[
https://issues.apache.org/jira/browse/WICKET-3974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Martin Grigorov updated WICKET-3974:
------------------------------------
Attachment: WICKET-3974.patch
Unfortunately the fix needs a small API break.
org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeAction.roles()
and #deny() have type String[] but their defaults for some reason are "". They
have to be {}, i.e. empty array, not empty string.
Is it OK to include this fix in 1.5 RC at least?
> Wicket-auth annotation always denies access if the deny list is empty
> ---------------------------------------------------------------------
>
> Key: WICKET-3974
> URL: https://issues.apache.org/jira/browse/WICKET-3974
> Project: Wicket
> Issue Type: Bug
> Components: wicket-auth-roles
> Affects Versions: 1.4.17
> Reporter: Mathieu Marcotte-Gagnon
> Attachments: WICKET-3974.patch
>
>
> I am developing a web application that uses the wicket-auth framework 1.4.17,
> more specifically the following class:
> org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy
> and I am experiencing an issue that I think might be a bug (but I'm not sure,
> it might be that I'm doing something wrong). I am using an annotation like below:
>
>     @AuthorizeAction(action = ..., roles = ...)
>
> However I have found that I am always denied access to the page. I have
> traced the reason of the access to the following code, in method "check" of
> the above class:
>
>     if (hasAny(new Roles(authorizeActionAnnotation.deny())))
>     {
>         return false;
>     }
>
> The deny list returned by "authorizeActionAnnotation.deny()" is empty,
> therefore "hasAny" always returns true, which means that when the deny list
> is empty you are always denied access to the page!
> Maybe it's a feature but it sounds counter-intuitive to me :) Using the
> following annotation did fix the issue:
>
>     @AuthorizeAction(action = ..., deny="dummyRoleToDeny", roles = ...)
>
> I posted this on the mailing list and obtained confirmation that this seems
> to be an incorrect check, and not a misunderstanding on my part.
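The failure mode discussed in this thread, as an added example that is not Wicket's code or the attached patch: a `String[]` annotation member whose default is `""` yields a one-element array rather than an empty one, and a deny check built on a "match anything when the list is empty" helper rejects every user. `Guard`, `toRoles`, `hasAny`, `checkAsReported` and `checkHardened` are hypothetical names, and `hasAny` models the behaviour the reporter describes rather than reproducing the library's source.

```java
import java.lang.annotation.*;
import java.util.*;
import java.util.stream.Collectors;

public class DenyListDemo {
    // Hypothetical stand-in for the annotation discussed above, not Wicket's source.
    @Retention(RetentionPolicy.RUNTIME)
    @interface Guard {
        String[] roles() default {};
        String[] deny() default "";   // String[] member with a "" default: the array [""]
    }

    @Guard(roles = "ADMIN") static class AdminPage {}
    @Guard(roles = "ADMIN", deny = "INTERN") static class PayrollPage {}

    // Drop blank entries so both [""] and [] mean "no roles listed".
    static Set<String> toRoles(String[] names) {
        return Arrays.stream(names).filter(n -> !n.isEmpty()).collect(Collectors.toSet());
    }

    // Assumption, modelled on the report: an empty list matches every user.
    static boolean hasAny(Set<String> userRoles, Set<String> listed) {
        return listed.isEmpty() || userRoles.stream().anyMatch(listed::contains);
    }

    // Shape of the check quoted in the report: the deny test fires on an empty list.
    static boolean checkAsReported(Set<String> user, Guard g) {
        if (hasAny(user, toRoles(g.deny()))) return false;
        return hasAny(user, toRoles(g.roles()));
    }

    // Hardened: an empty deny list denies nobody; only a real match rejects.
    static boolean checkHardened(Set<String> user, Guard g) {
        Set<String> deny = toRoles(g.deny());
        if (!deny.isEmpty() && hasAny(user, deny)) return false;
        return hasAny(user, toRoles(g.roles()));
    }

    public static void main(String[] args) {
        Guard admin = AdminPage.class.getAnnotation(Guard.class);
        Guard payroll = PayrollPage.class.getAnnotation(Guard.class);
        Set<String> adminUser = Set.of("ADMIN");           // constructed sample users
        Set<String> internAdmin = Set.of("ADMIN", "INTERN");
        System.out.println("default deny length:          " + admin.deny().length);
        System.out.println("as reported, ADMIN allowed:   " + checkAsReported(adminUser, admin));
        System.out.println("hardened, ADMIN allowed:      " + checkHardened(adminUser, admin));
        System.out.println("hardened, INTERN still denied: " + !checkHardened(internAdmin, payroll));
    }
}
```

The last line of output is the regression check worth keeping in a test suite: relaxing the empty-list case must not stop an explicitly listed deny role from being rejected.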