Bug in PortalSecurityPermissionCollection?
al_kiev Feb 26, 2006 3:19 AM
Hi guys,
I might be mistaken, but it seems that PortalSecurityPermissionCollection has a bug in its loadPermission method.
The error conditions are as follows
When a user is a member of several roles, the loadPermission method builds a permissions list that corresponds only to the role that happens to come first in the set (the "Roles" principal). As a result, if "Admin" is NOT the first role returned, the user does not receive the permissions granted to the Admin role.
I've fixed this error in my source, but it is not clear to me where I should post (publish) the fix.
Below is the fixed loadPermission method:
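/**
 * Rebuilds {@code permissionsList} with the portal permissions granted to the
 * current caller for {@code uri}.
 * <p>
 * The security constraints for the URI are read from the persistent TreeCache
 * MBean ({@code portal:service=TreeCache,type=persistent}) under
 * {@code /portalobject/<uri>}, or {@code /instance/<uri>} when {@code permType}
 * is {@link PermissionTypes#INSTANCE}. Every role the caller holds is compared
 * against every constraint, so a user with several roles receives the union of
 * the permissions granted to each of them (not just those of the first role).
 * A constraint whose role is {@link SecurityConstants#UNCHECKED_ROLE_NAME}
 * applies to every caller.
 * <p>
 * If no entry or no constraint set exists for the URI, the list is left empty
 * (i.e. nothing is granted).
 *
 * @param permType permission type; {@link PermissionTypes#INSTANCE} selects the
 *                 instance subtree, any other value the portal-object subtree
 * @param uri      resource path whose permissions are loaded
 * @throws Exception if the MBean lookup, the cache invocation or the role
 *                   lookup fails
 */
protected void loadPermission(String permType, String uri) throws Exception {
    String rootP = PermissionTypes.INSTANCE.equals(permType) ? "/instance/" : "/portalobject/";

    Enumeration roles = this.getAllRoles();
    // Always start from an empty list so a previous permission set is never
    // left behind, even when the lookups below find nothing.
    this.permissionsList.clear();

    MBeanServer server = MBeanServerLocator.locateJBoss();
    ObjectName oname = new ObjectName("portal:service=TreeCache,type=persistent");
    Fqn fqn = Fqn.fromString(rootP + uri);
    ObjectEntry oe = (ObjectEntry) server.invoke(oname, "get",
            new Object[] { fqn, "constraints" },
            new String[] { "org.jboss.cache.Fqn", "java.lang.Object" });
    if (oe == null) {
        return;
    }

    Set constraints = (Set) oe.getValue();
    // A null constraint set previously reached constraints.toArray() and threw a
    // NullPointerException; treat it like an empty set (no permissions granted).
    if (constraints == null || constraints.isEmpty() || roles == null) {
        return;
    }

    // Examine every role of the caller, not only the first one, and collect the
    // actions of each constraint that applies to that role.
    while (roles.hasMoreElements()) {
        String role = ((Principal) roles.nextElement()).getName();
        for (Iterator it = constraints.iterator(); it.hasNext();) {
            SecurityConstraint sc = (SecurityConstraint) it.next();
            if (!constraintAppliesTo(sc, role)) {
                continue;
            }
            for (Iterator actions = sc.getActions().iterator(); actions.hasNext();) {
                String actionstr = (String) actions.next();
                this.permissionsList.add(getPortalPermission(permType, actionstr, uri));
            }
        }
    }
}

/**
 * Tells whether a constraint grants its actions to the given role.
 *
 * @param sc   the constraint being evaluated
 * @param role name of one of the caller's roles
 * @return {@code true} if the constraint is unchecked (applies to everybody) or
 *         its role name equals {@code role}
 */
private static boolean constraintAppliesTo(SecurityConstraint sc, String role) {
    String scrole = sc.getRole();
    return SecurityConstants.UNCHECKED_ROLE_NAME.equals(scrole) || role.equals(scrole);
}

/**
 * Returns the roles of the current caller as an enumeration of principals.
 * <p>
 * The subject is read from the policy context key
 * {@code javax.security.auth.Subject.container}. If the subject carries a
 * {@link Group} named {@code "Roles"}, that group's members are returned.
 * Otherwise (no subject, no principals, or no such group) an enumeration
 * holding only {@link SecurityConstants#UNCHECKED_ROLE_NAME} is returned, so
 * an anonymous caller still matches unchecked constraints.
 *
 * @return the caller's role principals; only {@code null} if the matching
 *         group's {@code members()} itself returns {@code null}
 * @throws Exception if the policy context cannot be read
 */
private Enumeration getAllRoles() throws Exception {
    Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
    log.debug("Subject=" + subject);
    if (subject == null) {
        return uncheckedRoleOnly();
    }
    Set principals = subject.getPrincipals();
    if (principals == null) {
        return uncheckedRoleOnly();
    }
    for (Iterator iter = principals.iterator(); iter.hasNext();) {
        Principal p = (Principal) iter.next();
        // Only the group named "Roles" carries the caller's roles; every other
        // principal, including other groups, is ignored.
        if (p instanceof Group && "Roles".equals(((Group) p).getName())) {
            return ((Group) p).members();
        }
    }
    return uncheckedRoleOnly();
}

/**
 * Builds the fallback role set used when the caller has no "Roles" group.
 *
 * @return a single-element enumeration containing the unchecked role
 */
private static Enumeration uncheckedRoleOnly() {
    List uncheckedRole = new LinkedList();
    uncheckedRole.add(new SimpleGroup(SecurityConstants.UNCHECKED_ROLE_NAME));
    return Collections.enumeration(uncheckedRole);
}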