[jboss-jira] [JBoss JIRA] (WFCORE-1448) AttributeParser for ObjectListAttributeDefinitions doesn't differentiate between empty and absent object lists

Brian Stansberry (JIRA) issues at jboss.org
Tue May 10 16:00:01 EDT 2016 

     [ https://issues.jboss.org/browse/WFCORE-1448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Stansberry updated WFCORE-1448:
-------------------------------------
    Fix Version/s: 2.2.0.CR1


> AttributeParser for ObjectListAttributeDefinitions doesn't differentiate between empty and absent object lists
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-1448
>                 URL: https://issues.jboss.org/browse/WFCORE-1448
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management
>    Affects Versions: 2.1.0.Final
>            Reporter: Tomaz Cerar
>            Assignee: Tomaz Cerar
>             Fix For: 2.2.0.CR1, 3.0.0.Alpha1
>
>
> Attributes of type ObjectList are left undefined when their enclosing element is empty, which makes it impossible to differentiate an empty object list from an unspecified one.
> The ability to distinguish the two scenarios is important in the security manager subsystem. Consider this configuration:
> {code:xml}
> <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
>     <deployment-permissions>
>         <mininum-set>
>              ....
>         </minimum-set>
>     </deployment-permissions>
> </subsystem>
> {code}
> The maximum-set is absent and this case we want to use a default set with AllPermission. Now consider another configuration:
> {code:xml}
> <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
>     <deployment-permissions>
>         <mininum-set/>
>         <maximum-set/>
>     </deployment-permissions>
> </subsystem>
> {code}
> In this case, maximum-set has been specified but it is empty, which means the admin/user deliberately wants to use an emtpy set, possibly to enforce that no deployments with special permissions requirements get deployed.
> The problem is that both scenarios result in an undefined attribute for the maximum-set, which means that the default AllPermission set ends up being used in both cases. The parser doesn't initialize the attribute with an empty list when the enclosing element is present but is empty. So in the end, both approaches result in an undefined attribute.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list