> the current implementation does actually this (if I read the code
> correctly) :)

Yes you're right, the implementation for this case is correct. Sorry for the confusion...

> If useRAS is set, but no Gate available, the resource is not returned.
> At least ProviderHandler#getReadableResource does this.
> But of course if this is not the case, then you're totally right and we
> need to change this.
>
> And I totally agree that provider and application context should behave
> similarly.
>
> Regards
> Carsten
>
>
> 2014-03-16 12:54 GMT-07:00 Mike Müller <[email protected]>:
>
> > Hi
> >
> > As I worked on SLING-3435 [1] and added some more tests I noticed that
> > even if resourceaccesssecurity is installed as a bundle the two
> > implementing classes ApplicationResourceAccessSecurityImpl (for
> > application context) and ProviderResourceAccessSecurityImpl (for
> > provider context) are only registered if there is at least one
> > ResourceAccessGate registered for the appropriate context.
> > The implementation of ResourceResolver itself only checks if there is
> > an implementation for ResourceAccessSecurity registered. If no such
> > service is available, ResourceResolver grants access for all
> > operations. That means, even if a ResourceProvider implementation sets
> > the useResourceAccessSecurity flag to true, access will be granted if
> > no ResourceAccessGate is registered for the provider context.
> >
> > I think this should be changed, because it makes
> > resourceaccesssecurity somewhat weak.
> > Imagine we do have a Mongo ResourceProvider with the
> > useResourceAccessSecurity flag set to true and we even have installed
> > the resourceaccesssecurity bundle.
> > Now we either forgot to install also a ResourceAccessGate implementation
> > or the bundle containing the gate is not started properly. With the
> > actual behaviour access will be granted on all resources from Mongo
> > ResourceProvider for all operations.
> > Even if the bundle with our ResourceAccessGate implementation is
> > started correctly but not the resourceaccesssecurity bundle we do have
> > the same problem.
> > I think this is wrong in terms of security.
> >
> > I suggest we should do the following:
> > - If a provider sets useResourceAccessSecurity flag to true we do not
> >   grant access to any Resource from this provider (for any operation) if
> >   ResourceAccessSecurity for the provider context can't be found.
> >
> > Furthermore the implementation of the ResourceAccessSecurity for the
> > provider context does not behave like the one for the application
> > context: If we for example check the read access for a resource the
> > implementation calls all ResourceAccessGates till a gate is found
> > which grants read access. That's correct but only done in the provider
> > context.
> > In the application context the implementation also calls all
> > ResourceAccessGates till a gate is found which grants read access. But
> > if no gate is found which grants read access and there's also no gate
> > which denies access (returns GateResult.DONTCARE), access will be
> > granted. This seems wrong in terms of security. The two
> > implementations for provider context and application context should
> > behave the same. With the only difference that ResourceResolver will
> > ignore the application context if the service could not be found.
> >
> > WDYT?
> >
> > Best regards
> > mike
> >
> > [1] https://issues.apache.org/jira/browse/SLING-3435
> >
> >
>
> --
> Carsten Ziegeler
> [email protected]
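
The read decision proposed in this thread, as an added example that is not part of the original messages and not Sling's own code: access is granted only on an explicit grant, and a provider that opted in gets no access when the security service cannot be found. The `Gate` interface, the `Optional` standing in for the service lookup, and all class and method names are hypothetical simplifications; the enum is a local stand-in in which `DONTCARE` is the value named in the thread.

```java
import java.util.List;
import java.util.Optional;

public class FailClosedGates {
    // Local stand-in enum; DONTCARE is the value named in the thread.
    enum GateResult { GRANTED, DENIED, DONTCARE }

    // Hypothetical, simplified gate: one read decision per resource path.
    interface Gate { GateResult canRead(String path); }

    // Deny by default: read is allowed only if some gate explicitly grants it.
    static boolean gatesAllowRead(List<Gate> gates, String path) {
        for (Gate gate : gates) {
            if (gate.canRead(path) == GateResult.GRANTED) {
                return true;
            }
        }
        return false; // no gates at all, or only DENIED / DONTCARE answers
    }

    // Provider context as proposed: opted-in provider plus missing service means no access.
    static boolean providerAllowsRead(boolean useRAS, Optional<List<Gate>> service, String path) {
        if (!useRAS) {
            return true; // provider did not opt in to gate checks
        }
        return service.map(gates -> gatesAllowRead(gates, path)).orElse(false);
    }

    // Application context as proposed: a missing service is ignored, otherwise the same rule.
    static boolean applicationAllowsRead(Optional<List<Gate>> service, String path) {
        return service.map(gates -> gatesAllowRead(gates, path)).orElse(true);
    }

    public static void main(String[] args) {
        String path = "/content/site/page"; // constructed sample path
        Gate undecided = p -> GateResult.DONTCARE;
        Gate contentReader = p -> p.startsWith("/content/") ? GateResult.GRANTED : GateResult.DONTCARE;

        System.out.println("provider, service missing:    "
                + providerAllowsRead(true, Optional.empty(), path));
        System.out.println("provider, only DONTCARE:      "
                + providerAllowsRead(true, Optional.of(List.of(undecided)), path));
        System.out.println("provider, one gate grants:    "
                + providerAllowsRead(true, Optional.of(List.of(undecided, contentReader)), path));
        System.out.println("application, service missing: "
                + applicationAllowsRead(Optional.empty(), path));
        System.out.println("application, only DONTCARE:   "
                + applicationAllowsRead(Optional.of(List.of(undecided)), path));
    }
}
```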
