SEC-2023: AccessControlListTag again supports bitmasks

Spring Security 3.1 has a regression i the AccessControlListTag which should support using the bitmask in hasPermission. Now hasPermission supports bit masks again.
2025-03-01 10:59:16 +00:00 · 2012-08-02 09:42:59 -05:00 · 2012-08-02 09:42:59 -05:00 · 4b86d49a9a
commit 4b86d49a9a
parent b481a6c1ad
2 changed files with 54 additions and 2 deletions
--- a/taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
+++ b/taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
@ -87,8 +87,8 @@ public class AccessControlListTag extends TagSupport {
            return skipBody();
        }

-        String[] requiredPermissions = hasPermission.split(",");
-        for(String requiredPermission : requiredPermissions) {
+        List<Object> requiredPermissions = parseHasPermission(hasPermission);
+        for(Object requiredPermission : requiredPermissions) {
            if (!permissionEvaluator.hasPermission(authentication, domainObject, requiredPermission)) {
                return skipBody();
            }
@ -97,6 +97,19 @@ public class AccessControlListTag extends TagSupport {
        return evalBody();
    }

+    private List<Object> parseHasPermission(String hasPermission) {
+        String[] requiredPermissions = hasPermission.split(",");
+        List<Object> parsedPermissions = new ArrayList<Object>(requiredPermissions.length);
+        for(String permissionToParse : requiredPermissions) {
+            Object parsedPermission = permissionToParse;
+            try {
+                parsedPermission = Integer.parseInt(permissionToParse);
+            }catch(NumberFormatException notBitMask) {}
+            parsedPermissions.add(parsedPermission);
+        }
+        return parsedPermissions;
+    }
+
    private int skipBody() {
        if (var != null) {
            pageContext.setAttribute(var, Boolean.FALSE, PageContext.PAGE_SCOPE);
--- a/taglibs/src/test/java/org/springframework/security/taglibs/authz/AccessControlListTagTests.java
+++ b/taglibs/src/test/java/org/springframework/security/taglibs/authz/AccessControlListTagTests.java
@ -100,6 +100,45 @@ public class AccessControlListTagTests {
        verifyNoMoreInteractions(pe);
    }

+    // SEC-2023
+    @Test
+    public void hasPermissionsBitMaskSupported() throws Exception {
+        Object domainObject = new Object();
+        when(pe.hasPermission(bob, domainObject, 1)).thenReturn(true);
+        when(pe.hasPermission(bob, domainObject, 2)).thenReturn(true);
+
+        tag.setDomainObject(domainObject);
+        tag.setHasPermission("1,2");
+        tag.setVar("allowed");
+        assertSame(domainObject, tag.getDomainObject());
+        assertEquals("1,2", tag.getHasPermission());
+
+        assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
+        assertTrue((Boolean)pageContext.getAttribute("allowed"));
+        verify(pe).hasPermission(bob, domainObject, 1);
+        verify(pe).hasPermission(bob, domainObject, 2);
+        verifyNoMoreInteractions(pe);
+    }
+
+    @Test
+    public void hasPermissionsMixedBitMaskSupported() throws Exception {
+        Object domainObject = new Object();
+        when(pe.hasPermission(bob, domainObject, 1)).thenReturn(true);
+        when(pe.hasPermission(bob, domainObject, "WRITE")).thenReturn(true);
+
+        tag.setDomainObject(domainObject);
+        tag.setHasPermission("1,WRITE");
+        tag.setVar("allowed");
+        assertSame(domainObject, tag.getDomainObject());
+        assertEquals("1,WRITE", tag.getHasPermission());
+
+        assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
+        assertTrue((Boolean)pageContext.getAttribute("allowed"));
+        verify(pe).hasPermission(bob, domainObject, 1);
+        verify(pe).hasPermission(bob, domainObject, "WRITE");
+        verifyNoMoreInteractions(pe);
+    }
+
    @Test
    public void bodyIsSkippedIfAclDeniesAccess() throws Exception {
        Object domainObject = new Object();