shiro-dev mailing list archives

From "Stephen Colebourne (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-495) AuthorizingRealm permission matching hard to override
Date Mon, 14 Apr 2014 14:22:17 GMT
Stephen Colebourne created SHIRO-495:
----------------------------------------

             Summary: AuthorizingRealm permission matching hard to override
                 Key: SHIRO-495
                 URL: https://issues.apache.org/jira/browse/SHIRO-495
             Project: Shiro
          Issue Type: Bug
          Components: Realms 
    Affects Versions: 1.2.3
            Reporter: Stephen Colebourne


The class {{AuthorizingRealm}} implements the Authorizer interface. That interface defines
10 permission-based methods which are all implemented to delegate down to a single {{isPermitted(Permission,AuthorizationInfo)}}
method.

Unfortunately, the {{isPermitted(Permission,AuthorizationInfo)}} method is defined as private.
As such, subclass {{Realm}} implementations cannot override the permission evaluation to implement
their own logic (which I want to do right now).

There is no security issue with making the method protected, as it is possible to override
each of the 10 public methods in the subclass. It's simply the case that overriding 10 methods
to behave exactly the same as {{AuthorizingRealm}} simply because the single central method
is not protected is dumb.

Please change the {{isPermitted(Permission,AuthorizationInfo)}} method from private scope
to protected scope. I would provide a patch, but it's such a simple change it's just not worth
it ;-) I've classified it as a bug because it looks like a simple oversight when reviewing
the rest of the class.

The workaround is to define implementations of {{Permission}} and {{PermissionResolver}},
which is a more complex solution.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
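
The workaround named in the report, sketched as an added example (not code from the message or from the Shiro project): a custom `Permission` plus a `PermissionResolver` installed on the realm, so the matching logic changes without overriding any of the ten public methods. `PathPermission`, `PathPermissionResolver` and `RealmWiring` are hypothetical names, and the path-prefix rule is an assumed policy chosen for illustration; the code needs shiro-core on the classpath.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.realm.AuthorizingRealm;

/** Hypothetical permission: a granted path implies itself and everything beneath it. */
final class PathPermission implements Permission {
    private final String path;

    PathPermission(String path) {
        // Reject malformed or traversal-style strings instead of guessing their meaning.
        if (path == null || !path.startsWith("/") || path.contains("..")) {
            throw new IllegalArgumentException("invalid permission path: " + path);
        }
        // Normalise a trailing slash so "/reports/" and "/reports" compare equal.
        this.path = path.length() > 1 && path.endsWith("/")
                ? path.substring(0, path.length() - 1) : path;
    }

    @Override
    public boolean implies(Permission requested) {
        // Fail closed: a permission of another type is never implied.
        if (!(requested instanceof PathPermission)) {
            return false;
        }
        String other = ((PathPermission) requested).path;
        if (path.equals("/") || other.equals(path)) {
            return true;
        }
        // Match on a segment boundary so "/reports" does not imply "/reports-private".
        return other.startsWith(path + "/");
    }
}

/** Turns the permission strings held by the realm and passed by callers into PathPermission. */
final class PathPermissionResolver implements PermissionResolver {
    @Override
    public Permission resolvePermission(String permissionString) {
        return new PathPermission(permissionString);
    }
}

final class RealmWiring {
    /** Installs the resolver; the realm's own isPermitted/checkPermission methods stay as they are. */
    static void install(AuthorizingRealm realm) {
        realm.setPermissionResolver(new PathPermissionResolver());
    }
}
```

Because the realm grants access as soon as any held permission's `implies` returns true, this approach can only change how a single grant matches; a rule that vetoes across grants still needs control of the central evaluation method the report asks to open up.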
