Stephen Colebourne created SHIRO-495:
----------------------------------------
Summary: AuthorizingRealm permission matching hard to override
Key: SHIRO-495
URL: https://issues.apache.org/jira/browse/SHIRO-495
Project: Shiro
Issue Type: Bug
Components: Realms
Affects Versions: 1.2.3
Reporter: Stephen Colebourne
The class {{AuthorizingRealm}} implements the Authorizer interface. That
interface defines 10 permission-based methods which are all implemented to
delegate down to a single {{isPermitted(Permission,AuthorizationInfo)}} method.
Unfortunately, the {{isPermitted(Permission,AuthorizationInfo)}} method is
defined as private. As such, subclass {{Realm}} implementations cannot override
the permission evaluation to implement their own logic (which I want to do
right now).
There is no security issue with making the method protected, as it is possible
to override each of the 10 public methods in the subclass. Its simply the case
that overriding 10 methods to behave exactly the same as {{AuthorizingRealm}}
simply because the single central method is not protected is dumb.
Please change the {{isPermitted(Permission,AuthorizationInfo)}} method from
private scope to protected scope. I would provide a patch, but its such a
simple change its just not worth it ;-) I've classified it as a bug because it
looks like a simple oversight when reviewing the rest of the class.
The workaround is to define implementations of {{Permission}} and
{{PermissionResolver}}, which is a more complex solution.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
