ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5808/java/rule.adoc

101 lines
3.2 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
== Noncompliant Code Example
In a Spring-security web application:
* the ``++vote++`` method of an https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type is not compliant when it returns only an affirmative decision (``++ACCESS_GRANTED++``) or abstains to make a decision (``++ACCESS_ABSTAIN++``):
----
public class WeakNightVoter implements AccessDecisionVoter {
@Override
public int vote(Authentication authentication, Object object, Collection collection) { // Noncompliant
Calendar calendar = Calendar.getInstance();
int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
if(currentHour >= 8 && currentHour <= 19) {
return ACCESS_GRANTED; // Noncompliant
}
// when users connect during the night, do not make decision
return ACCESS_ABSTAIN; // Noncompliant
}
}
----
* the ``++hasPermission++`` method of a https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type is not compliant when it doesn't return ``++false++``:
----
public class MyPermissionEvaluator implements PermissionEvaluator {
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
//Getting subject
Object user = authentication.getPrincipal();
if(user.getRole().equals(permission)) {
return true; // Noncompliant
}
return true; // Noncompliant
}
}
----
== Compliant Solution
In a Spring-security web application:
* the ``++vote++`` method of an https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html[AccessDecisionVoter] type should return a negative decision (``++ACCESS_DENIED++``):
----
public class StrongNightVoter implements AccessDecisionVoter {
@Override
public int vote(Authentication authentication, Object object, Collection collection) {
Calendar calendar = Calendar.getInstance();
int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
if(currentHour >= 8 && currentHour <= 19) {
return ACCESS_GRANTED;
}
// users are not allowed to connect during the night
return ACCESS_DENIED; // Compliant
}
}
----
* the ``++hasPermission++`` method of a https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html[PermissionEvaluator] type should return ``++false++``:
----
public class MyPermissionEvaluator implements PermissionEvaluator {
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
//Getting subject
Object user = authentication.getPrincipal();
if(user.getRole().equals(permission)) {
return true;
}
return false; // Compliant
}
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink