[SYNCOPE-829] Moving result size protection onto external layers
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/9d15e6f1 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/9d15e6f1 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/9d15e6f1 Branch: refs/heads/SYNCOPE-862 Commit: 9d15e6f19bd0db7375a024a4d313fe3f84dac70a Parents: 6401a90 Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Mon Jun 13 11:33:25 2016 +0200 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Mon Jun 13 11:33:25 2016 +0200 ---------------------------------------------------------------------- .../common/rest/api/beans/ConnObjectTOListQuery.java | 10 +++++++++- .../java/org/apache/syncope/core/logic/ResourceLogic.java | 8 +++----- 2 files changed, 12 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/9d15e6f1/common/rest-api/src/main/java/org/apache/syncope/common/rest/api/beans/ConnObjectTOListQuery.java ---------------------------------------------------------------------- diff --git a/common/rest-api/src/main/java/org/apache/syncope/common/rest/api/beans/ConnObjectTOListQuery.java b/common/rest-api/src/main/java/org/apache/syncope/common/rest/api/beans/ConnObjectTOListQuery.java index 53df9fb..16d0e66 100644 --- a/common/rest-api/src/main/java/org/apache/syncope/common/rest/api/beans/ConnObjectTOListQuery.java +++ b/common/rest-api/src/main/java/org/apache/syncope/common/rest/api/beans/ConnObjectTOListQuery.java @@ -19,6 +19,7 @@ package org.apache.syncope.common.rest.api.beans; import java.io.Serializable; +import javax.validation.constraints.Max; import javax.validation.constraints.Min; import javax.ws.rs.DefaultValue; import javax.ws.rs.QueryParam; 
@@ -32,6 +33,8 @@ public class ConnObjectTOListQuery implements Serializable { private static final long serialVersionUID = -371488230250055359L; + private static final int MAX_SIZE = 100; + public static class Builder { private final ConnObjectTOListQuery instance = new ConnObjectTOListQuery(); @@ -64,10 +67,15 @@ public class ConnObjectTOListQuery implements Serializable { private String orderBy; public Integer getSize() { - return size; + return size == null + ? 25 + : size > MAX_SIZE + ? MAX_SIZE + : size; } @Min(1) + @Max(MAX_SIZE) @QueryParam(JAXRSService.PARAM_SIZE) @DefaultValue("25") public void setSize(final Integer size) { http://git-wip-us.apache.org/repos/asf/syncope/blob/9d15e6f1/core/logic/src/main/java/org/apache/syncope/core/logic/ResourceLogic.java ---------------------------------------------------------------------- diff --git a/core/logic/src/main/java/org/apache/syncope/core/logic/ResourceLogic.java b/core/logic/src/main/java/org/apache/syncope/core/logic/ResourceLogic.java index 34d9544..915d8ff 100644 --- a/core/logic/src/main/java/org/apache/syncope/core/logic/ResourceLogic.java +++ b/core/logic/src/main/java/org/apache/syncope/core/logic/ResourceLogic.java @@ -77,8 +77,6 @@ import org.springframework.transaction.annotation.Transactional; @Component public class ResourceLogic extends AbstractTransactionalLogic<ResourceTO> { - private static final transient int MAX_CONNOBJ_SEARCH_SIZE = 1000; - @Autowired private ExternalResourceDAO resourceDAO; 
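Review bot: In the `getSize()`/`setSize()` hunk of ConnObjectTOListQuery, the getter enforces only the upper bound, so the lower bound depends entirely on Bean Validation running for `@Min(1)`. On any path where validation is not active (none is visible in this diff), a zero or negative size is returned unchanged. The getter also silently clamps values above `MAX_SIZE`, while `@Max(MAX_SIZE)` on the setter would reject them, and it repeats the literal 25 from `@DefaultValue("25")`. I would settle on one behaviour and bound both ends in the getter, e.g. `return size == null ? DEFAULT_SIZE : Math.max(1, Math.min(size, MAX_SIZE));` with `private static final int DEFAULT_SIZE = 25;`. A one-line comment on `MAX_SIZE` should say it is now the ceiling for connector-object listing, replacing the 1000-object limit removed from ResourceLogic; the class body continues outside these hunks.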
@@ -320,7 +318,7 @@ public class ResourceLogic extends AbstractTransactionalLogic<ResourceTO> { @PreAuthorize("hasRole('" + StandardEntitlement.RESOURCE_LIST_CONNOBJECT + "')") @Transactional(readOnly = true) public Pair<SearchResult, List<ConnObjectTO>> listConnObjects(final String key, final String anyTypeKey, - final Integer size, final String pagedResultsCookie, final List<OrderByClause> orderBy) { + final int size, final String pagedResultsCookie, final List<OrderByClause> orderBy) { Triple<ExternalResource, AnyType, Provision> init = connObjectInit(key, anyTypeKey); @@ -349,9 +347,9 @@ public class ResourceLogic extends AbstractTransactionalLogic<ResourceTO> { @Override public boolean handle(final ConnectorObject connectorObject) { connObjects.add(connObjectUtils.getConnObjectTO(connectorObject)); - // provide safety approach in case of pagination not supported or not required (SYNCOPE-829 reworking) + // safety protection against uncontrolled result size count++; - return count < MAX_CONNOBJ_SEARCH_SIZE; + return count < size; } }, size, pagedResultsCookie, orderBy, mapItems);
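Review bot: With `MAX_CONNOBJ_SEARCH_SIZE` removed, the results handler in `listConnObjects` stops at `count < size`, where `size` is whatever the caller passed, so the logic layer no longer has a ceiling of its own. Any caller that does not go through `ConnObjectTOListQuery.getSize()` (none is visible in this diff) could make the connector return an arbitrarily large result that is then held in `connObjects`. I would keep a defensive bound here as well, e.g. `return count < Math.min(size, MAX_CONNOBJ_SEARCH_SIZE);`, or reject out-of-range values at the top of the method. The `Integer` to `int` change in the signature hunk above also means a null argument now fails by unboxing at the call site instead of inside the method. The method body continues outside these hunks.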