[seam-issues] [JBoss JIRA] (SEAMSECURITY-108) Discrepancies in User and Group management API in Seam Security 3

Discrepancies in User and Group management API in Seam Security 3 ----------------------------------------------------------------- Key: SEAMSECURITY-108 URL: https://issues.jboss.org/browse/SEAMSECURITY-108 Project: Seam Security Issue Type: Bug Affects Versions: 3.1.0.Beta3 Environment: Seam 3.1.0.Beta2 JBoss AS 7 idmconsole Reporter: Luca Cavagnoli Priority: Minor Labels: idmconsole, picketlink, seam-security The method: {code:java} Group groupName = pm.createGroup("Group name", "Group type"); {code} just adds a row in IdentityObject with the following values: {code:sql} ('Group name', SELECT id FROM IdentityObjectType WHERE name = 'Group type') {code} if IdentityObjectType doesn't already have a row with name = "Group type", the IDENTITY_OBJECT_TYPE_ID in the new IdentityObject row is set to null, instead of adding a new row in IdentityObjectType for the new group type. The method {code:java} PersistenceManager.createGroup(String groupName, String groupType) {code} can also be abused by creating a group with 'USER' as groupType, despite 'USER' was the identity object type chosen to represent users, not groups. The method {code:java} Collection<Group> PersistenceManager.findGroup(String groupType) {code} performs no check about the groupType parameter. One could invoke it as follows: {code:java} findGroup("USER") {code} and the result would be a list of groups which are actually users. 'USER' should be excluded from the list of types that are searched for.