Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.4.17
-
None
Description
I am developing a web application that uses the wicket-auth framework 1.4.17,
more specifically the following class :
org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy
and I am experiencing an issue that I think might be a bug (but I'm not sure, it might be
that I'm doing something wrong). I am using an annotation like below :
@AuthorizeAction(action = ..., roles = ...)
However I have found that I am always denied access to the page. I have traced the reason
of the access to the following code, in method "check" of the above class :
if (hasAny(new Roles(authorizeActionAnnotation.deny())))
{ return false; }The deny list returned by "authorizeActionAnnotation.deny()" is empty, therefore "hasAny"
always returns true, which means that when the deny list is empty you are always denied
access to the page!
Maybe it's a feature but it sounds like counter-intuitive to me 
Using the following
annotation did fix the issue :
@AuthorizeAction(action = ..., deny="dummyRoleToDeny", roles = ...)
I posted this on the mailing list and obtained confirmation that this seems to be an incorrect check,
and not a misunderstanding on my part