[jbosstools-issues] [JBoss JIRA] (JBIDE-23173) Missing validation of @SecurityParameterBinding

Jeff MAURY (JIRA) issues at jboss.org
Wed Apr 18 12:13:11 EDT 2018


     [ https://issues.jboss.org/browse/JBIDE-23173?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff MAURY updated JBIDE-23173:
-------------------------------
    Fix Version/s: 4.6.x
                       (was: 4.5.x)


> Missing validation of @SecurityParameterBinding
> -----------------------------------------------
>
>                 Key: JBIDE-23173
>                 URL: https://issues.jboss.org/browse/JBIDE-23173
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: cdi-extensions
>    Affects Versions: 4.4.1.Final
>            Reporter: Lukáš Valach
>             Fix For: 4.6.x
>
>         Attachments: SecurityBindingType-Log.txt, securityParameterBinding.zip
>
>
> The CDI extension DeltaSpike allows creating custom @SecurityParameterBinding types.
> These types allow injecting parameter values from the method invocation into the authorizer bean. (See [documentation of Deltaspike/Security Module|https://deltaspike.apache.org/documentation/security.html#Simpleinterceptor-styleauthorization]).
> When I create my own security parameter
> {code:java}
> @SecurityParameterBinding
> public @interface MySecurityParameter {
> }
> {code}
> ...and authorizer
> {code:java}
> public class CustomAuthorizer {
>     
>     @Secures
>     @CustomSecurityBinding()
>     public boolean check(@MySecurityParameter String parameter) {       
>         return true;
>     }
> }
> {code}
> ...then I can secure some methods, but these methods must have an appropriate input parameter with the correct type and with the annotation
> {code:java}
> public class SecuredBean {
>     // OK
>     @CustomSecurityBinding()
>     public SecuredBean doSomething(@MySecurityParameter String parameter) {
>         return null;
>     }
>
>     // Not-OK (Missing @MySecurityParameter annotation)
>     @CustomSecurityBinding()
>     public SecuredBean doSomething2(String parameter) {
>         return null;
>     }
>
>     // Not-OK (Bad type - Integer)
>     @CustomSecurityBinding()
>     public SecuredBean doSomething3(@MySecurityParameter Integer parameter) {
>         return null;
>     }
> }
> {code}
> Methods doSomething2 and doSomething3 cause an exception "SecurityDefinitionException: No matching authorizer found for security". The validator doesn't detect any problems.
> The attached project can be used to reproduce this issue [^securityParameterBinding.zip].



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
