FilesExpand file tree

 main

/

authorization-spring.java

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

74 lines (58 loc) · 2.74 KB

 main

/

authorization-spring.java

Top

File metadata and controls

• Code
• Blame

74 lines (58 loc) · 2.74 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

/*

취약점 개요

응용 프로그램의 리소스에 액세스하기 위해 사용자에게 부여하거나 부여하지 않는 권한은 강력한 결정을 기반으로 해야 합니다.

예를 들어, 사용자가 인증되었는지 여부를 확인하는 것은 올바른 역할/권한을 가지고 있습니다. 또한 사용자의 위치 또는 사용자가 액세스를 요청한 날짜, 시간에 따라 다를 수 있습니다.

*/

// Noncompliant Code Example

// 1. the vote method of an AccessDecisionVoter type is not compliant when it returns only an affirmative decision (ACCESS_GRANTED)

// or abstains to make a decision (ACCESS_ABSTAIN)

public class WeakNightVoter implements AccessDecisionVoter {

@Override

public int vote(Authentication authentication, Object object, Collection collection) { // Noncompliant

Calendar calendar = Calendar.getInstance();

int currentHour = calendar.get(Calendar.HOUR_OF_DAY);

if(currentHour >= 8 && currentHour <= 19) {

return ACCESS_GRANTED; // Noncompliant

}

// when users connect during the night, do not make decision

return ACCESS_ABSTAIN; // Noncompliant

}

}

// 2. the hasPermission method of a PermissionEvaluator type is not compliant when it doesn’t return false

public class MyPermissionEvaluator implements PermissionEvaluator {

@Override

public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {

//Getting subject

Object user = authentication.getPrincipal();

if(user.getRole().equals(permission)) {

return true; // Noncompliant

}

return true; // Noncompliant

}

}

// Compliant Solution

// 1. he vote method of an AccessDecisionVoter type should return a negative decision (ACCESS_DENIED)

public class StrongNightVoter implements AccessDecisionVoter {

@Override

public int vote(Authentication authentication, Object object, Collection collection) {

Calendar calendar = Calendar.getInstance();

int currentHour = calendar.get(Calendar.HOUR_OF_DAY);

if(currentHour >= 8 && currentHour <= 19) {

return ACCESS_GRANTED;

}

// users are not allowed to connect during the night

return ACCESS_DENIED; // Compliant

}

}

// 2. the hasPermission method of a PermissionEvaluator type should return false

public class MyPermissionEvaluator implements PermissionEvaluator {

@Override

public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {

//Getting subject

Object user = authentication.getPrincipal();

if(user.getRole().equals(permission)) {

return true;

}

return false; // Compliant

}

}