Peter Kriens created SHIRO-629:
----------------------------------
Summary: WildcardPermission syntax
Key: SHIRO-629
URL: https://issues.apache.org/jira/browse/SHIRO-629
Project: Shiro
Issue Type: Question
Components: Authorization (access control)
Reporter: Peter Kriens
Priority: Critical
While looking at the WildcardPermission I see it allows a much wider range of
usage than used in all the examples I've seen. Looking at the implementation I
notice it is not verifying. I also noted that there is no escaping for matching
the [*:,] tokens in the target permission. I think the examples follow the
grammar like:
permission ::= part ( ':' part ) *
part ::= wildcard | options
wildcard ::= '*'
options ::= literal ( ',' literal )
literal ::= [^*:,]+
This should disallow permissions like "abc*def", "abc:def,*:foo", "abc:",
"x:::::::::::::::". However, the implementation seems to more or less allow
anything without warnings or errors. Is this intentional?
Last, the implementation looks quite expensive since it requires for each
construction numerous lists, sets, and arrays. It also executes n*m regular
expression operations for the split. Since the target permission could be
constructed frequently, because it contains the parameters, this is imho very
costly.
Therefore it would be nice to have a formal grammar including the character set and
escaping.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
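A strict, validating parser for the grammar proposed in the issue, added here as an illustration; it is not Shiro's WildcardPermission and is not code from the reporter. It makes three assumptions that the post leaves open: the `options` rule repeats (a `*` after the parenthesised group, which the post's grammar omits, since the examples use parts such as `edit,view`), a backslash escapes the next character so `:`, `,` and `*` can appear inside a literal (the post asks for escaping but fixes no syntax), and parts are compared case-sensitively (Shiro lowercases by default). `implies()` applies the usual Shiro wildcard rules to the parsed parts: missing trailing parts act as wildcards, and a part implies another when the other's literals are a subset of its own.

```python
# Grammar from the issue, with the assumed repetition on `options` marked:
#   permission ::= part ( ':' part )*
#   part       ::= wildcard | options
#   wildcard   ::= '*'
#   options    ::= literal ( ',' literal )*     <- trailing '*' is an assumption
#   literal    ::= [^*:,]+                      <- plus backslash escapes (assumption)

WILDCARD = "*"  # sentinel for a wildcard part; options parts are frozensets


class PermissionSyntaxError(ValueError):
    """Raised for any string the grammar above does not produce."""


def _parse_literal(text: str, pos: int):
    """Consume one literal starting at `pos`; return (literal, new_pos)."""
    chars = []
    while pos < len(text):
        ch = text[pos]
        if ch == "\\":  # escape: next character is taken verbatim
            if pos + 1 >= len(text):
                raise PermissionSyntaxError(f"dangling escape at end of {text!r}")
            chars.append(text[pos + 1])
            pos += 2
        elif ch in "*:,":  # unescaped token ends the literal
            break
        else:
            chars.append(ch)
            pos += 1
    if not chars:
        raise PermissionSyntaxError(f"expected literal at offset {pos} in {text!r}")
    return "".join(chars), pos


def _parse_part(text: str, pos: int):
    """Consume one part (wildcard or comma-separated options); return (part, new_pos)."""
    if pos < len(text) and text[pos] == "*":
        return WILDCARD, pos + 1
    literals = set()
    while True:
        literal, pos = _parse_literal(text, pos)
        literals.add(literal)
        if pos < len(text) and text[pos] == ",":
            pos += 1  # another option follows
            continue
        return frozenset(literals), pos


def parse(text: str) -> list:
    """Parse a permission string into a list of parts, rejecting anything off-grammar."""
    if text == "":
        raise PermissionSyntaxError("empty permission")
    parts, pos = [], 0
    while True:
        part, pos = _parse_part(text, pos)
        parts.append(part)
        if pos == len(text):
            return parts
        if text[pos] != ":":
            raise PermissionSyntaxError(f"unexpected {text[pos]!r} at offset {pos} in {text!r}")
        pos += 1  # consume ':' and require another part


def is_valid(text: str) -> bool:
    """True if `text` conforms to the grammar, False otherwise (no exception)."""
    try:
        parse(text)
        return True
    except PermissionSyntaxError:
        return False


def implies(this: str, other: str) -> bool:
    """Shiro-style wildcard implication over the parsed parts of two permissions."""
    a, b = parse(this), parse(other)
    for i, bp in enumerate(b):
        if i >= len(a):
            return True  # `this` ran out of parts: missing parts act as wildcards
        ap = a[i]
        if ap is WILDCARD:
            continue
        if bp is WILDCARD or not bp <= ap:
            return False  # a wildcard is only implied by a wildcard; literals must be a subset
    return all(ap is WILDCARD for ap in a[len(b):])  # leftover parts of `this` must be '*'


# Strings the issue says a strict grammar should reject (taken from the post).
REJECTED_FROM_ISSUE = ["abc*def", "abc:def,*:foo", "abc:", "x:::::::::::::::"]

if __name__ == "__main__":
    for s in REJECTED_FROM_ISSUE:
        print(f"{s!r:22} valid={is_valid(s)}")
    print(parse(r"printer:query,print:lp\:7200"))  # escaped colon stays inside the literal
    print(implies("printer:*", "printer:print:lp7200"))
```

Run it as a script to see the four strings from the issue rejected and the escaped colon kept inside a literal; `implies()` is separate from the syntax check, so a caller can validate once at construction time and compare many times without re-splitting.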