
Does hasPermission return false if the authentication object is null

I have the below code change.

-    @PreAuthorize("isAuthenticated()")
+    @PreAuthorize("hasPermission(#dto.perusteId, 'peruste', 'LUKU')")
     public void setStarted(DokumenttiDto dto);
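Review bot: Replacing `isAuthenticated()` with `hasPermission(...)` on `setStarted` makes the custom PermissionEvaluator the only check between an unauthenticated caller and this method; the evaluator's contract only says the authentication argument "should not be null", it does not promise to reject a null or anonymous token. Unless that evaluator is known to fail closed in those cases, keep both checks in the expression: `@PreAuthorize("isAuthenticated() and hasPermission(#dto.perusteId, 'peruste', 'LUKU')")`.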

As per the Spring documentation, the authentication object should not be null. Here the developer removes the authentication check and puts a hasPermission check. So will the hasPermission method return false if the authentication object is null? The authentication object will be supplied by the Spring Security framework automatically. Can this be considered a refactoring change? Two checks (authentication + permission check) combined into one (permission check)! I don't think the hasPermission method implementation is making any checks for the authentication object. ( https://github.com/Opetushallitus/eperusteet/blob/cd9eff86bdda5dd91072354392dedbe0783c9ddf/eperusteet/eperusteet-service/src/main/java/fi/vm/sade/eperusteet/service/security/PermissionEvaluator.java )

Here's the code change link: https://github.com/Opetushallitus/eperusteet/commit/e8459

Method Detail

hasPermission
public boolean hasPermission(Authentication authentication,
                    Object domainObject,
                    Object permission)
Determines whether the user has the given permission(s) on the domain object using the ACL configuration. If the domain object is null, returns false (this can always be overridden using a null check in the expression itself).
Specified by:
hasPermission in interface PermissionEvaluator
Parameters:
authentication - represents the user in question. Should not be null.
domainObject - the domain object for which permissions should be checked. May be null in which case implementations should return false, as the null condition can be checked explicitly in the expression.
permission - a representation of the permission object as supplied by the expression system. Not null.

I hope what it does is

It returns an object of permissions that is actually an Array/List of all the permissions that the user has.

If your user does not have any roles then an empty list is returned and it is added to the Authentication object.

e.g.

Authentication object when

User with roles
permissions = ['admin', 'user', 'moderator'];
User with no roles
permissions = []

The hasPermission function (if correctly wired into the security expression evaluator) actually just passes on the authentication token to PermissionManager.hasPermission. If you look at the code, most of the convoluted if statements eventually call hasAnyRole, which returns false when the authentication object is null.

However, this whole class is so messed up I cannot say it works better than a random number generator in reality.
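As an added example (not code from the eperusteet project or from either answer): a wrapper PermissionEvaluator that fails closed whenever the Authentication handed in by the expression handler is null, unauthenticated or anonymous, so that a `hasPermission(...)` expression on its own cannot let an unauthenticated caller through. The class name `FailClosedPermissionEvaluator` and the `delegate` field are assumptions for illustration.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;

// Hypothetical wrapper: denies first, then delegates to the real rules.
public class FailClosedPermissionEvaluator implements PermissionEvaluator {

    // Assumed name: the evaluator holding the actual authorisation logic.
    private final PermissionEvaluator delegate;

    public FailClosedPermissionEvaluator(PermissionEvaluator delegate) {
        this.delegate = delegate;
    }

    // True only for a non-null, authenticated, non-anonymous token.
    // With the anonymous filter enabled Spring passes an
    // AnonymousAuthenticationToken rather than null, so both cases are covered.
    static boolean isRealUser(Authentication authentication) {
        return authentication != null
                && authentication.isAuthenticated()
                && !(authentication instanceof AnonymousAuthenticationToken);
    }

    @Override
    public boolean hasPermission(Authentication authentication,
                                 Object domainObject, Object permission) {
        // Mirrors the documented contract: null domain object -> false,
        // and additionally: no real user -> false.
        if (!isRealUser(authentication) || domainObject == null) {
            return false;
        }
        return delegate.hasPermission(authentication, domainObject, permission);
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        // This is the overload used by hasPermission(#dto.perusteId, 'peruste', 'LUKU').
        if (!isRealUser(authentication) || targetId == null) {
            return false;
        }
        return delegate.hasPermission(authentication, targetId, targetType, permission);
    }
}
```

Registering this wrapper in the MethodSecurityExpressionHandler keeps the single-expression form safe; keeping `isAuthenticated() and hasPermission(...)` in the annotation as well costs nothing and documents the intent at the call site.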
