[seam-issues] [JBoss JIRA] (SEAMSECURITY-108) Discrepancies in User and Group management API in Seam Security 3

Luca Cavagnoli (Issue Comment Edited) (JIRA) jira-events at lists.jboss.org
Wed Oct 5 19:48:16 EDT 2011


    [ https://issues.jboss.org/browse/SEAMSECURITY-108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12632614#comment-12632614 ] 

Luca Cavagnoli edited comment on SEAMSECURITY-108 at 10/5/11 7:47 PM:
----------------------------------------------------------------------

I explored the source code and I found this:

The method

{code:java}
org.picketlink.idm.api.Group org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl.createGroup(String groupName, String groupType)
{code}

tries to find the Identity Object Type "groupType" with the following instruction:

{code:java}
IdentityObjectType iot = getIdentityObjectType(groupType);
{code}

Which causes a call to:

{code:java}
org.picketlink.idm.spi.model.IdentityObjectType org.picketlink.idm.impl.api.session.mapper.IdentityObjectTypeMapperImpl.getIdentityObjectType(String groupType)
{code}

This method matches the given groupType against a Map representing the existing group types. If no match is found, it returns null.

After that, PersistenceManagerImpl has the following line:

{code:java}
IdentityObject identityObject = getRepository().createIdentityObject(getInvocationContext(), groupName, iot);
{code}

with a null "iot" parameter.

What I find weird is that the following line in JpaIdentityStore:

{code:java}
typeProp.setValue(identityInstance, identityObjectType.getName());
{code}

doesn't throw a NullPointerException.
                
      was (Author: lucaster):
    I explored the source code and I found this:

The method

{code:java}
org.picketlink.idm.api Group org.picketlink.idm.impl.api.session.managers.PersistenceManagerImpl.createGroup(String groupName, String groupType) 
{code}

tries to find the Identity Object Type "groupType" with the following instruction:

{code:java}IdentityObjectType iot = getIdentityObjectType(groupType);{code:java}

Which causes a call to:

org.picketlink.idm.impl.api.session.mapper

{code:java}
org.picketlink.idm.spi.model IdentityObjectType org.picketlink.idm.impl.api.session.mapper.IdentityObjectTypeMapperImpl.getIdentityObjectType(String groupType)
{code}

Which matches the given groupType against a Map representing the existing group types. If no match is found, it returns null.

After that, PersistenceManagerImpl has the following line:

{code:java}
IdentityObject identityObject = getRepository().createIdentityObject(getInvocationContext(), groupName, iot);
{code}

with a nul "iot" parameter.

What I find weird is that the following line in JpaIdentityStore:

{code:java}
typeProp.setValue(identityInstance, identityObjectType.getName());
{code}

doesn't throw a NullPointerException.
                  
> Discrepancies in User and Group management API in Seam Security 3
> -----------------------------------------------------------------
>
>                 Key: SEAMSECURITY-108
>                 URL: https://issues.jboss.org/browse/SEAMSECURITY-108
>             Project: Seam Security
>          Issue Type: Bug
>    Affects Versions: 3.1.0.Beta3
>         Environment: Seam 3.1.0.Beta2
> JBoss AS 7
> idmconsole
>            Reporter: Luca Cavagnoli
>            Assignee: Shane Bryzak
>            Priority: Minor
>              Labels: idmconsole, picketlink, seam-security
>
> The method:
> {code:java}
> Group groupName = pm.createGroup("Group name", "Group type");
> {code}
> just adds a row in IdentityObject with the following values:
> {code:sql}
> ('Group name', (SELECT id FROM IdentityObjectType WHERE name = 'Group type'))
> {code}
> If IdentityObjectType doesn't already have a row with name = "Group type", the IDENTITY_OBJECT_TYPE_ID in the new IdentityObject row is set to null, instead of a new row being added to IdentityObjectType for the new group type.
> The method 
> {code:java}
> PersistenceManager.createGroup(String groupName, String groupType)
> {code}
> can also be abused by creating a group with 'USER' as groupType, even though 'USER' was the identity object type chosen to represent users, not groups.
> The method
> {code:java}
> Collection<Group> PersistenceManager.findGroup(String groupType)
> {code}
> performs no check about the groupType parameter. One could invoke it as follows:
> {code:java}
> findGroup("USER")
> {code}
> and the result would be a list of groups which are actually users.
> 'USER' should be excluded from the list of types that are searched for.
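Added example (not PicketLink or Seam code): a hypothetical guard in front of PersistenceManager that rejects the two inputs the issue and the comment describe, an unknown groupType (which the mapper turns into a null IdentityObjectType and the store persists as a null type id) and the user type passed where a group type is expected. It assumes the PicketLink IDM 1.x signatures quoted above, createGroup(String, String) and findGroup(String), plus the import paths for PersistenceManager and IdentityException; the set of known group types is configuration supplied by the caller.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Set;

import org.picketlink.idm.api.Group;
import org.picketlink.idm.api.PersistenceManager;
import org.picketlink.idm.common.exception.IdentityException;

/**
 * Hypothetical guard around PersistenceManager (example code, not part of
 * PicketLink or Seam). The checks run before the type lookup that would
 * otherwise yield null, so no IdentityObject row is created with a null
 * IDENTITY_OBJECT_TYPE_ID and the user type is never treated as a group type.
 */
public class GuardedGroupManager {

    private final PersistenceManager pm;
    private final Set<String> knownGroupTypes; // configured group types, supplied by the caller
    private final String userType;             // the type representing users, "USER" in the issue

    public GuardedGroupManager(PersistenceManager pm, Set<String> knownGroupTypes, String userType) {
        this.pm = pm;
        this.knownGroupTypes = Collections.unmodifiableSet(knownGroupTypes);
        this.userType = userType;
    }

    /** Fails fast on a type that must not reach the identity store as a group type. */
    private void requireGroupType(String groupType) {
        if (groupType == null || groupType.trim().isEmpty()) {
            throw new IllegalArgumentException("groupType must not be empty");
        }
        if (groupType.equals(userType)) {
            throw new IllegalArgumentException(
                "'" + userType + "' is the user identity object type and cannot be used for groups");
        }
        if (!knownGroupTypes.contains(groupType)) {
            throw new IllegalArgumentException("unknown group type: " + groupType);
        }
    }

    public Group createGroup(String groupName, String groupType) throws IdentityException {
        requireGroupType(groupType);
        return pm.createGroup(groupName, groupType);
    }

    public Collection<Group> findGroup(String groupType) throws IdentityException {
        requireGroupType(groupType);
        return pm.findGroup(groupType);
    }
}
```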

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira