
[ http://jira.jboss.com/jira/browse/JBSEAM-2423?page=comments#action_12400425 ]
Keith Naas commented on JBSEAM-2423:
------------------------------------
According to the orm xsd at http://java.sun.com/xml/ns/persistence/orm_1_0.xsd, a
lifecycle method can only be applied to one method. It doesn't mention anything about
Annotation limitations, of course.
Hibernate's EntityCallbackHandler does appear to support the use of multiple methods
on a class having the same lifecycle annotation. Because of this, it might be a good idea
to support the use of the same lifecycle annotation on multiple methods within Seam's
Entity class.
See
http://anonsvn.jboss.org/repos/hibernate/entitymanager/trunk/src/java/org...
and
http://anonsvn.jboss.org/repos/hibernate/entitymanager/trunk/src/java/org...
checkEntityPermission only checks one method
--------------------------------------------
Key: JBSEAM-2423
URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.1.CR1
Environment: JPA on tomcat6
Reporter: Andrew
Assigned To: Shane Bryzak
Priority: Critical
If an entity has more than one method marked as @PrePersist, only one method is used to
check for security. All methods should be considered and the result "anded"
together.
Code in the Identity bean only checks for a @Restrict on the first method found. In my
case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
@PrePersist @PreUpdate @PreRemove @Restrict
public void beforeChange() {}
(everything is restricted except for read access)
According to the PrePersist documentation, multiple PrePersist methods are valid. There
are workarounds, but this is dangerous code. If it were not for my unit tests it could
have slipped through. The seam documentation does not mention this limitation
I marked this as critical as it creates security holes in the application.
Here is the relevant code:
public void checkEntityPermission(Object entity, EntityAction action)
{
isLoggedIn(true);
PersistenceProvider provider = PersistenceProvider.instance();
Class beanClass = provider.getBeanClass(entity);
if (beanClass != null)
{
String name = Seam.getComponentName(entity.getClass());
if (name == null) name = beanClass.getName();
Method m = null;
switch (action)
{
case READ:
m = provider.getPostLoadMethod(beanClass);
break;
case INSERT:
m = provider.getPrePersistMethod(beanClass);
break;
case UPDATE:
m = provider.getPreUpdateMethod(beanClass);
break;
case DELETE:
m = provider.getPreRemoveMethod(beanClass);
}
Restrict restrict = null;
if (m != null && m.isAnnotationPresent(Restrict.class))
{
restrict = m.getAnnotation(Restrict.class);
}
else if (entity.getClass().isAnnotationPresent(Restrict.class))
{
restrict = entity.getClass().getAnnotation(Restrict.class);
}
if (restrict != null)
{
if (Strings.isEmpty(restrict.value()))
{
checkPermission(name, action.toString(), entity);
}
else
{
checkRestriction(restrict.value());
}
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:06 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2423) checkEntityPermission only checks one method
[ http://jira.jboss.com/jira/browse/JBSEAM-2423?page=comments#action_12400427 ]
Keith Naas commented on JBSEAM-2423:
------------------------------------
Looking deeper in CallbackResolver, it definitely does not allow for multiple methods.
This line seals the deal
throw new PersistenceException("You can only annotate one callback method with "
+ annotation.getName() + " in bean class: " + beanClass.getName());
This bug should likely be closed since Hibernate does not even allow for this behavior.
If other JPA implementations support it, then they are either doing it as an extension to
JPA, or its completely accidental.
checkEntityPermission only checks one method
--------------------------------------------
Key: JBSEAM-2423
URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.1.CR1
Environment: JPA on tomcat6
Reporter: Andrew
Assigned To: Shane Bryzak
Priority: Critical
If an entity has more than one method marked as @PrePersist, only one method is used to
check for security. All methods should be considered and the result "anded"
together.
Code in the Identity bean only checks for a @Restrict on the first method found. In my
case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
@PrePersist @PreUpdate @PreRemove @Restrict
public void beforeChange() {}
(everything is restricted except for read access)
According to the PrePersist documentation, multiple PrePersist methods are valid. There
are workarounds, but this is dangerous code. If it were not for my unit tests it could
have slipped through. The seam documentation does not mention this limitation
I marked this as critical as it creates security holes in the application.
Here is the relevant code:
public void checkEntityPermission(Object entity, EntityAction action)
{
isLoggedIn(true);
PersistenceProvider provider = PersistenceProvider.instance();
Class beanClass = provider.getBeanClass(entity);
if (beanClass != null)
{
String name = Seam.getComponentName(entity.getClass());
if (name == null) name = beanClass.getName();
Method m = null;
switch (action)
{
case READ:
m = provider.getPostLoadMethod(beanClass);
break;
case INSERT:
m = provider.getPrePersistMethod(beanClass);
break;
case UPDATE:
m = provider.getPreUpdateMethod(beanClass);
break;
case DELETE:
m = provider.getPreRemoveMethod(beanClass);
}
Restrict restrict = null;
if (m != null && m.isAnnotationPresent(Restrict.class))
{
restrict = m.getAnnotation(Restrict.class);
}
else if (entity.getClass().isAnnotationPresent(Restrict.class))
{
restrict = entity.getClass().getAnnotation(Restrict.class);
}
if (restrict != null)
{
if (Strings.isEmpty(restrict.value()))
{
checkPermission(name, action.toString(), entity);
}
else
{
checkRestriction(restrict.value());
}
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:52 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2423) checkEntityPermission only checks one method
[ http://jira.jboss.com/jira/browse/JBSEAM-2423?page=comments#action_12400430 ]
Andrew commented on JBSEAM-2423:
--------------------------------
Okay, but odd, as it has been working with hibernate, but if the EM spec is to only have
one then I should fix my code
checkEntityPermission only checks one method
--------------------------------------------
Key: JBSEAM-2423
URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.1.CR1
Environment: JPA on tomcat6
Reporter: Andrew
Assigned To: Shane Bryzak
Priority: Critical
If an entity has more than one method marked as @PrePersist, only one method is used to
check for security. All methods should be considered and the result "anded"
together.
Code in the Identity bean only checks for a @Restrict on the first method found. In my
case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
@PrePersist @PreUpdate @PreRemove @Restrict
public void beforeChange() {}
(everything is restricted except for read access)
According to the PrePersist documentation, multiple PrePersist methods are valid. There
are workarounds, but this is dangerous code. If it were not for my unit tests it could
have slipped through. The seam documentation does not mention this limitation
I marked this as critical as it creates security holes in the application.
Here is the relevant code:
public void checkEntityPermission(Object entity, EntityAction action)
{
isLoggedIn(true);
PersistenceProvider provider = PersistenceProvider.instance();
Class beanClass = provider.getBeanClass(entity);
if (beanClass != null)
{
String name = Seam.getComponentName(entity.getClass());
if (name == null) name = beanClass.getName();
Method m = null;
switch (action)
{
case READ:
m = provider.getPostLoadMethod(beanClass);
break;
case INSERT:
m = provider.getPrePersistMethod(beanClass);
break;
case UPDATE:
m = provider.getPreUpdateMethod(beanClass);
break;
case DELETE:
m = provider.getPreRemoveMethod(beanClass);
}
Restrict restrict = null;
if (m != null && m.isAnnotationPresent(Restrict.class))
{
restrict = m.getAnnotation(Restrict.class);
}
else if (entity.getClass().isAnnotationPresent(Restrict.class))
{
restrict = entity.getClass().getAnnotation(Restrict.class);
}
if (restrict != null)
{
if (Strings.isEmpty(restrict.value()))
{
checkPermission(name, action.toString(), entity);
}
else
{
checkRestriction(restrict.value());
}
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:03 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-2423) checkEntityPermission only checks one method
[ http://jira.jboss.com/jira/browse/JBSEAM-2423?page=all ]
Shane Bryzak closed JBSEAM-2423.
--------------------------------
Resolution: Won't Fix
Closing this issue then.
checkEntityPermission only checks one method
--------------------------------------------
Key: JBSEAM-2423
URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.1.CR1
Environment: JPA on tomcat6
Reporter: Andrew
Assigned To: Shane Bryzak
Priority: Critical
If an entity has more than one method marked as @PrePersist, only one method is used to
check for security. All methods should be considered and the result "anded"
together.
Code in the Identity bean only checks for a @Restrict on the first method found. In my
case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
@PrePersist @PreUpdate @PreRemove @Restrict
public void beforeChange() {}
(everything is restricted except for read access)
According to the PrePersist documentation, multiple PrePersist methods are valid. There
are workarounds, but this is dangerous code. If it were not for my unit tests it could
have slipped through. The seam documentation does not mention this limitation
I marked this as critical as it creates security holes in the application.
Here is the relevant code:
public void checkEntityPermission(Object entity, EntityAction action)
{
isLoggedIn(true);
PersistenceProvider provider = PersistenceProvider.instance();
Class beanClass = provider.getBeanClass(entity);
if (beanClass != null)
{
String name = Seam.getComponentName(entity.getClass());
if (name == null) name = beanClass.getName();
Method m = null;
switch (action)
{
case READ:
m = provider.getPostLoadMethod(beanClass);
break;
case INSERT:
m = provider.getPrePersistMethod(beanClass);
break;
case UPDATE:
m = provider.getPreUpdateMethod(beanClass);
break;
case DELETE:
m = provider.getPreRemoveMethod(beanClass);
}
Restrict restrict = null;
if (m != null && m.isAnnotationPresent(Restrict.class))
{
restrict = m.getAnnotation(Restrict.class);
}
else if (entity.getClass().isAnnotationPresent(Restrict.class))
{
restrict = entity.getClass().getAnnotation(Restrict.class);
}
if (restrict != null)
{
if (Strings.isEmpty(restrict.value()))
{
checkPermission(name, action.toString(), entity);
}
else
{
checkRestriction(restrict.value());
}
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6165
days inactive
6230
days old
5 comments
3 participants
participants (3)
-
Andrew (JIRA) -
Keith Naas (JIRA)
-
Shane Bryzak (JIRA)