Shiro / SHIRO-685

Potential NullPointerException if PermissionResolver returns null/empty string


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Resolved
    • Affects Version/s: None
    • Fix Version/s: 1.5.0
    • Component/s: None
    • Labels:
      None

      Description

      Reported via email on a private list

      Email contents:

        When judging whether a person has permission or not, if null or ""
      is in the permissionSet, it throws new IllegalArgumentException("Wildcard
      string cannot be null or empty. Make sure permission strings are
      properly formatted"). But if null or "" is in the roleSet, it's no
      problem.

        So I suggest adding a judgement (I'm sorry that I had to create a
      new file on GitHub because I can't find a page to submit issues. I'm
      sorry for the trouble).

        Here is the code (code address: org.apache.shiro.realm.AuthorizingRealm,
      method: private Collection<Permission> resolvePermissions(Collection<String> stringPerms)):

        -------------------------------------- The original code: --------------------------------------

        private Collection<Permission> resolvePermissions(Collection<String> stringPerms)
        {
          Collection<Permission> perms = Collections.emptySet();
          PermissionResolver resolver = getPermissionResolver();
          if ((resolver != null) && (!CollectionUtils.isEmpty(stringPerms)))
          {
            perms = new LinkedHashSet(stringPerms.size());
            for (String strPermission : stringPerms)
            {
              Permission permission = resolver.resolvePermission(strPermission);
              perms.add(permission);
            }
          }
          return perms;
        }
      

        -------------------------------------- my code1 (I suggest this way): --------------------------------------

        private Collection<Permission> resolvePermissions(Collection<String> stringPerms)
        {
          Collection<Permission> perms = Collections.emptySet();
          PermissionResolver resolver = getPermissionResolver();
          if ((resolver != null) && (!CollectionUtils.isEmpty(stringPerms)))
          {
            perms = new LinkedHashSet(stringPerms.size());
            for (String strPermission : stringPerms)
            {
              // Check each permission from the database, because
              // StringUtils.clean(wildcardString) in WildcardPermission's
              // setParts converts "" to null
              if (StringUtils.isBlank(strPermission))
                continue;
              Permission permission = resolver.resolvePermission(strPermission);
              perms.add(permission);
            }
          }
          return perms;
        }
      

        -------------------------------------- or my code2 --------------------------------------

        private Collection<Permission> resolvePermissions(Collection<String> stringPerms)
        {
          Collection<Permission> perms = Collections.emptySet();
          PermissionResolver resolver = getPermissionResolver();
          // Check here: if the permission set from the database contains
          // null objects, remove them
          Collection<String> newStrPerms = new HashSet<String>();
          if (stringPerms != null)
          {
            for (String permission : stringPerms)
            {
              // keep only the non-blank permission strings
              if (!StringUtils.isBlank(permission))
                newStrPerms.add(permission);
            }
          }
          stringPerms = newStrPerms;

          if ((resolver != null) && (!CollectionUtils.isEmpty(stringPerms)))
          {
            perms = new LinkedHashSet(stringPerms.size());
            for (String strPermission : stringPerms)
            {
              Permission permission = resolver.resolvePermission(strPermission);
              perms.add(permission);
            }
          }
          return perms;
        }
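
The failure mode described in the email, as an added example that is not part of the original report or of Shiro's code: `Resolver` and `STRICT` are hypothetical stand-ins for `PermissionResolver` and the blank-string rejection the report quotes, and the sample list is constructed.

```java
import java.util.*;

public class BlankPermissionDemo {
    // Hypothetical stand-in for Shiro's PermissionResolver (returns String for brevity).
    interface Resolver { String resolve(String s); }

    // Mimics the behaviour quoted in the report: a null or blank string is rejected.
    static final Resolver STRICT = s -> {
        if (s == null || s.trim().isEmpty()) {
            throw new IllegalArgumentException("Wildcard string cannot be null or empty. "
                    + "Make sure permission strings are properly formatted");
        }
        return s.trim();
    };

    // Unguarded loop, shaped like the "original code" in the report.
    static Collection<String> resolveUnguarded(Collection<String> perms, Resolver r) {
        Collection<String> out = new LinkedHashSet<>();
        for (String p : perms) out.add(r.resolve(p));
        return out;
    }

    // Guarded loop: a null collection and null/blank entries are skipped.
    static Collection<String> resolveGuarded(Collection<String> perms, Resolver r) {
        if (r == null || perms == null || perms.isEmpty()) return Collections.emptySet();
        Collection<String> out = new LinkedHashSet<>(perms.size());
        for (String p : perms) {
            if (p == null || p.trim().isEmpty()) continue;
            out.add(r.resolve(p));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: permission strings as they might come back from a database.
        List<String> fromDb = Arrays.asList("user:read", "", null, "  ", "user:write");
        try {
            resolveUnguarded(fromDb, STRICT);
        } catch (IllegalArgumentException e) {
            System.out.println("unguarded: " + e.getMessage());
        }
        System.out.println("guarded:   " + resolveGuarded(fromDb, STRICT));
        System.out.println("null set:  " + resolveGuarded(null, STRICT));
    }
}
```

In the guarded version a blank entry produces no permission object at all, so skipping it grants nothing, while one malformed row no longer aborts resolution of the valid ones.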
      

              People

              • Assignee: Francois Papon (fpapon)
              • Reporter: Brian Demers (bdemers)
              • Votes: 0
              • Watchers: 1

              Time Tracking

              • Original Estimate: Not Specified
              • Remaining Estimate: 0h
              • Time Spent: 1h