Hi,

the current implementation actually does this (if I read the code correctly) :) If useRAS is set, but no Gate is available, the resource is not returned. At least ProviderHandler#getReadableResource does this. But of course if this is not the case, then you're totally right and we need to change this.
And I totally agree that provider and application context should behave similarly.

Regards
Carsten

2014-03-16 12:54 GMT-07:00 Mike Müller <[email protected]>:

> Hi
>
> As I worked on SLING-3435 [1] and added some more tests I noticed that
> even if resourceaccesssecurity is installed as a bundle the two
> implementing classes ApplicationResourceAccessSecurityImpl (for
> application context) and ProviderResourceAccessSecurityImpl (for
> provider context) are only registered if there is at least one
> ResourceAccessGate registered for the appropriate context.
> The implementation of ResourceResolver itself only checks if there is an
> implementation for ResourceAccessSecurity registered. If no such service
> is available, ResourceResolver grants access for all operations. That
> means, even if a ResourceProvider implementation sets the
> useResourceAccessSecurity flag to true, access will be granted if no
> ResourceAccessGate is registered for the provider context.
>
> I think this should be changed, because it makes resourceaccesssecurity
> somewhat weak.
> Imagine we do have a Mongo ResourceProvider with the
> useResourceAccessSecurity flag set to true and we even have installed
> the resourceaccesssecurity bundle. Now we either forgot to install also
> a ResourceAccessGate implementation or the bundle containing the gate is
> not started properly. With the actual behaviour access will be granted
> on all resources from Mongo ResourceProvider for all operations.
> Even if the bundle with our ResourceAccessGate implementation is started
> correctly but not the resourceaccesssecurity bundle we do have the same
> problem.
> I think this is wrong in terms of security.
>
> I suggest we should do the following:
> - If a provider sets useResourceAccessSecurity flag to true we do not
>   grant access to any Resource from this provider (for any operation) if
>   ResourceAccessSecurity for the provider context can't be found.
>
> Furthermore the implementation of the ResourceAccessSecurity for the
> provider context does not behave like the one for the application
> context: If we for example check the read access for a resource the
> implementation calls all ResourceAccessGates till a gate is found which
> grants read access. That's correct but only done in the provider
> context.
> In the application context the implementation also calls all
> ResourceAccessGates till a gate is found which grants read access. But
> if no gate is found which grants read access and there's also no gate
> which denies access (returns GateResult.DONTCARE), access will be
> granted. This seems wrong in terms of security. The two implementations
> for provider context and application context should behave the same.
> With the only difference that ResourceResolver will ignore the
> application context if the service could not be found.
>
> WDYT?
>
> Best regards
> mike
>
> [1] https://issues.apache.org/jira/browse/SLING-3435
>

--
Carsten Ziegeler
[email protected]
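
The fail-closed behaviour proposed in this thread, as an added example that is not part of the original messages and is not Sling's code. It is a simplified model: the `Gate` interface, the method names and the sample path are assumptions made for illustration, and only the three `GateResult` outcomes and the `useResourceAccessSecurity` flag come from the discussion.

```java
import java.util.List;
import java.util.Optional;

/** Simplified model of the decision logic discussed in the thread; not Sling's code. */
public class FailClosedGateDemo {

    // The three outcomes as named in the thread.
    enum GateResult { GRANTED, DENIED, DONTCARE }

    // Hypothetical stand-in for the read check of a registered gate.
    interface Gate { GateResult canRead(String path); }

    /** Read access is allowed only when some gate explicitly grants it. */
    static boolean gatesAllowRead(List<Gate> gates, String path) {
        for (Gate gate : gates) {
            if (gate.canRead(path) == GateResult.GRANTED) {
                return true;
            }
        }
        // Only DENIED/DONTCARE answers, or no gates at all: deny.
        return false;
    }

    /**
     * Resolver-side check. An empty Optional models "no ResourceAccessSecurity
     * service is registered for the provider context".
     */
    static boolean providerReadAllowed(boolean useResourceAccessSecurity,
                                       Optional<List<Gate>> providerSecurity,
                                       String path) {
        if (!useResourceAccessSecurity) {
            return true; // provider did not opt in to gate checks
        }
        // Opted in but the service is missing: fail closed instead of granting.
        return providerSecurity.map(gates -> gatesAllowRead(gates, path)).orElse(false);
    }

    public static void main(String[] args) {
        String path = "/mongo/customers/1"; // constructed sample path
        Gate dontCare = p -> GateResult.DONTCARE;
        Gate grantMongo = p -> p.startsWith("/mongo/") ? GateResult.GRANTED : GateResult.DONTCARE;

        System.out.println("flag set, service missing: "
                + providerReadAllowed(true, Optional.empty(), path));
        System.out.println("flag set, only DONTCARE:   "
                + providerReadAllowed(true, Optional.of(List.of(dontCare)), path));
        System.out.println("flag set, one gate grants: "
                + providerReadAllowed(true, Optional.of(List.of(dontCare, grantMongo)), path));
        System.out.println("flag not set:              "
                + providerReadAllowed(false, Optional.empty(), path));
    }
}
```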
