rspec/rules/S5808/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

In a Spring-security web application:

* the <code>vote</code> method of an https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type is not compliant when it returns only an affirmative decision (<code>ACCESS_GRANTED</code>) or abstains to make a decision (<code>ACCESS_ABSTAIN</code>):

----
public class WeakNightVoter implements AccessDecisionVoter {
    @Override
    public int vote(Authentication authentication, Object object, Collection collection) {  // Noncompliant

      Calendar calendar = Calendar.getInstance();

      int currentHour = calendar.get(Calendar.HOUR_OF_DAY);

      if(currentHour >= 8 && currentHour <= 19) {
        return ACCESS_GRANTED; // Noncompliant
      }

      // when employees connect during the night, do not make decision
      return ACCESS_ABSTAIN; // Noncompliant
    }
}
----

* the <code>hasPermission</code> method of an https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type is not compliant when it doesn't return <code>false</code>:

----
public class MyPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        //Getting subject
        Object user = authentication.getPrincipal();

        if(user.getRole().equals(permission)) {
              return true; // Noncompliant
        }

        return true;  // Noncompliant
    }
} 
----

== Compliant Solution

In a Spring-security web application:

* the <code>vote</code> method of a https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type should return a negative decision (<code>ACCESS_DENIED</code>):

----
public class StrongNightVoter implements AccessDecisionVoter {
    @Override
    public int vote(Authentication authentication, Object object, Collection collection) {

      Calendar calendar = Calendar.getInstance();

      int currentHour = calendar.get(Calendar.HOUR_OF_DAY);

      if(currentHour >= 8 && currentHour <= 19) {
        return ACCESS_GRANTED;
      }

      // employees are not allowed to connect during the night
      return ACCESS_DENIED; // Compliant
    }
}
----

* the <code>hasPermission</code> method of an https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type should return <code>false</code>:

----
public class MyPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        //Getting subject
        Object user = authentication.getPrincipal();

        if(user.getRole().equals(permission)) {
              return true;
        }

        return false; // Compliant
    }
} 
----

include::../see.adoc[]