1 Reply Latest reply on Mar 19, 2008 11:24 AM by Adrian Brock

    Field access restriction

    Ales Justin Master

       


      Also I don't see a test in the kernel project that is validating
      that you can't use the xml deployment (or programmatic deployment)
      to bypass the private field access.

      e.g. See the AccessControlTestCase that validates
      that somebody can't use the MC to get access the system properties if they
      don't have the right to do so.

      Looking at that test, plus trying the 'suck it and see' principle with setting up the FieldAccess test, I fail to get it to fail on access restriction.

      My bean looks like this:
      public class AccessBean
      {
       @SuppressWarnings("unused")
       private String priString;
       protected String protString;
       public String pubString;
      }
      

      and the test class extends AbstractDeploymentTest which enables security.
       public static AbstractTestDelegate getDelegate(Class<?> clazz) throws Exception
       {
       AbstractTestDelegate delegate = MicrocontainerTest.getDelegate(clazz);
       delegate.enableSecurity = true;
       return delegate;
       }
      


      While trying this:
       <bean name="private" class="org.jboss.test.kernel.deployment.support.AccessBean" access-mode="ALL">
       <property name="priString">foobar</property>
       </bean>
      
       <bean name="protected" class="org.jboss.test.kernel.deployment.support.AccessBean" access-mode="ALL">
       <property name="protString">foobar</property>
       </bean>
      


      both beans get normally installed.

      What am I missing?
      Since 'enableSecurity=true' does the trick on PropertyField2DependencyTestCase (where I had to disable it in order to test what I wanted to test).

        • 1. Re: Field access restriction
          Adrian Brock Master

           

          "alesj" wrote:

          both beans get normally installed.

          What am I missing?


          They shouldn't be!!!!

          If your the test deploys the xml manually, it should throw a SecurityException.

          It doesn't have the authority to access though fields, so it shouldn't gain
          the authority via deploying xml file.

          If the xml is deployed during the bootstrap then it runs under the MC's ALL authority
          and would allow it.