[ https://issues.apache.org/jira/browse/FC-120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14802979#comment-14802979 ]

Shawn McKinney commented on FC-120:
-----------------------------------

The concern is that the invocation of 'canAssign' inside the method 
AdminMgr.assignUser quietly returns if the admin user's session is not set:

    @Override
    public void assignUser( UserRole uRole ) throws SecurityException
    {
        ...
        String methodName = "assignUser";
        AdminUtil.canAssign( uRole.getAdminSession(), user, role, contextId );

This is by design.  The fortress adminmgr and reviewmgr apis automatically 
perform ARBAC style checking iff the caller set the admin user's session before 
invocation.  This checking includes:

1. calls checkAccess to see if the admin user has the administrative permission 
that corresponds to the method
2. calls canAssign/canDeassign, canGrant/canRevoke

The situation you describe here is the caller did not set the session so the 
adminmgr method can't perform the ARBAC checks listed above.

In this scenario, if you want to do this check without following the step 
above, you simply call the method DelAccessMgr.canAssign directly before 
making the call to assignUser.

> Fortress API allows any user role assignment if admin session is null
> ---------------------------------------------------------------------
>
>                 Key: FC-120
>                 URL: https://issues.apache.org/jira/browse/FC-120
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC41
>            Reporter: Chris Pike
>            Priority: Critical
>
> This may be a misunderstanding on my part, but in line 65 of AdminUtil, if a 
> null session is passed in it doesn't perform a canAssign check. It looks like 
> the setEntitySession method on line 568 of admin manager impl also does some 
> sort of check, but I can get around this by setting admin session to null in 
> admin manager. 
> // the user the admin manager is acting on behalf of, who has no ARBAC permissions
> User user = new User("testuser1");    
> Session session = new Session(user);          
> adminManager = AdminMgrFactory.createInstance(session);
> adminManager.setAdmin(null);
> UserRole userRole = new UserRole("fortress-web-super-user");
> userRole.setUserId("testuser1");
> adminManager.assignUser(userRole);



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
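The pattern the comment recommends, written out as an added example (this is not code from the Fortress project or from either participant in the thread): the caller runs DelAccessMgr.canAssign itself and refuses outright when no admin session exists, before handing the assignment to AdminMgr.assignUser. It assumes the 1.x core API (org.apache.directory.fortress.core, with the entity classes in the rbac package; later releases moved them to the model package), the default HOME context, and a hypothetical admin account "demoadmin" with password "password" that holds an admin role permitted to assign the role from the report. The user and role names are taken from the report.

```java
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.rbac.Role;
import org.apache.directory.fortress.core.rbac.Session;
import org.apache.directory.fortress.core.rbac.User;
import org.apache.directory.fortress.core.rbac.UserRole;

/**
 * Added example, not Fortress project code: assign a role only after an
 * explicit ARBAC canAssign check, and fail closed when there is no admin
 * session. Package layout assumes the 1.x "rbac" entity package.
 */
public class GuardedAssign
{
    /**
     * Refuses the assignment unless an admin session is present AND
     * DelAccessMgr.canAssign approves it. Only then is AdminMgr.assignUser
     * called, with the admin session set so its own ARBAC checks also run.
     */
    public static void assignWithArbacCheck( Session adminSession, String userId, String roleName )
        throws SecurityException
    {
        if ( adminSession == null )
        {
            // Fail closed: with a null admin session AdminMgr.assignUser skips
            // the ARBAC checks entirely, so a caller without a session must
            // never reach it. (Exception type is this example's choice.)
            throw new IllegalStateException( "admin session required for role assignment" );
        }

        User user = new User( userId );
        Role role = new Role( roleName );

        // Explicit check, independent of whether the AdminMgr instance has
        // the admin session set. canAssign returns false when the admin's
        // active admin roles do not cover this user/role combination.
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance( GlobalIds.HOME );
        if ( !delAccessMgr.canAssign( adminSession, user, role ) )
        {
            throw new IllegalStateException( "ARBAC canAssign denied: "
                + adminSession.getUserId() + " may not assign " + roleName + " to " + userId );
        }

        // Set the admin session on the manager: with it present, assignUser
        // performs checkAccess and canAssign itself, as described in the comment.
        AdminMgr adminMgr = AdminMgrFactory.createInstance( GlobalIds.HOME );
        adminMgr.setAdmin( adminSession );
        adminMgr.assignUser( new UserRole( userId, roleName ) );
    }

    public static void main( String[] args ) throws SecurityException
    {
        // Assumed admin credentials; the session is created through AccessMgr
        // so it is authenticated, not hand-built with new Session(user).
        AccessMgr accessMgr = AccessMgrFactory.createInstance( GlobalIds.HOME );
        User admin = new User( "demoadmin", "password".toCharArray() );
        Session adminSession = accessMgr.createSession( admin, false );

        // User and role names from the report.
        assignWithArbacCheck( adminSession, "testuser1", "fortress-web-super-user" );
    }
}
```

The point of checking twice is that the first check belongs to the caller and cannot be switched off by whatever state the AdminMgr instance happens to be in, while the second is the library's own check that only runs once setAdmin has been called. A null session is treated as a hard error rather than passed through, because passing it through is exactly the path the report exercised.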