Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Noncompliant Code Example

      In a Spring-security web application:

      • the vote method of an AccessDecisionVoter type is not compliant when it returns only an affirmative decision (ACCESS_GRANTED) or abstains to make a decision (ACCESS_ABSTAIN):
        public class WeakNightVoter implements AccessDecisionVoter {
            @Override
            public int vote(Authentication authentication, Object object, Collection collection) {  // Noncompliant
            
              Calendar calendar = Calendar.getInstance();
              
              int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
              
              if(currentHour >= 8 && currentHour <= 19) {
                return ACCESS_GRANTED; // Noncompliant
              }
              
              // when users connect during the night, do not make decision
              return ACCESS_ABSTAIN; // Noncompliant
            }
        }
        
      • the hasPermission method of a PermissionEvaluator type is not compliant when it doesn't return false:
        public class MyPermissionEvaluator implements PermissionEvaluator {
            @Override
            public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
                //Getting subject
                Object user = authentication.getPrincipal();
                
                if(user.getRole().equals(permission)) {
                      return true; // Noncompliant
                }
                
                return true;  // Noncompliant
            }
        } 
        

      Compliant Solution

      In a Spring-security web application:

      • the vote method of an AccessDecisionVoter type should return a negative decision (ACCESS_DENIED):
        public class StrongNightVoter implements AccessDecisionVoter {
            @Override
            public int vote(Authentication authentication, Object object, Collection collection) {
            
              Calendar calendar = Calendar.getInstance();
              
              int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
              
              if(currentHour >= 8 && currentHour <= 19) {
                return ACCESS_GRANTED;
              }
              
              // users are not allowed to connect during the night
              return ACCESS_DENIED; // Compliant
            }
        }
        
      • the hasPermission method of a PermissionEvaluator type should return false:
        public class MyPermissionEvaluator implements PermissionEvaluator {
            @Override
            public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
                //Getting subject
                Object user = authentication.getPrincipal();
                
                if(user.getRole().equals(permission)) {
                      return true;
                }
                
                return false; // Compliant
            }
        } 
        

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            eric.therond Eric Therond
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: