صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
github
/
spring-security
mirrorاز https://github.com/spring-projects/spring-security
2
0
انشعاب 0
پرونده‌ها مشکلات 0 ویکی
فهرست منبع

SEC-951: Overcome serialization error caused by BasicLookupStrategy failing to modify AccessControlEntryImpl.acl field to the replacement AclImpl (previously old references to StubAclParent were retained).

Ben Alex 17 سال پیش
والد
0f8ea229c2
کامیت
c45b4e0989
1فایلهای تغییر یافته به همراه26 افزوده شده و 5 حذف شده
مشاهده تقسیم شده نمایش آمار تفاوت ها
  1. 26 5
      acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java

+ 26 - 5
acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java
مشاهده فایل 

@@ -18,12 +18,14 @@ import java.lang.reflect.Field;
 
 import java.sql.PreparedStatement;
 
 import java.sql.ResultSet;
 
 import java.sql.SQLException;
 
+import java.util.ArrayList;
 
 import java.util.HashMap;
 
 import java.util.HashSet;
 
 import java.util.Iterator;
 
 import java.util.List;
 
 import java.util.Map;
 
 import java.util.Set;
 
+import java.util.Vector;
 
 
 import javax.sql.DataSource;
 
 
@@ -173,14 +175,33 @@ public final class BasicLookupStrategy implements LookupStrategy {
 
                 auditLogger, parent, null, inputAcl.isEntriesInheriting(), inputAcl.getOwner());
 
 
         // Copy the "aces" from the input to the destination
 
-        Field field = FieldUtils.getField(AclImpl.class, "aces");
 
-
 
+        Field fieldAces = FieldUtils.getField(AclImpl.class, "aces");
 
+        Field fieldAcl = FieldUtils.getField(AccessControlEntryImpl.class, "acl");
 
+        
         try {
 
-            field.setAccessible(true);
 
-            field.set(result, field.get(inputAcl));
 
+         	fieldAces.setAccessible(true);
 
+            fieldAcl.setAccessible(true);
 
+
 
+            // Obtain the "aces" from the input ACL
 
+            Iterator i = ((List) fieldAces.get(inputAcl)).iterator();
 
+
 
+            // Create a list in which to store the "aces" for the "result" AclImpl instance
 
+            List acesNew = new ArrayList();
 
+
 
+            // Iterate over the "aces" input and replace each nested AccessControlEntryImpl.getAcl() with the new "result" AclImpl instance
 
+            // This ensures StubAclParent instances are removed, as per SEC-951
 
+            while(i.hasNext()) {
 
+	            AccessControlEntryImpl ace = (AccessControlEntryImpl) i.next();
 
+	            fieldAcl.set(ace, result);
 
+	            acesNew.add(ace);
 
+            }
 
+            
+            // Finally, now that the "aces" have been converted to have the "result" AclImpl instance, modify the "result" AclImpl instance
 
+            fieldAces.set(result, acesNew);
 
         } catch (IllegalAccessException ex) {
 
-            throw new IllegalStateException("Could not obtain or set AclImpl.ace field");
 
+            throw new IllegalStateException("Could not obtain or set AclImpl or AccessControlEntryImpl fields");
 
         }
 
+        
 
         return result;
 
     }