Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-03-01 19:09:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2023: AccessControlListTag again supports bitmasks

Browse Source 
Spring Security 3.1 has a regression i the AccessControlListTag
which should support using the bitmask in hasPermission.

Now hasPermission supports bit masks again.
This commit is contained in:
Rob Winch 2012-08-02 09:42:59 -05:00
parent b481a6c1ad
commit 4b86d49a9a
2 changed files with 54 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
View File

@ -87,8 +87,8 @@ public class AccessControlListTag extends TagSupport {
return skipBody(); return skipBody();
} }
String[] requiredPermissions = hasPermission.split(","); List<Object> requiredPermissions = parseHasPermission(hasPermission);
for(String requiredPermission : requiredPermissions) { for(Object requiredPermission : requiredPermissions) {
if (!permissionEvaluator.hasPermission(authentication, domainObject, requiredPermission)) { if (!permissionEvaluator.hasPermission(authentication, domainObject, requiredPermission)) {
return skipBody(); return skipBody();
} }
@ -97,6 +97,19 @@ public class AccessControlListTag extends TagSupport {
return evalBody(); return evalBody();
} }
private List<Object> parseHasPermission(String hasPermission) {
String[] requiredPermissions = hasPermission.split(",");
List<Object> parsedPermissions = new ArrayList<Object>(requiredPermissions.length);
for(String permissionToParse : requiredPermissions) {
Object parsedPermission = permissionToParse;
try {
parsedPermission = Integer.parseInt(permissionToParse);
}catch(NumberFormatException notBitMask) {}
parsedPermissions.add(parsedPermission);
}
return parsedPermissions;
}
private int skipBody() { private int skipBody() {
if (var != null) { if (var != null) {
pageContext.setAttribute(var, Boolean.FALSE, PageContext.PAGE_SCOPE); pageContext.setAttribute(var, Boolean.FALSE, PageContext.PAGE_SCOPE);

39
taglibs/src/test/java/org/springframework/security/taglibs/authz/AccessControlListTagTests.java
View File

@ -100,6 +100,45 @@ public class AccessControlListTagTests {
verifyNoMoreInteractions(pe); verifyNoMoreInteractions(pe);
} }
// SEC-2023
@Test
public void hasPermissionsBitMaskSupported() throws Exception {
Object domainObject = new Object();
when(pe.hasPermission(bob, domainObject, 1)).thenReturn(true);
when(pe.hasPermission(bob, domainObject, 2)).thenReturn(true);
tag.setDomainObject(domainObject);
tag.setHasPermission("1,2");
tag.setVar("allowed");
assertSame(domainObject, tag.getDomainObject());
assertEquals("1,2", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean)pageContext.getAttribute("allowed"));
verify(pe).hasPermission(bob, domainObject, 1);
verify(pe).hasPermission(bob, domainObject, 2);
verifyNoMoreInteractions(pe);
}
@Test
public void hasPermissionsMixedBitMaskSupported() throws Exception {
Object domainObject = new Object();
when(pe.hasPermission(bob, domainObject, 1)).thenReturn(true);
when(pe.hasPermission(bob, domainObject, "WRITE")).thenReturn(true);
tag.setDomainObject(domainObject);
tag.setHasPermission("1,WRITE");
tag.setVar("allowed");
assertSame(domainObject, tag.getDomainObject());
assertEquals("1,WRITE", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean)pageContext.getAttribute("allowed"));
verify(pe).hasPermission(bob, domainObject, 1);
verify(pe).hasPermission(bob, domainObject, "WRITE");
verifyNoMoreInteractions(pe);
}
@Test @Test
public void bodyIsSkippedIfAclDeniesAccess() throws Exception { public void bodyIsSkippedIfAclDeniesAccess() throws Exception {
Object domainObject = new Object(); Object domainObject = new Object();