Struts 2 / WW-4118

Allow RolesInterceptor to validate role names

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.16
    • Component/s: None
    • Labels: None
    • Flags: Patch

      Description

      Role names can be easily misconfigured, resulting in security holes. However, app developers typically know which roles are available in their environment. A small tweak to RolesInterceptor could make it easy for developers to have role verification. When the roles are invalid the RolesInterceptor could fail fast, quickly bringing the issue to attention.


          Activity

          Hudson added a comment -

          SUCCESS: Integrated in Struts2-JDK6 #814 (See https://builds.apache.org/job/Struts2-JDK6/814/)
          WW-4118 Adds logic to allow validate defined roles and changes precedence that disallowedRoles are examined first (lukaszlenart: rev 1533359)

          • /struts/struts2/trunk/core/src/main/java/org/apache/struts2/interceptor/RolesInterceptor.java
          • /struts/struts2/trunk/core/src/test/java/org/apache/struts2/interceptor/RolesInterceptorTest.java
          Lukasz Lenart added a comment -

          Patch applied, thanks!

          ASF subversion and git services added a comment -

          Commit 1533359 from Lukasz Lenart in branch 'struts2/trunk'
          [ https://svn.apache.org/r1533359 ]

          WW-4118 Adds logic to allow validate defined roles and changes precedence that disallowedRoles are examined first

          Cam Morris added a comment -

          Attached to WW-4117 is a patch that implements this improvement and adds unit tests for this feature. It includes an override-able boolean areRolesValid(List<String> roles) that is called by setAllowedRoles and setDisallowedRoles.

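As an added worked example, written for this page and not taken from the Struts 2 source or from the patch attached to the ticket, the stand-alone Java class below models the two behaviours the ticket and the comment above describe: an override-able boolean areRolesValid(List<String> roles) hook that setAllowedRoles and setDisallowedRoles call, throwing on unknown role names so a misconfiguration fails fast at configuration time rather than silently widening access, and an evaluation order in which disallowedRoles are examined first. The class name RoleCheck, the KNOWN_ROLES set and the isAllowed signature are assumptions; the class does not extend RolesInterceptor and does not depend on the Struts jar.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * Illustration only (not the Struts 2 RolesInterceptor): role names are
 * validated when they are configured, and disallowed roles are checked
 * before allowed ones. Requires Java 9+ for Set.of.
 */
public class RoleCheck {

    /** Hypothetical set of roles this application knows about. */
    static final Set<String> KNOWN_ROLES =
            Set.of("admin", "editor", "viewer", "suspended");

    private List<String> allowedRoles = Collections.emptyList();
    private List<String> disallowedRoles = Collections.emptyList();

    /** Comma-separated list, the way interceptor params are written in struts.xml. */
    public void setAllowedRoles(String roles) {
        List<String> parsed = stringToList(roles);
        checkRoles(parsed);          // fail fast before the value is stored
        allowedRoles = parsed;
    }

    public void setDisallowedRoles(String roles) {
        List<String> parsed = stringToList(roles);
        checkRoles(parsed);
        disallowedRoles = parsed;
    }

    /**
     * Override point. A permissive default would return true for any list;
     * this illustration rejects any name not in KNOWN_ROLES.
     */
    protected boolean areRolesValid(List<String> roles) {
        return KNOWN_ROLES.containsAll(roles);
    }

    private void checkRoles(List<String> roles) {
        if (!areRolesValid(roles)) {
            throw new IllegalArgumentException("Unknown role name(s) in " + roles
                    + "; known roles are " + KNOWN_ROLES);
        }
    }

    /**
     * Disallowed roles are examined first, so a user who holds both an allowed
     * and a disallowed role is rejected. With no allowed roles configured,
     * anyone not disallowed passes.
     */
    public boolean isAllowed(Set<String> userRoles) {
        for (String r : disallowedRoles) {
            if (userRoles.contains(r)) return false;
        }
        if (allowedRoles.isEmpty()) return true;
        for (String r : allowedRoles) {
            if (userRoles.contains(r)) return true;
        }
        return false;
    }

    /** Splits a comma-separated param, trimming and dropping empty entries. */
    private static List<String> stringToList(String roles) {
        List<String> out = new ArrayList<>();
        if (roles == null) return out;
        for (String s : roles.split(",")) {
            String t = s.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    public static void main(String[] args) {
        RoleCheck check = new RoleCheck();
        check.setAllowedRoles("admin, editor");
        check.setDisallowedRoles("suspended");

        System.out.println("editor: " + check.isAllowed(Set.of("editor")));
        System.out.println("admin+suspended: " + check.isAllowed(Set.of("admin", "suspended")));
        System.out.println("viewer: " + check.isAllowed(Set.of("viewer")));

        try {
            check.setAllowedRoles("admn");   // typo for "admin"
        } catch (IllegalArgumentException e) {
            System.out.println("fail-fast: " + e.getMessage());
        }
    }
}
```

Running main shows an editor admitted, a user holding both admin and suspended rejected because the disallowed list is consulted first, a viewer rejected because viewer is not an allowed role, and the misspelled role name rejected with an exception at configuration time instead of becoming a role that no user can ever match.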

            People

            • Assignee: Lukasz Lenart
            • Reporter: Cam Morris
            • Votes: 0
            • Watchers: 4
