Wicket-auth annotation always denies access if the deny list is empty
---------------------------------------------------------------------

                 Key: WICKET-3974
                 URL: https://issues.apache.org/jira/browse/WICKET-3974
             Project: Wicket
          Issue Type: Bug
          Components: wicket-auth-roles
    Affects Versions: 1.4.17
            Reporter: Mathieu Marcotte-Gagnon


I am developing a web application that uses the wicket-auth framework 1.4.17,
more specifically the following class:

org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy

and I am experiencing an issue that I think might be a bug (but I'm not sure,
it might be that I'm doing something wrong). I am using an annotation like
below:

        @AuthorizeAction(action = ..., roles = ...)

However, I have found that I am always denied access to the page. I have traced
the reason of the access to the following code, in method "check" of the above
class:

        if (hasAny(new Roles(authorizeActionAnnotation.deny())))
        {
                return false;
        }

The deny list returned by "authorizeActionAnnotation.deny()" is empty,
therefore "hasAny" always returns true, which means that when the deny list is
empty you are always denied access to the page!

Maybe it's a feature, but it sounds counter-intuitive to me :) Using the
following annotation did fix the issue:

        @AuthorizeAction(action = ..., deny="dummyRoleToDeny", roles = ...)

I posted this on the mailing list and obtained confirmation that this seems to
be an incorrect check, and not a misunderstanding on my part.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
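
The behaviour described in this report, as an added example that is not part of
the original message and is not Wicket's source code: a small stand-alone model
of the deny check, next to a variant that treats an empty deny list as "deny
nobody". The class name, method names, the allow-list step and the sample roles
are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Simplified model of the check described in the report. All names here are
// hypothetical; this is not the wicket-auth-roles implementation.
public class EmptyDenyListDemo {

    // Assumption taken from the report: hasAny returns true for an empty role set.
    static boolean hasAny(Set<String> userRoles, Set<String> wanted) {
        if (wanted.isEmpty()) {
            return true;
        }
        for (String role : wanted) {
            if (userRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    // Reported behaviour: the deny list is passed to hasAny without a guard.
    static boolean checkAsReported(Set<String> user, Set<String> allow, Set<String> deny) {
        if (hasAny(user, deny)) {
            return false;
        }
        return hasAny(user, allow); // allow-list step is assumed for the model
    }

    // Guarded variant: only a non-empty deny list can deny access.
    static boolean checkGuarded(Set<String> user, Set<String> allow, Set<String> deny) {
        if (!deny.isEmpty() && hasAny(user, deny)) {
            return false;
        }
        return hasAny(user, allow);
    }

    static Set<String> roles(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        Set<String> user = roles("ADMIN");   // constructed sample session roles
        Set<String> allow = roles("ADMIN");  // constructed sample "roles = ..." value
        // Empty deny list, the case from the report.
        System.out.println("reported, empty deny:  " + checkAsReported(user, allow, roles()));
        // The reporter's workaround: a deny role nobody holds.
        System.out.println("reported, dummy deny:  " + checkAsReported(user, allow, roles("dummyRoleToDeny")));
        // Guarded check with an empty deny list, then with a deny role the user holds.
        System.out.println("guarded, empty deny:   " + checkGuarded(user, allow, roles()));
        System.out.println("guarded, matched deny: " + checkGuarded(roles("ADMIN", "BANNED"), allow, roles("BANNED")));
    }
}
```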

        
