Hi

2014-03-17 8:38 GMT-07:00 Mike Müller <[email protected]>:

> Hi
>
> I think this is insecure by design and not correct:
> The problem is not that we do grant access if no ResourceAccessGate is
> registered for application context. The problem is that we grant access
> also if there is a ResourceAccessGate registered for application level but
> it does return GateResult.DONTCARE. In this case no access should be granted,
> as we do on provider context.
> To see that actual wrong implementation in action have a look at the
> integration test in
> SecuredProviderResourceAccessSecurityTest#testUpdateDeniedUpdateAllowedRead:
> Here only READ is granted but not UPDATE. But because there are also
> registered ResourceAccessGates for application levels the access would be
> granted for update anyway if no application ResourceAccessGate denies
> updates (per default they only return GateResult.DONTCARE).
> There's no disadvantage if we do not grant access if no ResourceAccessGate
> returns GateResult.GRANT. Because in the case if no ResourceAccessGate is
> defined we do not have a registered ResourceAccessSecurity service for
> the application level.
> So IMHO we definitively have to change this behaviour to act similar as in
> the provider context.
>

Ah, thanks, got it now. I think either way is a little bit strange. I guess
we all agree that if there is no application RAG, the resource is accessible
(leaving out the provider RAG for now). Then you add an application RAG which
says "DONTCARE" and all of a sudden the resource is not visible anymore. This
seems to contradict the term "DONTCARE" a little bit. I think DONTCARE means
you get the same result as if this check wasn't done, and in the case of the
application RAG that is: access is granted.

Regards
Carsten

> Best regards
> mike
>
>
> > -----Original Message-----
> > From: Carsten Ziegeler [mailto:[email protected]]
> > Sent: Monday, March 17, 2014 3:35 PM
> > To: [email protected]
> > Subject: Re: [RT] Make ResourceAccessSecurity always restrict access if
> > installed and no ResourceAccessGate present
> >
> > Yes, I think my first answer was wrong (Note to myself, don't answer mails
> > after long distance travels...) and you're right. The difference between
> > provider and application type is exactly that.
> > If there is no provider RAS and the provider does not declare to require
> > one, the resource is visible. Same with application type, but also if
> > application RAS is there but doesn't restrict it.
> >
> > Carsten
> >
> >
> > 2014-03-17 3:09 GMT-07:00 Marius Petria <[email protected]>:
> >
> > > > > Furthermore the implementation of the ResourceAccessSecurity for
> > > > > the provider context does not behave like the one for the
> > > > > application context: If we for example check the read access for
> > > > > a resource the implementation calls all ResourceAccessGates till
> > > > > a gate is found which grants read access. That's correct but only
> > > > > done in the provider context.
> > > > > In the application context the implementation also calls all
> > > > > ResourceAccessGates till a gate is found which grants read access.
> > > > > But if no gate is found which grants read access and there's also
> > > > > no gate which denies access (returns GateResult.DONTCARE), access
> > > > > will be granted. This seems wrong in terms of security. The two
> > > > > implementations for provider context and application context
> > > > > should behave the same. With the only difference that
> > > > > ResourceResolver will ignore the application context if the
> > > > > service could not be found.
> > >
> > > I thought the difference in defaults between application scoped access
> > > security and provider scoped is intended.
> > > Provider scoped access security is requested by the resource provider
> > > itself using USE_RESOURCE_ACCESS_SECURITY, so it makes sense to deny
> > > access if no gate is present because the provider really cares about
> > > security.
> > >
> > > However, the application scoped access security is requested by the
> > > one that installs a gate, so it should only restrict access if the
> > > gate is present, as the provider does not really care about security.
> > >
> > > Or, am I understanding it wrong?
> > >
> > > Marius
> > >
> > >
> > >
> > --
> > Carsten Ziegeler
> > [email protected]
>

--
Carsten Ziegeler
[email protected]
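
The three decision rules discussed in this thread, side by side, as an added example that is not part of the original mails and is not Sling's own code. The class, the method names and the DENY constant are assumptions made for illustration, and each gate set is reduced to the list of results its gates return.

```java
import java.util.List;

public class GateDecisionDemo {
    // Local stand-in for the results named in the thread (DENY is an assumed
    // name); this is not Sling's own enum.
    enum GateResult { GRANT, DENY, DONTCARE }

    // Provider context as described in the thread: allowed only if some gate grants.
    static boolean provider(List<GateResult> r) {
        return r.contains(GateResult.GRANT);
    }

    // Application context as described: a grant wins, a deny without any grant
    // refuses, and anything else (no gates, or only DONTCARE) is allowed.
    static boolean applicationCurrent(List<GateResult> r) {
        return r.contains(GateResult.GRANT) || !r.contains(GateResult.DENY);
    }

    // The change proposed in the thread, as read here: once at least one
    // application gate is registered, decide like the provider context;
    // with no gate at all the check is skipped and access stays open.
    static boolean applicationProposed(List<GateResult> r) {
        return r.isEmpty() || r.contains(GateResult.GRANT);
    }

    public static void main(String[] args) {
        // Constructed inputs: the results returned by the registered gates.
        List<List<GateResult>> cases = List.of(
            List.<GateResult>of(),
            List.of(GateResult.DONTCARE),
            List.of(GateResult.DONTCARE, GateResult.DENY),
            List.of(GateResult.DONTCARE, GateResult.GRANT));
        System.out.printf("%-20s %-9s %-12s %-12s%n",
            "gate results", "provider", "app-current", "app-proposed");
        for (List<GateResult> c : cases) {
            System.out.printf("%-20s %-9s %-12s %-12s%n", c,
                provider(c), applicationCurrent(c), applicationProposed(c));
        }
    }
}
```

The only row where the current and proposed application rules differ is the all-DONTCARE one, which is the case the two positions in the thread disagree about.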
