[
https://issues.apache.org/jira/browse/WICKET-3974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Martin Grigorov updated WICKET-3974:
------------------------------------

    Fix Version/s: 1.6.0
         Assignee: Martin Grigorov

It's an API break (minor) so it will have to wait for the next major release.

> Wicket-auth annotation always denies access if the deny list is empty
> ---------------------------------------------------------------------
>
> Key: WICKET-3974
> URL: https://issues.apache.org/jira/browse/WICKET-3974
> Project: Wicket
> Issue Type: Bug
> Components: wicket-auth-roles
> Affects Versions: 1.4.17
> Reporter: Mathieu Marcotte-Gagnon
> Assignee: Martin Grigorov
> Fix For: 1.6.0
>
> Attachments: WICKET-3974.patch, WICKET-3974.patch
>
>
> I am developing a web application that uses the wicket-auth framework 1.4.17,
> more specifically the following class:
> org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy
> and I am experiencing an issue that I think might be a bug (but I'm not sure,
> it might be that I'm doing something wrong). I am using an annotation like
> below:
>     @AuthorizeAction(action = ..., roles = ...)
> However I have found that I am always denied access to the page. I have
> traced the reason of the access to the following code, in method "check" of
> the above class:
>     if (hasAny(new Roles(authorizeActionAnnotation.deny())))
>     {
>         return false;
>     }
> The deny list returned by "authorizeActionAnnotation.deny()" is empty,
> therefore "hasAny" always returns true, which means that when the deny list
> is empty you are always denied access to the page!
> Maybe it's a feature but it sounds counter-intuitive to me :) Using the
> following annotation did fix the issue:
>     @AuthorizeAction(action = ..., deny="dummyRoleToDeny", roles = ...)
> I posted this on the mailing list and obtained confirmation that this seems
> to be an incorrect check, and not a misunderstanding on my part.
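
The behaviour described in the report, as an added example that is neither Wicket source nor the attached patch: a stand-alone Java model in which `hasAny` treats an empty role set as a match, with the deny check as quoted next to a guarded variant. The class name, the helper names and the guarded check are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical model of the allow/deny check from the report; not Wicket code.
public class DenyListCheckDemo {

    // Models the reported behaviour: an empty role set counts as a match.
    static boolean hasAny(Set<String> required, Set<String> userRoles) {
        return required.isEmpty() || !Collections.disjoint(required, userRoles);
    }

    // Deny check as quoted in the report: an empty deny list denies everyone.
    static boolean checkAsReported(Set<String> allow, Set<String> deny, Set<String> user) {
        if (hasAny(deny, user)) {
            return false;
        }
        return hasAny(allow, user);
    }

    // Assumed correction: only a role that is explicitly listed can deny.
    static boolean checkGuarded(Set<String> allow, Set<String> deny, Set<String> user) {
        if (!deny.isEmpty() && hasAny(deny, user)) {
            return false;
        }
        return hasAny(allow, user);
    }

    static Set<String> roles(String... names) {
        return new HashSet<>(Arrays.asList(names));
    }

    static void expect(boolean actual, boolean wanted, String label) {
        if (actual != wanted) {
            throw new AssertionError(label);
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed sample roles; "dummyRoleToDeny" is the workaround value from the report.
        Set<String> allow = roles("ADMIN"), user = roles("ADMIN"), noDeny = roles();
        expect(checkAsReported(allow, noDeny, user), false, "reported check, empty deny");
        expect(checkAsReported(allow, roles("dummyRoleToDeny"), user), true, "reported check, dummy deny");
        expect(checkGuarded(allow, noDeny, user), true, "guarded check, empty deny");
        expect(checkGuarded(allow, roles("ADMIN"), user), false, "guarded check, role denied");
    }
}
```

The last case confirms that guarding the empty list does not weaken the check: a role that is explicitly denied is still refused even when it also appears in the allow list.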