Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-495

AuthorizingRealm permission matching hard to override

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.2.3
    • None
    • Realms
    • None

    Description

      The class AuthorizingRealm implements the Authorizer interface. That interface defines 10 permission-based methods which are all implemented to delegate down to a single isPermitted(Permission,AuthorizationInfo) method.

      Unfortunately, the isPermitted(Permission,AuthorizationInfo) method is defined as private. As such, subclass Realm implementations cannot override the permission evaluation to implement their own logic (which I want to do right now).

      There is no security issue with making the method protected, as it is possible to override each of the 10 public methods in the subclass. Its simply the case that overriding 10 methods to behave exactly the same as AuthorizingRealm simply because the single central method is not protected is dumb.

      Please change the isPermitted(Permission,AuthorizationInfo) method from private scope to protected scope. I would provide a patch, but its such a simple change its just not worth it I've classified it as a bug because it looks like a simple oversight when reviewing the rest of the class.

      The workaround is to define implementations of Permission and PermissionResolver, which is a more complex solution.

      Attachments

        Activity

          People

            Unassigned Unassigned
            scolebourne Stephen Colebourne
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: