== Why is this an issue? include::../description.adoc[] === Noncompliant code example In a Spring-security web application: * the ``++vote++`` method of an https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type is not compliant when it returns only an affirmative decision (``++ACCESS_GRANTED++``) or abstains to make a decision (``++ACCESS_ABSTAIN++``): [source,java] ---- public class WeakNightVoter implements AccessDecisionVoter { @Override public int vote(Authentication authentication, Object object, Collection collection) { // Noncompliant Calendar calendar = Calendar.getInstance(); int currentHour = calendar.get(Calendar.HOUR_OF_DAY); if(currentHour >= 8 && currentHour <= 19) { return ACCESS_GRANTED; // Noncompliant } // when users connect during the night, do not make decision return ACCESS_ABSTAIN; // Noncompliant } } ---- * the ``++hasPermission++`` method of a https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type is not compliant when it doesn't return ``++false++``: [source,java] ---- public class MyPermissionEvaluator implements PermissionEvaluator { @Override public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { //Getting subject Object user = authentication.getPrincipal(); if(user.getRole().equals(permission)) { return true; // Noncompliant } return true; // Noncompliant } } ---- === Compliant solution In a Spring-security web application: * the ``++vote++`` method of an https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type should return a negative decision (``++ACCESS_DENIED++``): [source,java] ---- public class StrongNightVoter implements AccessDecisionVoter { @Override public int vote(Authentication authentication, Object object, Collection collection) { Calendar calendar = Calendar.getInstance(); int currentHour = calendar.get(Calendar.HOUR_OF_DAY); if(currentHour >= 8 && currentHour <= 19) { return ACCESS_GRANTED; } // users are not allowed to connect during the night return ACCESS_DENIED; // Compliant } } ---- * the ``++hasPermission++`` method of a https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type should return ``++false++``: [source,java] ---- public class MyPermissionEvaluator implements PermissionEvaluator { @Override public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { //Getting subject Object user = authentication.getPrincipal(); if(user.getRole().equals(permission)) { return true; } return false; // Compliant } } ---- === Exceptions No issue is reported when the method throws an exception as it might be used to indicate a strong decision. include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] endif::env-github,rspecator-view[]