[jbosstools-issues] [JBoss JIRA] (JBIDE-23173) Missing validation of @SecurityParameterBinding

Lukáš Valach (JIRA) issues at jboss.org
Thu Sep 15 08:56:00 EDT 2016


Lukáš Valach created JBIDE-23173:
------------------------------------

             Summary: Missing validation of @SecurityParameterBinding
                 Key: JBIDE-23173
                 URL: https://issues.jboss.org/browse/JBIDE-23173
             Project: Tools (JBoss Tools)
          Issue Type: Bug
          Components: cdi-extensions
    Affects Versions: 4.4.1.Final
            Reporter: Lukáš Valach
         Attachments: SecurityBindingType-Log.txt, securityParameterBinding.zip

The CDI extension DeltaSpike allows creating custom @SecurityParameterBinding types.
These types allow injecting parameter values from the method invocation into the authorizer bean. (See the [documentation of the DeltaSpike Security Module|https://deltaspike.apache.org/documentation/security.html#Simpleinterceptor-styleauthorization].)

When I create my own security parameter
{code:java}
import java.lang.annotation.*;
import org.apache.deltaspike.security.api.authorization.SecurityParameterBinding;

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
@SecurityParameterBinding
public @interface MySecurityParameter {
}
{code}

...and authorizer
{code:java}
import org.apache.deltaspike.security.api.authorization.Secures;

public class CustomAuthorizer {

    @Secures
    @CustomSecurityBinding
    public boolean check(@MySecurityParameter String parameter) {
        return true;
    }
}
{code}

...then I can secure some methods, but these methods must have an appropriate input parameter with the correct type and with the annotation:

{code:java}
public class SecuredBean {

    // OK
    @CustomSecurityBinding
    public SecuredBean doSomething(@MySecurityParameter String parameter) {
        return null;
    }

    // Not OK (missing @MySecurityParameter annotation)
    @CustomSecurityBinding
    public SecuredBean doSomething2(String parameter) {
        return null;
    }

    // Not OK (bad type: Integer)
    @CustomSecurityBinding
    public SecuredBean doSomething3(@MySecurityParameter Integer parameter) {
        return null;
    }
}
{code}

Methods doSomething2 and doSomething3 cause the exception "SecurityDefinitionException: No matching authorizer found for security". The validator doesn't detect any problems.

The attached project can be used to reproduce this issue [^securityParameterBinding.zip].





--
This message was sent by Atlassian JIRA
(v6.4.11#64026)



More information about the jbosstools-issues mailing list
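The check the report asks the validator for can be stated as a standalone reflection test over the compiled classes: for every method carrying a @SecurityBindingType annotation, look up the @Secures method with the same binding, collect the @SecurityParameterBinding-annotated parameters that authorizer declares, and confirm the secured method supplies each of them with a compatible type. The code below is an added example written for this page; it is not the attached project, the JBoss Tools validator, or DeltaSpike's own matching code. It assumes the DeltaSpike 1.x API package org.apache.deltaspike.security.api.authorization (Secures, SecurityBindingType, SecurityParameterBinding) and approximates "correct type" with isAssignableFrom from the authorizer's parameter type, which is an assumption about how strict such a check should be, not a statement of DeltaSpike's exact rule. The demo types are constructed to mirror the report.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.apache.deltaspike.security.api.authorization.Secures;
import org.apache.deltaspike.security.api.authorization.SecurityBindingType;
import org.apache.deltaspike.security.api.authorization.SecurityParameterBinding;

public class ParameterBindingCheck {

    // Constructed demo types mirroring the report (not the attached project).
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @SecurityBindingType
    @interface CustomSecurityBinding {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @SecurityParameterBinding
    @interface MySecurityParameter {}

    static class CustomAuthorizer {
        @Secures @CustomSecurityBinding
        public boolean check(@MySecurityParameter String parameter) { return true; }
    }

    static class SecuredBean {
        @CustomSecurityBinding public Object doSomething(@MySecurityParameter String p) { return null; }
        @CustomSecurityBinding public Object doSomething2(String p) { return null; }          // missing annotation
        @CustomSecurityBinding public Object doSomething3(@MySecurityParameter Integer p) { return null; } // wrong type
    }

    /** Security parameter bindings of a method: binding annotation type -> declared Java type of that parameter. */
    static Map<Class<? extends Annotation>, Class<?>> parameterBindings(Method m) {
        Map<Class<? extends Annotation>, Class<?>> out = new LinkedHashMap<>();
        for (Parameter p : m.getParameters()) {
            for (Annotation a : p.getAnnotations()) {
                if (a.annotationType().isAnnotationPresent(SecurityParameterBinding.class)) {
                    out.put(a.annotationType(), p.getType());
                }
            }
        }
        return out;
    }

    /** The @Secures method of the authorizer class that carries the given binding type, or null if none. */
    static Method findAuthorizer(Class<?> authorizerClass, Class<? extends Annotation> bindingType) {
        for (Method m : authorizerClass.getDeclaredMethods()) {
            if (m.isAnnotationPresent(Secures.class) && m.isAnnotationPresent(bindingType)) {
                return m;
            }
        }
        return null;
    }

    /**
     * Static check: every secured method must supply each security parameter its authorizer
     * declares, with a type the authorizer parameter can accept (assumption: isAssignableFrom).
     * Returns one message per problem; an empty list means the bean is consistent.
     */
    static List<String> validate(Class<?> authorizerClass, Class<?> securedClass) {
        List<String> problems = new ArrayList<>();
        for (Method secured : securedClass.getDeclaredMethods()) {
            for (Annotation binding : secured.getAnnotations()) {
                Class<? extends Annotation> bindingType = binding.annotationType();
                if (!bindingType.isAnnotationPresent(SecurityBindingType.class)) continue;
                Method authorizer = findAuthorizer(authorizerClass, bindingType);
                if (authorizer == null) {
                    problems.add(secured.getName() + ": no @Secures method for @" + bindingType.getSimpleName());
                    continue;
                }
                Map<Class<? extends Annotation>, Class<?>> provided = parameterBindings(secured);
                for (Map.Entry<Class<? extends Annotation>, Class<?>> required : parameterBindings(authorizer).entrySet()) {
                    String name = required.getKey().getSimpleName();
                    Class<?> actual = provided.get(required.getKey());
                    if (actual == null) {
                        problems.add(secured.getName() + ": missing parameter annotated @" + name);
                    } else if (!required.getValue().isAssignableFrom(actual)) {
                        problems.add(secured.getName() + ": @" + name + " is " + actual.getSimpleName()
                                + ", authorizer expects " + required.getValue().getSimpleName());
                    }
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Expected: one message for doSomething2 and one for doSomething3; doSomething passes.
        List<String> problems = validate(CustomAuthorizer.class, SecuredBean.class);
        if (problems.isEmpty()) System.out.println("OK");
        for (String p : problems) System.out.println(p);
    }
}
```

Running the check against the compiled classes turns the runtime SecurityDefinitionException from the report into a build-time message naming the offending method, which is the same information an IDE validator would surface as a marker; an IDE implementation would do the equivalent walk over the Java model rather than reflection.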