Spring Security / SEC-1198

MethodSecurityPrivilegeEvaluator Returns True When Principal Does Not Have Required Role

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 2.0.5
    • Fix Version/s: 3.0.0 M2
    • Component/s: Core
    • Labels:
      None

      Description

      We've implemented an IAuthorizationService.isCallable(Object object, String methodName) service.

      The isCallable method looks up the object's security interceptor in a map and then sets the security interceptor on the MethodInvocationPrivilegeEvaluator instance. MethodInvocationPrivilegeEvaluator is then called to see whether the method invocation is allowed.

      True is returned regardless of whether the authentication has the required role or not.

      I'm attaching a maven project with all source code and tests.

      The test to look at is:
      spring.security.jira/src/test/java/com/example/security/authorization/tests/AuthorizationServiceTest.java

      SIDE NOTE:
      I believe the method MethodInvocationPrivilegeEvaluator currently requires a MethodSecurityInterceptor instance for its initialization. This required us to wire in "Dummy" classes just to get the container to start up. When isCallable is called, we replace the "Dummy" MethodSecurityInterceptor instance with the instance the container created for the secured object.

        Activity

        luke Luke Taylor added a comment -

        You can either inject the interceptor directly into it if you have configured the interceptor explicitly, autowire it by type or use a BeanPostProcessor to configure it.

        ole.ersoy Ole Ersoy added a comment -

        It's just that the service as is currently chooses which security interceptor to use during the isCallable method invocation, so all the service needs is a "vanilla" MethodInvocationPrivilegeEvaluator.

        ole.ersoy Ole Ersoy added a comment -

        That might be a moot point though, if the proper framework way to do it is to either use <global-method-security> or manually configure a single method security interceptor that gets applied via AOP. If I understand correctly, in both of these cases there will only be a single security interceptor, so one might as well just wire it during startup?

        luke Luke Taylor added a comment -

        There isn't really a "proper" way to do it. It depends on your requirements. If a single interceptor is sufficient (and often it will be), then there's no reason why you can't just define the MethodInvocationPrivilegeEvaluator in the app context and inject the interceptor. If for some reason you need more than one interceptor then you can have multiple MethodInvocationPrivilegeEvaluators too.

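Wiring a MethodInvocationPrivilegeEvaluator the way Luke describes, with one MethodSecurityInterceptor injected once at startup, and then answering the isCallable(Object, String) question from the description for a given Authentication. This is an added example, not the reporter's attached project or Spring Security's own code. It is written against the Spring Security 3.0 API (the Fix Version on this issue), so the package names are an assumption for that version; AccountService, its methods, the principal names and the role names are constructed for the illustration.

```java
import java.lang.reflect.Method;
import java.util.Arrays;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.intercept.aopalliance.MethodInvocationPrivilegeEvaluator;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.util.SimpleMethodInvocation;

public class PrivilegeEvaluatorExample {

    /** Constructed secured service for this example; only closeAccount() is mapped to a role. */
    public static class AccountService {
        public String viewBalance(String accountId) { return "balance of " + accountId; }
        public void closeAccount(String accountId) { }
    }

    /**
     * One interceptor, one evaluator, wired once at startup (Luke's suggestion).
     * In an application context this is two bean definitions and a property
     * reference; it is done in code here so the example stands alone.
     */
    static MethodInvocationPrivilegeEvaluator buildEvaluator() {
        MapBasedMethodSecurityMetadataSource metadata = new MapBasedMethodSecurityMetadataSource();
        metadata.addSecureMethod(AccountService.class, "closeAccount",
                SecurityConfig.createList("ROLE_ADMIN"));

        AffirmativeBased decisionManager = new AffirmativeBased();
        decisionManager.setDecisionVoters(Arrays.<AccessDecisionVoter>asList(new RoleVoter()));

        MethodSecurityInterceptor interceptor = new MethodSecurityInterceptor();
        interceptor.setSecurityMetadataSource(metadata);
        interceptor.setAccessDecisionManager(decisionManager);
        // A method the metadata source knows nothing about is "public": the evaluator
        // answers true for it regardless of roles unless public invocations are
        // rejected. Choosing this explicitly avoids an unintended "always true".
        interceptor.setRejectPublicInvocations(true);

        MethodInvocationPrivilegeEvaluator evaluator = new MethodInvocationPrivilegeEvaluator();
        // Fails fast if the interceptor carries no AccessDecisionManager.
        evaluator.setSecurityInterceptor(interceptor);
        return evaluator;
    }

    /** The isCallable question from the description: may this principal call methodName on target? */
    static boolean isCallable(MethodInvocationPrivilegeEvaluator evaluator, Object target,
                              String methodName, Authentication authentication) {
        for (Method method : target.getClass().getMethods()) {
            if (method.getName().equals(methodName)) {
                // SimpleMethodInvocation supplies the target and Method the metadata source keys on.
                return evaluator.isAllowed(new SimpleMethodInvocation(target, method), authentication);
            }
        }
        throw new IllegalArgumentException("no method named " + methodName + " on " + target.getClass());
    }

    public static void main(String[] args) {
        MethodInvocationPrivilegeEvaluator evaluator = buildEvaluator();
        AccountService service = new AccountService();

        // Constructed principals: one with the required role, one without.
        Authentication admin = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");
        Authentication user = new TestingAuthenticationToken("bob", "n/a", "ROLE_USER");

        System.out.println("admin closeAccount: " + isCallable(evaluator, service, "closeAccount", admin));
        System.out.println("user closeAccount:  " + isCallable(evaluator, service, "closeAccount", user));
        System.out.println("admin viewBalance:  " + isCallable(evaluator, service, "viewBalance", admin));
    }
}
```

With this wiring, closeAccount is granted to the principal holding ROLE_ADMIN and denied to the one holding only ROLE_USER, because the evaluator hands the interceptor's attributes to the interceptor's AccessDecisionManager. The viewBalance check is denied for both, since no attributes are mapped for it and rejectPublicInvocations is set; with the default of false the evaluator would answer true for any unmapped method, which is the first thing to verify when an evaluator appears to grant everything.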
        issuemaster Spring Issuemaster added a comment -

        This issue has been migrated to https://github.com/spring-projects/spring-security/issues/1446

          People

          • Assignee:
            luke Luke Taylor
          • Reporter:
            ole.ersoy Ole Ersoy