[jbosstools-issues] [JBoss JIRA] (JBIDE-23173) Missing validation of @SecurityParameterBinding
Lukáš Valach (JIRA)
issues at jboss.org
Thu Sep 15 08:56:00 EDT 2016
Lukáš Valach created JBIDE-23173:
------------------------------------
Summary: Missing validation of @SecurityParameterBinding
Key: JBIDE-23173
URL: https://issues.jboss.org/browse/JBIDE-23173
Project: Tools (JBoss Tools)
Issue Type: Bug
Components: cdi-extensions
Affects Versions: 4.4.1.Final
Reporter: Lukáš Valach
Attachments: SecurityBindingType-Log.txt, securityParameterBinding.zip
The CDI extension DeltaSpike allows creating custom @SecurityParameterBinding types.
These types allow injecting parameter values from the method invocation into the authorizer bean. (See [documentation of Deltaspike/Security Module|https://deltaspike.apache.org/documentation/security.html#Simpleinterceptor-styleauthorization]).
When I create my own security parameter
{code:java}
@SecurityParameterBinding
public @interface MySecurityParameter {
}
{code}
...and authorizer
{code:java}
public class CustomAuthorizer {
    @Secures
    @CustomSecurityBinding()
    public boolean check(@MySecurityParameter String parameter) {
        return true;
    }
}
{code}
...then I can secure some methods, but these methods must have an appropriate input parameter with the correct type and with the annotation
{code:java}
public class SecuredBean {
    // OK
    @CustomSecurityBinding()
    public SecuredBean doSomething(@MySecurityParameter String parameter) {
        return null;
    }

    // Not-OK (Missing @MySecurityParameter annotation)
    @CustomSecurityBinding()
    public SecuredBean doSomething2(String parameter) {
        return null;
    }

    // Not-OK (Bad type - Integer)
    @CustomSecurityBinding()
    public SecuredBean doSomething3(@MySecurityParameter Integer parameter) {
        return null;
    }
}
{code}
Methods doSomething2 and doSomething3 cause an exception "SecurityDefinitionException: No matching authorizer found for security". The validator doesn't detect any problems.
The attached project can be used to reproduce this issue [^securityParameterBinding.zip].
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
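
The check this ticket asks the validator to perform, sketched with runtime reflection as an added example (not code from the ticket, JBoss Tools or DeltaSpike). The nested annotations are stand-ins so the file compiles without DeltaSpike, the class name BindingCheck and the helpers supplies/validate are hypothetical, and the matching rule (same binding annotation, assignable parameter type) is an assumption taken from the ticket's description.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class BindingCheck {
    // Stand-ins (assumption) for the DeltaSpike and ticket annotations.
    @Retention(RetentionPolicy.RUNTIME) @interface SecurityParameterBinding {}
    @Retention(RetentionPolicy.RUNTIME) @interface Secures {}
    @Retention(RetentionPolicy.RUNTIME) @interface CustomSecurityBinding {}
    @Retention(RetentionPolicy.RUNTIME) @SecurityParameterBinding @interface MySecurityParameter {}

    static class CustomAuthorizer {
        @Secures @CustomSecurityBinding
        public boolean check(@MySecurityParameter String parameter) { return true; }
    }
    static class SecuredBean {
        @CustomSecurityBinding public SecuredBean doSomething(@MySecurityParameter String p) { return null; }
        @CustomSecurityBinding public SecuredBean doSomething2(String p) { return null; }
        @CustomSecurityBinding public SecuredBean doSomething3(@MySecurityParameter Integer p) { return null; }
    }

    // True if the secured method has a parameter carrying `binding` whose type the authorizer accepts.
    static boolean supplies(Method secured, Class<? extends Annotation> binding, Class<?> wanted) {
        for (Parameter p : secured.getParameters())
            if (p.isAnnotationPresent(binding) && wanted.isAssignableFrom(p.getType())) return true;
        return false;
    }

    // One problem per secured method that cannot feed a bound authorizer parameter.
    static List<String> validate(Class<?> authorizer, Class<?> bean, Class<? extends Annotation> secBinding) {
        List<String> problems = new ArrayList<>();
        for (Method auth : authorizer.getDeclaredMethods()) {
            if (!auth.isAnnotationPresent(Secures.class) || !auth.isAnnotationPresent(secBinding)) continue;
            for (Method m : bean.getDeclaredMethods()) {
                if (!m.isAnnotationPresent(secBinding)) continue;
                for (Parameter ap : auth.getParameters())
                    for (Annotation a : ap.getAnnotations())
                        if (a.annotationType().isAnnotationPresent(SecurityParameterBinding.class)
                                && !supplies(m, a.annotationType(), ap.getType()))
                            problems.add(m.getName() + ": no @" + a.annotationType().getSimpleName()
                                    + " parameter assignable to " + ap.getType().getSimpleName());
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        validate(CustomAuthorizer.class, SecuredBean.class, CustomSecurityBinding.class)
                .forEach(System.out::println);
    }
}
```

Run as a unit test or at startup, a check of this shape surfaces the mismatch before the first secured call fails with SecurityDefinitionException; an IDE validator would apply the same rule to the source model instead of loaded classes.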