AffirmativeBased bug (2.0.3)

**qmaster** · Dec 22nd, 2009, 09:31 AM

I know that this is occurring in an older version but since I did not check the current version to see if the issue is still there I would write it here...

It not really a bug but more like a performance issue. The loop below should terminate right away when a single deny is encounter

Code:

public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
        throws AccessDeniedException {
        Iterator iter = this.getDecisionVoters().iterator();
        int deny = 0;

        while (iter.hasNext()) {
            AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
            int result = voter.vote(authentication, object, config);

            switch (result) {
            case AccessDecisionVoter.ACCESS_GRANTED:
                return;

            case AccessDecisionVoter.ACCESS_DENIED:
                deny++;

                break;

            default:
                break;
            }
        }

        if (deny > 0) {
            throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
                    "Access is denied"));

A very easy fix is this

Code:

while (iter.hasNext() && deny == 0) {

**Luke Taylor** · Dec 22nd, 2009, 10:35 AM

It's not a bug. Check the Javadoc. AffirmativeBase "Denies access only if there was a deny vote AND no affirmative votes".

Breaking without checking all voters will break that contract.

**qmaster** · Dec 22nd, 2009, 11:24 AM

Makes perfect sense - my bad!

Originally Posted by Luke Taylor

It's not a bug. Check the Javadoc. AffirmativeBase "Denies access only if there was a deny vote AND no affirmative votes".

Breaking without checking all voters will break that contract.

Thread: AffirmativeBased bug (2.0.3)

Thread Tools

Display

AffirmativeBased bug (2.0.3)

Posting Permissions