[seam-issues] [JBoss JIRA] (SEAM-102) Discrepancies in User and Group management API in Seam Security 3

Luca Cavagnoli (Created) (JIRA) jira-events at lists.jboss.org
Tue Oct 4 21:28:15 EDT 2011


Discrepancies in User and Group management API in Seam Security 3
-----------------------------------------------------------------

                 Key: SEAM-102
                 URL: https://issues.jboss.org/browse/SEAM-102
             Project: Seam 3 Distribution
          Issue Type: Bug
    Affects Versions: 3.0.0.Final
         Environment: Seam 3.1.0.Beta2
JBoss AS 7
            Reporter: Luca Cavagnoli
            Priority: Minor


The method:
{code:java}
Group groupName = pm.createGroup("Group name", "Group type");
{code}
just adds a row in IdentityObject with the following values:
{code:sql}
('Group name', SELECT id FROM IdentityObjectType WHERE name = 'Group type')
{code}
If IdentityObjectType doesn't already have a row with name = "Group type", the IDENTITY_OBJECT_TYPE_ID in the new IdentityObject row is set to null, instead of adding a new row in IdentityObjectType for the new group type.

The method 
{code:java}
PersistenceManager.createGroup(String groupName, String groupType)
{code}
can also be abused by creating a group with 'USER' as groupType, even though 'USER' was the identity object type chosen to represent users, not groups.

The method
{code:java}
Collection<Group> PersistenceManager.findGroup(String groupType)
{code}
performs no check on the groupType parameter. One could invoke it as follows:
{code:java}
findGroup("USER")
{code}
and the result would be a list of groups which are actually users.

'USER' should be excluded from the list of types that are searched for.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
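
One way to guard the two calls described in this report, as an added example that is not Seam Security code and not part of the original message: an in-memory model of the IdentityObjectType and IdentityObject tables with an unchecked and a checked group-creation path. The class, its methods and the sample rows are hypothetical, and the case-insensitive match on 'USER' is an assumption.

```java
import java.util.*;

// Added illustration: in-memory stand-in for the IdentityObjectType / IdentityObject
// tables named in the report. Not Seam Security code; all names here are hypothetical.
public class GroupTypeGuardDemo {
    static final String USER_TYPE = "USER";                     // reserved for users, per the report
    static final Map<String, Integer> types = new HashMap<>();  // IdentityObjectType: name -> id
    static final List<Object[]> objects = new ArrayList<>();    // IdentityObject: {name, typeId}

    // Behaviour described in the report: the type is looked up, never validated or created.
    static void createGroupUnchecked(String name, String type) {
        objects.add(new Object[] { name, types.get(type) });    // typeId is null if the type row is missing
    }

    // Guarded variant: reject the reserved type and create the type row when it is absent.
    static void createGroup(String name, String type) {
        requireGroupType(type);
        Integer id = types.get(type);
        if (id == null) { id = types.size() + 1; types.put(type, id); }
        objects.add(new Object[] { name, id });
    }

    // Guarded lookup: the reserved user type can never be searched as a group type.
    static List<String> findGroups(String type) {
        requireGroupType(type);
        List<String> out = new ArrayList<>();
        Integer id = types.get(type);
        if (id == null) return out;                             // unknown type: no groups
        for (Object[] row : objects) if (id.equals(row[1])) out.add((String) row[0]);
        return out;
    }

    // Assumption: 'USER' is matched case-insensitively after trimming.
    static void requireGroupType(String type) {
        if (type == null || type.trim().isEmpty() || USER_TYPE.equalsIgnoreCase(type.trim()))
            throw new IllegalArgumentException("not a valid group type: " + type);
    }

    public static void main(String[] args) {
        types.put(USER_TYPE, 1);
        objects.add(new Object[] { "alice", 1 });               // constructed sample user row
        createGroupUnchecked("Group name", "Group type");       // reproduces the null type id
        System.out.println("unchecked type id: " + objects.get(1)[1]);
        createGroup("admins", "Head Office");                   // type row is created on demand
        System.out.println("groups: " + findGroups("Head Office"));
        try { findGroups("USER"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```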

        

