[jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-2423) checkEntityPermission only checks one method
Shane Bryzak (JIRA)
jira-events at lists.jboss.org
Sun Feb 3 22:31:03 EST 2008
[ http://jira.jboss.com/jira/browse/JBSEAM-2423?page=all ]
Shane Bryzak reassigned JBSEAM-2423:
------------------------------------
Assignee: Shane Bryzak
> checkEntityPermission only checks one method
> --------------------------------------------
>
> Key: JBSEAM-2423
> URL: http://jira.jboss.com/jira/browse/JBSEAM-2423
> Project: JBoss Seam
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.0.1.CR1
> Environment: JPA on tomcat6
> Reporter: Andrew
> Assigned To: Shane Bryzak
> Priority: Critical
>
> If an entity has more than one method marked as @PrePersist, only one method is used to check for security. All methods should be considered and the result "anded" together.
> Code in the Identity bean only checks for a @Restrict on the first method found. In my case, I extend an object with a @PrePersist with no @Restrict. My entity has a method:
> @PrePersist @PreUpdate @PreRemove @Restrict
> public void beforeChange() {}
> (everything is restricted except for read access)
> According to the PrePersist documentation, multiple PrePersist methods are valid. There are workarounds, but this is dangerous code. If it were not for my unit tests it could have slipped through. The seam documentation does not mention this limitation
> I marked this as critical as it creates security holes in the application.
> Here is the relevant code:
> public void checkEntityPermission(Object entity, EntityAction action)
> {
> isLoggedIn(true);
>
> PersistenceProvider provider = PersistenceProvider.instance();
> Class beanClass = provider.getBeanClass(entity);
>
> if (beanClass != null)
> {
> String name = Seam.getComponentName(entity.getClass());
> if (name == null) name = beanClass.getName();
>
> Method m = null;
> switch (action)
> {
> case READ:
> m = provider.getPostLoadMethod(beanClass);
> break;
> case INSERT:
> m = provider.getPrePersistMethod(beanClass);
> break;
> case UPDATE:
> m = provider.getPreUpdateMethod(beanClass);
> break;
> case DELETE:
> m = provider.getPreRemoveMethod(beanClass);
> }
>
> Restrict restrict = null;
>
> if (m != null && m.isAnnotationPresent(Restrict.class))
> {
> restrict = m.getAnnotation(Restrict.class);
> }
> else if (entity.getClass().isAnnotationPresent(Restrict.class))
> {
> restrict = entity.getClass().getAnnotation(Restrict.class);
> }
> if (restrict != null)
> {
> if (Strings.isEmpty(restrict.value()))
> {
> checkPermission(name, action.toString(), entity);
> }
> else
> {
> checkRestriction(restrict.value());
> }
> }
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list