[
https://issues.apache.org/jira/browse/SHIRO-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401129#comment-17401129
]
Benjamin Marwell commented on SHIRO-629:
----------------------------------------
Hi [~pkriens], thanks for reporting. While browsing, I decided to take a deeper
look into this for Shiro 2.x.
For 1.x, the best bet is to stick to ASCII characters for now.
> WildcardPermission syntax
> -------------------------
>
> Key: SHIRO-629
> URL: https://issues.apache.org/jira/browse/SHIRO-629
> Project: Shiro
> Issue Type: Question
> Components: Authorization (access control)
> Reporter: Peter Kriens
> Priority: Critical
>
> While looking at the WildcardPermission I see it allows a much wider range of
> usage than used in all the examples I've seen. Looking at the implementation
> I notice it is not verifying. I also noted that there is no escaping for
> matching the [*:,] tokens in the target permission. I think the examples
> follow the grammar like:
> permission ::= part ( ':' part ) *
> part ::= wildcard | options
> wildcard ::= '*'
> options ::= literal ( ',' literal )
> literal ::= [^*:,]+
> This should disallow permissions like "abc*def", "abc:def,*:foo", "abc:",
> "x:::::::::::::::". However, the implementation seems to more or less allow
> anything without warnings or errors. Is this intentional?
> Last, the implementation looks quite expensive since it requires for each
> construction numerous lists, sets, and arrays. It also executes n*m regular
> expression operations for the split. Since the target permission could be
> constructed frequently, as it contains the parameters, this is imho very
> costly.
> Therefore it would be nice to have a formal grammar including the character set
> and escaping.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
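Added example, not code from Shiro or from either participant in the thread: a strict parser for the grammar quoted in the issue, followed by an implication check that follows Shiro's documented WildcardPermission semantics (a `*` part matches anything; a permission with fewer parts implies any more specific one, e.g. `printer:print` implies `printer:print:lp7200`; a permission with more parts implies a shorter one only if the surplus parts are all `*`). It assumes the `options` production was meant as `literal ( ',' literal )*` (the quoted grammar omits the repetition), that matching is case-insensitive by default as in Shiro, and it deliberately does not invent an escape syntax, since the issue asks for one but does not propose it. The four strings the reporter lists as "should be disallowed" are rejected by `parse_strict`.

```python
import re

PART_SEP = ":"      # separates parts:      printer:print:lp7200
SUBPART_SEP = ","   # separates options:    printer:print,query
WILDCARD = "*"

# literal ::= [^*:,]+  (taken from the grammar quoted in SHIRO-629)
LITERAL_RE = re.compile(r"[^*:,]+")


class PermissionSyntaxError(ValueError):
    """Raised when a permission string violates the strict grammar."""


def parse_strict(perm, case_sensitive=False):
    """Parse `perm` into a list of parts, each a set of option literals.

    Grammar (assumed reading of the issue text):
        permission ::= part ( ':' part )*
        part       ::= wildcard | options
        wildcard   ::= '*'
        options    ::= literal ( ',' literal )*
        literal    ::= [^*:,]+
    A wildcard part is represented as the set {"*"}; a literal may never
    contain '*', so the two cannot be confused.
    """
    if not perm:
        raise PermissionSyntaxError("permission string must not be empty")
    parts = []
    for raw_part in perm.split(PART_SEP):
        if raw_part == WILDCARD:
            parts.append({WILDCARD})
            continue
        options = set()
        for lit in raw_part.split(SUBPART_SEP):
            # Empty literals ("abc:", "x:::") and literals containing a
            # reserved token ("abc*def", "def,*") all fail fullmatch here.
            if not LITERAL_RE.fullmatch(lit):
                raise PermissionSyntaxError(
                    "invalid literal %r in part %r of %r" % (lit, raw_part, perm))
            options.add(lit if case_sensitive else lit.lower())
        parts.append(options)
    return parts


def is_valid(perm):
    """True if `perm` conforms to the strict grammar."""
    try:
        parse_strict(perm)
    except PermissionSyntaxError:
        return False
    return True


def implies(this, other):
    """Shiro-style implication over two parsed permissions.

    `this` is the permission held by the subject, `other` the permission
    being checked (the 'target' built from request parameters).
    """
    for i, other_part in enumerate(other):
        if i >= len(this):
            # Held permission is shorter: "printer:print" implies
            # "printer:print:lp7200".
            return True
        this_part = this[i]
        if WILDCARD not in this_part and not other_part <= this_part:
            # Every option the target names must be granted by this part.
            return False
    # Target is shorter: "printer:print:lp7200" does not imply
    # "printer:print", but "printer:*:*" does.
    return all(WILDCARD in part for part in this[len(other):])


def implies_str(held, target):
    """Convenience wrapper: parse both strings strictly, then compare."""
    return implies(parse_strict(held), parse_strict(target))


if __name__ == "__main__":
    # Strings the issue says should be disallowed (constructed from the report).
    for bad in ["abc*def", "abc:def,*:foo", "abc:", "x:::::::::::::::"]:
        print("%-20s valid=%s" % (bad, is_valid(bad)))
    print("printer:*        implies printer:print:lp7200 ->",
          implies_str("printer:*", "printer:print:lp7200"))
    print("printer:print    implies printer:print:lp7200 ->",
          implies_str("printer:print", "printer:print:lp7200"))
    print("printer:print:lp7200 implies printer:print   ->",
          implies_str("printer:print:lp7200", "printer:print"))
```

Parsing each string once and caching the resulting list of frozen sets on the held permission object addresses the cost concern in the report: the regular-expression work happens at parse time, and `implies` is then a handful of set comparisons per request.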