Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-902

Separator conflict between PermissionUtils.resolveDelimitedPermissions() and WildcardPermission.SUBPART_DIVIDER_TOKEN

    XMLWordPrintableJSON

Details

    Description

      PermissionUtils.resolveDelimitedPermissions() accepts multiple permissions, separated by comma. But comma is already reserved by WildcardPermission.SUBPART_DIVIDER_TOKEN.

       

      Example: "user:read,write:*"

      Expected:

      parts: [  ["user"],  ["read", "write"],  ["*"]]Actual:

      WildcardPermission.parts: [  ["user"],  ["read"]],WildcardPermission.parts: [  ["write"],  ["*"]]{}

      JUnit test to trigger the bug:

      import static org.assertj.core.api.Assertions.assertThat;

      import org.apache.shiro.authz.permission.WildcardPermission;
      import org.apache.shiro.authz.permission.WildcardPermissionResolver;
      import org.apache.shiro.util.PermissionUtils;
      import org.junit.jupiter.api.Test;

      public class PermissionUtilsTest {
          @Test
          void verifyResolveDelimitedPermissionsRespectsSubPartDividerToken() {
              var permissionResolver = new WildcardPermissionResolver(true);
              var result = PermissionUtils.resolveDelimitedPermissions("user:read,write:*", permissionResolver);
              assertThat(result)
                  .containsExactlyInAnyOrder(
                      new WildcardPermission("user:read,write:*")
                  );
      {{    }}}
      }

       

      I understand, that PermissionUtils actually cannot know about WildcardPermission.SUBPART_DIVIDER_TOKEN, because it is hidden behind the PermissionResolver abstraction. But WildcardPermissionResolver is the only resolver you provide. PermissionUtils should support using it.

      I also understand that the fix will be a breaking change, which should usually be avoided in public APIs. But also consider, that every new user using PermissionUtils will waste time debugging this bug, and then will avoid using resolveDelimitedPermissions(). What's the purpose of a stable but unused API?

       

      Attachments

        Issue Links

          Activity

            People

              bmarwell Benjamin Marwell
              ewirch Eduard Wirch
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m