Hi!
I stumbled upon a problem(?) with security once again. The problem is that
SecurityInterceptor only checks permissions if method permissions (the set of
roles that can call the method) are present (NOT null, at least one role is
allowed to call this method):
"
..
if (methodPermissions != null && !realmMapping.doesUserHaveRole( principal, methodPermissions ))
    ^^^^^^^^^^^^^^^^^^^^^^^^^
{
    // should log illegal access
    throw new java.rmi.RemoteException("checkSecurityAssociation",
        new SecurityException("Illegal access exception"));
}
..
"
My question is: why is this check for "null" required? According to the
spec, if no roles are allowed to call a method, it cannot be called. This
code, however, does allow it. Could it be that, if a method is not allowed to
be called at all, the methodPermissions set should be EMPTY, NOT NULL? In that
case, the problem is elsewhere -- where this set is created.
Alexander Klyubin
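
The null-versus-empty distinction raised in the message above, as an added example that is not part of the original post or of the jBoss source. The class name, the helper methods and the sample roles are hypothetical, and `doesUserHaveRole` here is a simple stand-in for the realm lookup, not the real `realmMapping` API.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class MethodPermissionCheck {
    // Hypothetical stand-in for the realm lookup: true if the caller holds any allowed role.
    static boolean doesUserHaveRole(Set<String> callerRoles, Set<String> methodPermissions) {
        return !Collections.disjoint(callerRoles, methodPermissions);
    }

    // Same shape as the quoted check: a null set skips the role test, so the call goes through.
    static boolean allowedWithNullGuard(Set<String> callerRoles, Set<String> methodPermissions) {
        if (methodPermissions != null && !doesUserHaveRole(callerRoles, methodPermissions)) {
            return false; // the quoted code throws here
        }
        return true;
    }

    // Deny-by-default variant (an assumption about the intended semantics):
    // a missing set and an empty set both mean "no role may call this method".
    static boolean allowedDenyByDefault(Set<String> callerRoles, Set<String> methodPermissions) {
        if (methodPermissions == null || methodPermissions.isEmpty()) {
            return false;
        }
        return doesUserHaveRole(callerRoles, methodPermissions);
    }

    public static void main(String[] args) {
        Set<String> caller = Set.of("guest"); // constructed sample caller
        // Constructed sample permission sets; LinkedHashMap keeps order and accepts null values.
        Map<String, Set<String>> cases = new LinkedHashMap<>();
        cases.put("null set", null);
        cases.put("empty set", Set.of());
        cases.put("{admin}", Set.of("admin"));
        cases.put("{guest, admin}", Set.of("guest", "admin"));

        System.out.printf("%-16s %-12s %s%n", "permissions", "null-guard", "deny-by-default");
        for (Map.Entry<String, Set<String>> c : cases.entrySet()) {
            System.out.printf("%-16s %-12s %s%n", c.getKey(),
                    allowedWithNullGuard(caller, c.getValue()) ? "ALLOW" : "DENY",
                    allowedDenyByDefault(caller, c.getValue()) ? "ALLOW" : "DENY");
        }
    }
}
```

The only row where the two checks disagree is the null set, so whether the guard is a hole depends on what the code that builds the set returns for a method with no roles.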
