ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5808/java/rule.adoc
Alban Auzeill 0329b1564c Add rules 5000-5999
2020-06-30 17:16:12 +02:00

83 lines
3.1 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
== Noncompliant Code Example
In a Spring-security web application:
* the <code>vote</code> method of an https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type is not compliant when it returns only an affirmative decision (<code>ACCESS_GRANTED</code>) or abstains to make a decision (<code>ACCESS_ABSTAIN</code>):
----
public class WeakNightVoter implements AccessDecisionVoter {
@Override
public int vote(Authentication authentication, Object object, Collection collection) { // Noncompliant
Calendar calendar = Calendar.getInstance();
int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
if(currentHour >= 8 && currentHour <= 19) {
return ACCESS_GRANTED; // Noncompliant
}
// when employees connect during the night, do not make decision
return ACCESS_ABSTAIN; // Noncompliant
}
}
----
* the <code>hasPermission</code> method of an https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type is not compliant when it doesn't return <code>false</code>:
----
public class MyPermissionEvaluator implements PermissionEvaluator {
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
//Getting subject
Object user = authentication.getPrincipal();
if(user.getRole().equals(permission)) {
return true; // Noncompliant
}
return true; // Noncompliant
}
}
----
== Compliant Solution
In a Spring-security web application:
* the <code>vote</code> method of a https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type should return a negative decision (<code>ACCESS_DENIED</code>):
----
public class StrongNightVoter implements AccessDecisionVoter {
@Override
public int vote(Authentication authentication, Object object, Collection collection) {
Calendar calendar = Calendar.getInstance();
int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
if(currentHour >= 8 && currentHour <= 19) {
return ACCESS_GRANTED;
}
// employees are not allowed to connect during the night
return ACCESS_DENIED; // Compliant
}
}
----
* the <code>hasPermission</code> method of an https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type should return <code>false</code>:
----
public class MyPermissionEvaluator implements PermissionEvaluator {
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
//Getting subject
Object user = authentication.getPrincipal();
if(user.getRole().equals(permission)) {
return true;
}
return false; // Compliant
}
}
----
include::../see.adoc[]
Reference in New Issue View Git Blame Copy Permalink