Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-06 18:52:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2022: AccessControlListTag again supports , separated list of permissions

Browse Source 
Spring Security 3.0.x allowed developers to pass in a , separated list of permissions.
However, this functionality was accidentally removed in SEC-1560.

The AcessControlListTag now splits the permissions using , as a delimiter
which fixes this passivity issue.
This commit is contained in:
Rob Winch 2012-08-02 09:02:44 -05:00
parent e6593151fc
commit b481a6c1ad
2 changed files with 43 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
View File

@ -18,6 +18,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.taglibs.TagLibConfig; import org.springframework.security.taglibs.TagLibConfig;
import org.springframework.web.context.support.WebApplicationContextUtils; import org.springframework.web.context.support.WebApplicationContextUtils;
@ -43,6 +44,7 @@ import java.util.*;
* *
* @author Ben Alex * @author Ben Alex
* @author Luke Taylor * @author Luke Taylor
* @author Rob Winch
*/ */
public class AccessControlListTag extends TagSupport { public class AccessControlListTag extends TagSupport {
//~ Static fields/initializers ===================================================================================== //~ Static fields/initializers =====================================================================================
@ -75,7 +77,8 @@ public class AccessControlListTag extends TagSupport {
return evalBody(); return evalBody();
} }
if (SecurityContextHolder.getContext().getAuthentication() == null) { Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug( logger.debug(
"SecurityContextHolder did not return a non-null Authentication object, so skipping tag body"); "SecurityContextHolder did not return a non-null Authentication object, so skipping tag body");
@ -84,12 +87,14 @@ public class AccessControlListTag extends TagSupport {
return skipBody(); return skipBody();
} }
if (permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), String[] requiredPermissions = hasPermission.split(",");
domainObject, hasPermission)) { for(String requiredPermission : requiredPermissions) {
return evalBody(); if (!permissionEvaluator.hasPermission(authentication, domainObject, requiredPermission)) {
return skipBody();
}
} }
return skipBody(); return evalBody();
} }
private int skipBody() { private int skipBody() {

33
taglibs/src/test/java/org/springframework/security/taglibs/authz/AccessControlListTagTests.java
View File

@ -1,3 +1,15 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.taglibs.authz; package org.springframework.security.taglibs.authz;
import static org.junit.Assert.*; import static org.junit.Assert.*;
@ -20,6 +32,7 @@ import java.util.*;
/** /**
* *
* @author Luke Taylor * @author Luke Taylor
* @author Rob Winch
* @since 3.0 * @since 3.0
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
@ -67,6 +80,26 @@ public class AccessControlListTagTests {
assertTrue((Boolean)pageContext.getAttribute("allowed")); assertTrue((Boolean)pageContext.getAttribute("allowed"));
} }
// SEC-2022
@Test
public void multiHasPermissionsAreSplit() throws Exception {
Object domainObject = new Object();
when(pe.hasPermission(bob, domainObject, "READ")).thenReturn(true);
when(pe.hasPermission(bob, domainObject, "WRITE")).thenReturn(true);
tag.setDomainObject(domainObject);
tag.setHasPermission("READ,WRITE");
tag.setVar("allowed");
assertSame(domainObject, tag.getDomainObject());
assertEquals("READ,WRITE", tag.getHasPermission());
assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
assertTrue((Boolean)pageContext.getAttribute("allowed"));
verify(pe).hasPermission(bob, domainObject, "READ");
verify(pe).hasPermission(bob, domainObject, "WRITE");
verifyNoMoreInteractions(pe);
}
@Test @Test
public void bodyIsSkippedIfAclDeniesAccess() throws Exception { public void bodyIsSkippedIfAclDeniesAccess() throws Exception {
Object domainObject = new Object(); Object domainObject = new Object();