[jboss-cvs] JBossAS SVN: r81923 - in projects/security/security-jboss-sx/trunk/jbosssx/src: test/java/org/jboss/test/security/helpers and 1 other directory.
Mon Dec 1 15:48:18 EST 2008
Author: anil.saldhana at jboss.com
Date: 2008-12-01 15:48:17 -0500 (Mon, 01 Dec 2008)
New Revision: 81923
Modified:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/WebAuthorizationHelper.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/WebAuthorizationHelperUnitTestCase.java
Log:
SECURITY-336: sanitize inputs
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java 2008-12-01 20:39:01 UTC (rev 81922)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java 2008-12-01 20:48:17 UTC (rev 81923)
@@ -66,11 +66,21 @@
String contextID,
RoleGroup methodRoles)
{
+ if(ejbName == null)
+ throw new IllegalArgumentException("ejbName is null");
+ if(ejbMethod == null)
+ throw new IllegalArgumentException("ejbMethod is null");
+ if(ejbCS == null)
+ throw new IllegalArgumentException("EJB CodeSource is null");
if(contextID == null)
- throw new IllegalArgumentException("ContextID is null");
+ throw new IllegalArgumentException("ContextID is null");
+ if(callerSubject == null)
+ throw new IllegalArgumentException("callerSubject is null");
AuthorizationManager am = securityContext.getAuthorizationManager();
-
+ if(am == null)
+ throw new IllegalStateException("Authorization Manager is null");
+
HashMap<String,Object> map = new HashMap<String,Object>();
try
{
@@ -136,8 +146,14 @@
public boolean isCallerInRole(String roleName, String ejbName, Principal ejbPrincipal, Subject callerSubject,
String contextID, Set<SecurityRoleRef> securityRoleRefs, boolean enforceEJBRestrictions)
{
+ if(roleName == null)
+ throw new IllegalArgumentException("roleName is null");
+ if(ejbName == null)
+ throw new IllegalArgumentException("ejbName is null");
if(contextID == null)
throw new IllegalArgumentException("ContextID is null");
+ if(callerSubject == null)
+ throw new IllegalArgumentException("callerSubject is null");
boolean isAuthorized = false;
AuthorizationManager am = securityContext.getAuthorizationManager();
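Review bot: The AuthorizationManager obtained on the last line of this hunk is not null-checked, whereas the previous hunk in this file now rejects a null manager with `if(am == null) throw new IllegalStateException("Authorization Manager is null");`. Unless isCallerInRole checks it further down, outside the hunk, a misconfigured security context will fail here with a NullPointerException instead of the IllegalStateException the other method reports. Adding the same two lines directly after the assignment would keep the two methods consistent; isCallerInRole's body continues beyond the hunk.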
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/WebAuthorizationHelper.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/WebAuthorizationHelper.java 2008-12-01 20:39:01 UTC (rev 81922)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/javaee/WebAuthorizationHelper.java 2008-12-01 20:48:17 UTC (rev 81923)
@@ -64,9 +64,20 @@
{
if(contextID == null)
throw new IllegalArgumentException("ContextID is null");
+ if(callerSubject == null)
+ throw new IllegalArgumentException("callerSubject is null");
+ if(request == null)
+ throw new IllegalArgumentException("request is null");
+ if(response == null)
+ throw new IllegalArgumentException("response is null");
+ if(canonicalRequestURI == null)
+ throw new IllegalArgumentException("canonicalRequestURI is null");
AuthorizationManager authzMgr = securityContext.getAuthorizationManager();
+ if(authzMgr == null)
+ throw new IllegalStateException("Authorization Manager is null");
+
boolean isAuthorized = false;
WebResource webResource = new WebResource(Collections.unmodifiableMap(contextMap));
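Review bot: contextMap is the one input this hunk does not validate, and the last line passes it straight to `Collections.unmodifiableMap(contextMap)`, which throws NullPointerException for a null argument, so a null map still escapes as an NPE rather than the IllegalArgumentException every other parameter now produces. The same gap is in the hunk at @@ -159,8 +175,16 @@, where `contextMap.put(ResourceKeys.POLICY_REGISTRATION, ...)` dereferences it directly. A guard alongside the others would close it: `if(contextMap == null) throw new IllegalArgumentException("contextMap is null");`. The method signature is outside the hunk; that contextMap is a parameter is inferred from the unit test's `wah.checkResourcePermission(contextMap, request, ...)` call.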
@@ -107,13 +118,18 @@
String contextID,
Subject callerSubject)
{
+ if(roleName == null)
+ throw new IllegalArgumentException("roleName is null");
if(contextID == null)
throw new IllegalArgumentException("ContextID is null");
+ if(callerSubject == null)
+ throw new IllegalArgumentException("callerSubject is null");
+
AuthorizationManager authzMgr = securityContext.getAuthorizationManager();
+ if(authzMgr == null)
+ throw new IllegalStateException("Authorization Manager is null");
- if(callerSubject == null)
- throw new IllegalArgumentException("callerSubject is null");
boolean hasTheRole = false;
Map<String,Object> map = new HashMap<String,Object>();
map.put(ResourceKeys.ROLENAME, roleName);
@@ -159,8 +175,16 @@
{
if(contextID == null)
throw new IllegalArgumentException("ContextID is null");
+ if(callerSubject == null)
+ throw new IllegalArgumentException("callerSubject is null");
+ if(request == null)
+ throw new IllegalArgumentException("request is null");
+ if(response == null)
+ throw new IllegalArgumentException("response is null");
AuthorizationManager authzMgr = securityContext.getAuthorizationManager();
+ if(authzMgr == null)
+ throw new IllegalStateException("Authorization Manager is null");
boolean hasPerm = false;
contextMap.put(ResourceKeys.POLICY_REGISTRATION, getPolicyRegistration());
@@ -192,4 +216,4 @@
}
return hasPerm;
}
-}
+}
\ No newline at end of file
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java 2008-12-01 20:39:01 UTC (rev 81922)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java 2008-12-01 20:48:17 UTC (rev 81923)
@@ -75,7 +75,7 @@
DummyClass.class.getMethod("someMethod", new Class[0]),
ejbPrincipal,
"void someMethod",
- null,
+ this.getClass().getProtectionDomain().getCodeSource(),
callerSubject,
null,
"ejb.jar",
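Review bot: `this.getClass().getProtectionDomain().getCodeSource()` is documented as possibly returning null, so under a class loader that sets no CodeSource this test would trip the new `ejbCS == null` guard in EJBAuthorizationHelper instead of exercising the authorization path it is meant to cover. A constructed value such as `new CodeSource(new URL("file:ejb.jar"), (Certificate[]) null)` (java.security.CodeSource, java.security.cert.Certificate) gives the test a deterministic input; the same substitution applies to the hunk at @@ -98,8 +98,8 @@. The enclosing test method starts and ends outside the hunk.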
@@ -98,8 +98,8 @@
boolean result = eah.authorize("TestEJB",
DummyClass.class.getMethod("someMethod", new Class[0]),
ejbPrincipal,
- "void someMethod",
- null,
+ "void someMethod",
+ this.getClass().getProtectionDomain().getCodeSource(),
callerSubject,
null,
"ejb.jar",
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/WebAuthorizationHelperUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/WebAuthorizationHelperUnitTestCase.java 2008-12-01 20:39:01 UTC (rev 81922)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/security/helpers/WebAuthorizationHelperUnitTestCase.java 2008-12-01 20:48:17 UTC (rev 81923)
@@ -21,10 +21,15 @@
*/
package org.jboss.test.security.helpers;
+import java.io.IOException;
+import java.io.PrintWriter;
import java.util.HashMap;
+import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import junit.framework.TestCase;
@@ -80,7 +85,7 @@
boolean result = wah.checkResourcePermission(contextMap,
request,
- null,
+ getDummyResponse(),
new Subject(),
"web.jar",
"/someuri");
@@ -103,11 +108,83 @@
boolean result = wah.checkResourcePermission(contextMap,
request,
- null,
+ getDummyResponse(),
new Subject(),
"web.jar",
"/someuri");
assertFalse("Invalid Web Authz", result);
}
+
+ private ServletResponse getDummyResponse()
+ {
+ return new ServletResponse()
+ {
+ public void flushBuffer() throws IOException
+ {
+ }
+
+ public int getBufferSize()
+ {
+ return 0;
+ }
+
+ public String getCharacterEncoding()
+ {
+ return null;
+ }
+
+ public String getContentType()
+ {
+ return null;
+ }
+
+ public Locale getLocale()
+ {
+ return null;
+ }
+
+ public ServletOutputStream getOutputStream() throws IOException
+ {
+ return null;
+ }
+
+ public PrintWriter getWriter() throws IOException
+ {
+ return null;
+ }
+
+ public boolean isCommitted()
+ {
+ return false;
+ }
+
+ public void reset()
+ {
+ }
+
+ public void resetBuffer()
+ {
+ }
+
+ public void setBufferSize(int arg0)
+ {
+ }
+
+ public void setCharacterEncoding(String arg0)
+ {
+ }
+
+ public void setContentLength(int arg0)
+ {
+ }
+
+ public void setContentType(String arg0)
+ {
+ }
+
+ public void setLocale(Locale arg0)
+ {
+ }};
+ }
}
\ No newline at end of file
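Review bot: The anonymous ServletResponse returned by getDummyResponse carries no comment explaining why it exists, and every accessor returns null or zero, which is surprising to read without that context; a one-line header such as `// Inert ServletResponse: the helper now rejects a null response, and these tests never write to it.` would make the intent clear, with "never write to it" to be confirmed since getWriter() and getOutputStream() return null. The `}};` on the last line of the stub closes both the anonymous class and the return statement; splitting it into `}` and `};` on separate lines would match the brace style used elsewhere in the hunk.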