[jbosstools-issues] [JBoss JIRA] (JBIDE-23173) Missing validation of @SecurityParameterBinding
Dmitrii Bocharov (JIRA)
issues at jboss.org
Wed Aug 16 11:20:09 EDT 2017
[ https://issues.jboss.org/browse/JBIDE-23173?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dmitrii Bocharov updated JBIDE-23173:
-------------------------------------
Fix Version/s: 4.5.x
(was: 4.4.x)
> Missing validation of @SecurityParameterBinding
> -----------------------------------------------
>
> Key: JBIDE-23173
> URL: https://issues.jboss.org/browse/JBIDE-23173
> Project: Tools (JBoss Tools)
> Issue Type: Bug
> Components: cdi-extensions
> Affects Versions: 4.4.1.Final
> Reporter: Lukáš Valach
> Fix For: 4.5.x
>
> Attachments: SecurityBindingType-Log.txt, securityParameterBinding.zip
>
>
> The CDI extension DeltaSpike allows creating custom @SecurityParameterBinding types.
> These types allow injecting parameter values from the method invocation into the authorizer bean. (See [documentation of Deltaspike/Security Module|https://deltaspike.apache.org/documentation/security.html#Simpleinterceptor-styleauthorization]).
> When I create my own security parameter
> {code:java}
> @SecurityParameterBinding
> public @interface MySecurityParameter {
> }
> {code}
> ...and authorizer
> {code:java}
> public class CustomAuthorizer {
>
>     @Secures
>     @CustomSecurityBinding()
>     public boolean check(@MySecurityParameter String parameter) {
>         return true;
>     }
> }
> {code}
> ...then I can secure some methods, but these methods must have an appropriate input parameter with the correct type and with the annotation
> {code:java}
> public class SecuredBean {
>     //OK
>     @CustomSecurityBinding()
>     public SecuredBean doSomething(@MySecurityParameter String parameter) {
>         return null;
>     }
>
>     //Not-OK (Missing @MySecurityParameter annotation)
>     @CustomSecurityBinding()
>     public SecuredBean doSomething2(String parameter) {
>         return null;
>     }
>
>     //Not-OK (Bad type - Integer)
>     @CustomSecurityBinding()
>     public SecuredBean doSomething3(@MySecurityParameter Integer parameter) {
>         return null;
>     }
> }
> {code}
> Methods doSomething 2 and 3 cause an exception "SecurityDefinitionException: No matching authorizer found for security". Validator doesn't detect any problems.
> The attached project can be used to reproduce this issue [^securityParameterBinding.zip].
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)