[ https://issues.apache.org/jira/browse/WICKET-3974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-3974.
-------------------------------------

    Resolution: Fixed
    
> Wicket-auth annotation always denies access if the deny list is empty
> ---------------------------------------------------------------------
>
>                 Key: WICKET-3974
>                 URL: https://issues.apache.org/jira/browse/WICKET-3974
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-auth-roles
>    Affects Versions: 1.4.17
>            Reporter: Mathieu Marcotte-Gagnon
>            Assignee: Martin Grigorov
>             Fix For: 6.0.0
>
>         Attachments: WICKET-3974.patch, WICKET-3974.patch
>
>
> I am developing a web application that uses the wicket-auth framework 1.4.17,
> more specifically the following class:
> org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy
> and I am experiencing an issue that I think might be a bug (but I'm not sure,
> it might be that I'm doing something wrong). I am using an annotation like below:
>       @AuthorizeAction(action = ..., roles = ...)
> However, I have found that I am always denied access to the page. I have
> traced the reason for the denied access to the following code, in method
> "check" of the above class:
>       if (hasAny(new Roles(authorizeActionAnnotation.deny())))
>       {
>               return false;
>       }
> The deny list returned by "authorizeActionAnnotation.deny()" is empty,
> therefore "hasAny" always returns true, which means that when the deny list
> is empty you are always denied access to the page!
> Maybe it's a feature but it sounds counter-intuitive to me :) Using the
> following annotation did fix the issue:
>       @AuthorizeAction(action = ..., deny="dummyRoleToDeny", roles = ...)
> I posted this on the mailing list and obtained confirmation that this seems
> to be an incorrect check, and not a misunderstanding on my part.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
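The reported check and its corrected form, as an added example that is not Wicket's own code: it models the semantics the report relies on (an empty role set makes hasAny() answer true, because "no roles listed" means "no restriction" for the allow list) and shows why the same helper must not be applied unguarded to the deny list. The session roles, the simplified hasAny() and the two check methods are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not Wicket's code. Models the wicket-auth-roles check
// from WICKET-3974 so the empty-deny-list behaviour can be observed directly.
public class DenyListCheck {

    // Roles held by the current session (assumed; stands in for the
    // role-checking strategy Wicket consults).
    static Set<String> sessionRoles = new HashSet<>(Arrays.asList("USER"));

    // Assumed semantics, as described in the report: an empty role set is
    // treated as "no restriction", so hasAny() answers true for it.
    static boolean hasAny(Set<String> roles) {
        if (roles.isEmpty()) {
            return true;
        }
        for (String role : roles) {
            if (sessionRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    // The check as reported: an empty deny list makes hasAny() true,
    // so every caller is denied before the allow list is even consulted.
    static boolean checkBuggy(Set<String> deny, Set<String> allow) {
        if (hasAny(deny)) {
            return false;
        }
        return hasAny(allow);
    }

    // Corrected form: the deny list only matters when it actually names roles.
    static boolean checkFixed(Set<String> deny, Set<String> allow) {
        if (!deny.isEmpty() && hasAny(deny)) {
            return false;
        }
        return hasAny(allow);
    }

    public static void main(String[] args) {
        Set<String> noDeny = new HashSet<>();
        Set<String> allowUser = new HashSet<>(Arrays.asList("USER"));
        Set<String> denyUser = new HashSet<>(Arrays.asList("USER"));
        System.out.println("buggy check, empty deny list : " + checkBuggy(noDeny, allowUser));
        System.out.println("fixed check, empty deny list : " + checkFixed(noDeny, allowUser));
        System.out.println("fixed check, USER on deny list: " + checkFixed(denyUser, allowUser));
    }
}
```

The same "empty means unrestricted" convention is safe for an allow list but inverts into "deny everyone" when reused for a deny list, which is the defect the report describes.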
