directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shawn McKinney (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FC-120) Fortress API allows any user role assignment if admin session is null
Date Thu, 17 Sep 2015 14:29:04 GMT

    [ https://issues.apache.org/jira/browse/FC-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14802979#comment-14802979
] 

Shawn McKinney commented on FC-120:
-----------------------------------

The concern is the invocation to 'canAssign' inside method in AdminMgr.assignUser quietly
returns if the admin user's session is not set:

    @Override
    public void assignUser( UserRole uRole ) throws SecurityException
    {
        ...
        String methodName = "assignUser";
        AdminUtil.canAssign( uRole.getAdminSession(), user, role, contextId );

This is by design.  The fortress adminmgr and reviewmgr apis automatically perform ARBAC style
checking iff the caller set the admin user's session before invocation.  This checking includes:

1. calls the checkAccess to see if admin user has the administrative permission that corresponds
to the method
2. calls to canAssign/Deassign, canGrant/Revoke

The situation you describe here is the caller did not set the session so the adminmgr method
can't perform the ARBAC checks listed above.

In this scenario if you want to do this check, without following the step above, you simply
call the method DelAccessMgr.canAssign directly before then making the call to assignUser.

> Fortress API allows any user role assignment if admin session is null
> ---------------------------------------------------------------------
>
>                 Key: FC-120
>                 URL: https://issues.apache.org/jira/browse/FC-120
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC41
>            Reporter: Chris Pike
>            Priority: Critical
>
> This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a null session
is passed in it doesn't perform a canAssign check. It looks like the setEntitySession method
on line 568 of admin manager impl also does some sort of check, but I can get around this
by setting admin session to null in admin manager. 
> //user the admin manager is acting on behalf of, that has no ARBAC permissions
> User user = new User("testuser1");	
> Session session = new Session(user);		
> adminManager = AdminMgrFactory.createInstance(session);
> adminManager.setAdmin(null);
> UserRole userRole = new UserRole("fortress-web-super-user");
> userRole.setUserId("testuser1");
> adminManager.assignUser(userRole);



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message