Home Esplora Aiuto
Registrati Accedi
github
/
spring-security
mirror da https://github.com/spring-projects/spring-security
2
0
Forka 0
File Problemi 0 Wiki
Sfoglia il codice sorgente

SEC-2023: AccessControlListTag again supports bitmasks

Spring Security 3.1 has a regression i the AccessControlListTag
which should support using the bitmask in hasPermission.

Now hasPermission supports bit masks again.
Rob Winch 13 anni fa
parent
b481a6c1ad
commit
4b86d49a9a
2 ha cambiato i file con 54 aggiunte e 2 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 15 2
      taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
  2. 39 0
      taglibs/src/test/java/org/springframework/security/taglibs/authz/AccessControlListTagTests.java

+ 15 - 2
taglibs/src/main/java/org/springframework/security/taglibs/authz/AccessControlListTag.java
Vedi File 

@@ -87,8 +87,8 @@ public class AccessControlListTag extends TagSupport {
 
             return skipBody();
 
         }
 
 
-        String[] requiredPermissions = hasPermission.split(",");
 
-        for(String requiredPermission : requiredPermissions) {
 
+        List<Object> requiredPermissions = parseHasPermission(hasPermission);
 
+        for(Object requiredPermission : requiredPermissions) {
 
             if (!permissionEvaluator.hasPermission(authentication, domainObject, requiredPermission)) {
 
                 return skipBody();
 
             }
 
@@ -97,6 +97,19 @@ public class AccessControlListTag extends TagSupport {
 
         return evalBody();
 
     }
 
 
+    private List<Object> parseHasPermission(String hasPermission) {
 
+        String[] requiredPermissions = hasPermission.split(",");
 
+        List<Object> parsedPermissions = new ArrayList<Object>(requiredPermissions.length);
 
+        for(String permissionToParse : requiredPermissions) {
 
+            Object parsedPermission = permissionToParse;
 
+            try {
 
+                parsedPermission = Integer.parseInt(permissionToParse);
 
+            }catch(NumberFormatException notBitMask) {}
 
+            parsedPermissions.add(parsedPermission);
 
+        }
 
+        return parsedPermissions;
 
+    }
 
+
 
     private int skipBody() {
 
         if (var != null) {
 
             pageContext.setAttribute(var, Boolean.FALSE, PageContext.PAGE_SCOPE);

+ 39 - 0
taglibs/src/test/java/org/springframework/security/taglibs/authz/AccessControlListTagTests.java
Vedi File 

@@ -100,6 +100,45 @@ public class AccessControlListTagTests {
 
         verifyNoMoreInteractions(pe);
 
     }
 
 
+    // SEC-2023
 
+    @Test
 
+    public void hasPermissionsBitMaskSupported() throws Exception {
 
+        Object domainObject = new Object();
 
+        when(pe.hasPermission(bob, domainObject, 1)).thenReturn(true);
 
+        when(pe.hasPermission(bob, domainObject, 2)).thenReturn(true);
 
+
 
+        tag.setDomainObject(domainObject);
 
+        tag.setHasPermission("1,2");
 
+        tag.setVar("allowed");
 
+        assertSame(domainObject, tag.getDomainObject());
 
+        assertEquals("1,2", tag.getHasPermission());
 
+
 
+        assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
 
+        assertTrue((Boolean)pageContext.getAttribute("allowed"));
 
+        verify(pe).hasPermission(bob, domainObject, 1);
 
+        verify(pe).hasPermission(bob, domainObject, 2);
 
+        verifyNoMoreInteractions(pe);
 
+    }
 
+
 
+    @Test
 
+    public void hasPermissionsMixedBitMaskSupported() throws Exception {
 
+        Object domainObject = new Object();
 
+        when(pe.hasPermission(bob, domainObject, 1)).thenReturn(true);
 
+        when(pe.hasPermission(bob, domainObject, "WRITE")).thenReturn(true);
 
+
 
+        tag.setDomainObject(domainObject);
 
+        tag.setHasPermission("1,WRITE");
 
+        tag.setVar("allowed");
 
+        assertSame(domainObject, tag.getDomainObject());
 
+        assertEquals("1,WRITE", tag.getHasPermission());
 
+
 
+        assertEquals(Tag.EVAL_BODY_INCLUDE, tag.doStartTag());
 
+        assertTrue((Boolean)pageContext.getAttribute("allowed"));
 
+        verify(pe).hasPermission(bob, domainObject, 1);
 
+        verify(pe).hasPermission(bob, domainObject, "WRITE");
 
+        verifyNoMoreInteractions(pe);
 
+    }
 
+
 
     @Test
 
     public void bodyIsSkippedIfAclDeniesAccess() throws Exception {
 
         Object domainObject = new Object();