Posted to commits@shiro.apache.org by fp...@apache.org on 2019/05/09 17:56:13 UTC
[shiro] branch master updated: [SHIRO-685] Potential NullPointerException if PermissionResolver return null/empty string
This is an automated email from the ASF dual-hosted git repository.
fpapon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shiro.git
The following commit(s) were added to refs/heads/master by this push:
new d7d33bf [SHIRO-685] Potential NullPointerException if PermissionResolver return null/empty string
new 9d2908e Merge pull request #132 from fpapon/SHIRO-685
d7d33bf is described below
commit d7d33bfbd0a1d3f41b288d1ae8bf8f6fefe35022
Author: Francois Papon <fp...@apache.org>
AuthorDate: Thu May 9 01:31:40 2019 +0400
[SHIRO-685] Potential NullPointerException if PermissionResolver return null/empty string
---
.../org/apache/shiro/realm/AuthorizingRealm.java | 7 ++-
.../apache/shiro/realm/AuthorizingRealmTest.java | 56 ++++++++++++++++++++--
2 files changed, 57 insertions(+), 6 deletions(-)
diff --git a/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java b/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java
index 254472f..8f69a24 100644
--- a/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java
+++ b/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java
@@ -26,6 +26,7 @@ import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.util.Initializable;
+import org.apache.shiro.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -431,8 +432,10 @@ public abstract class AuthorizingRealm extends AuthenticatingRealm
if (resolver != null && !CollectionUtils.isEmpty(stringPerms)) {
perms = new LinkedHashSet<Permission>(stringPerms.size());
for (String strPermission : stringPerms) {
- Permission permission = resolver.resolvePermission(strPermission);
- perms.add(permission);
+ if (StringUtils.clean(strPermission) != null) {
+ Permission permission = resolver.resolvePermission(strPermission);
+ perms.add(permission);
+ }
}
}
return perms;
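Review bot: The value returned by `resolver.resolvePermission(strPermission)` is still added unchecked, so a PermissionResolver that returns null for a string — the case the commit title names — puts a null into the LinkedHashSet (which accepts nulls) and defers the NullPointerException to whoever later iterates the returned set, presumably an implies() check. A guard on the result closes that path: `if (permission != null) { perms.add(permission); }`. Note also that the cleaned string is only used for the test and the untrimmed `strPermission` is what reaches the resolver; whether padded input should be passed through as-is depends on the resolver contract and is worth a one-line comment either way. The enclosing method begins and its argument setup lives above the hunk, so the source of `stringPerms` is not visible here.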
diff --git a/core/src/test/java/org/apache/shiro/realm/AuthorizingRealmTest.java b/core/src/test/java/org/apache/shiro/realm/AuthorizingRealmTest.java
index 32c50df..c78d669 100644
--- a/core/src/test/java/org/apache/shiro/realm/AuthorizingRealmTest.java
+++ b/core/src/test/java/org/apache/shiro/realm/AuthorizingRealmTest.java
@@ -18,7 +18,18 @@
*/
package org.apache.shiro.realm;
-import org.apache.shiro.authc.*;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAccount;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
@@ -26,15 +37,18 @@ import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
+import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.junit.After;
-import static org.junit.Assert.*;
import org.junit.Before;
import org.junit.Test;
-import java.security.Principal;
-import java.util.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
/**
@@ -214,6 +228,40 @@ public class AuthorizingRealmTest {
assertTrue( realm.isPermitted( pCollection, "other:bar:foo" ) );
}
+ @Test
+ public void testRealmWithEmptyOrNullPermissions() {
+ Principal principal = new UsernamePrincipal("rolePermResolver");
+ PrincipalCollection pCollection = new SimplePrincipalCollection(principal, "testRealmWithRolePermissionResolver");
+
+ AuthorizingRealm realm = new AllowAllRealm();
+ realm.setRolePermissionResolver( new RolePermissionResolver()
+ {
+ public Collection<Permission> resolvePermissionsInRole( String roleString )
+ {
+ Collection<Permission> permissions = new HashSet<Permission>();
+ if( roleString.equals( ROLE ))
+ {
+ permissions.add( new WildcardPermission( ROLE + ":perm1" ) );
+ permissions.add( new WildcardPermission( ROLE + ":perm2" ) );
+ permissions.add( new WildcardPermission( ROLE + ": " ) );
+ permissions.add( new WildcardPermission( ROLE + ":\t" ) );
+ permissions.add( new WildcardPermission( "other:*:foo" ) );
+ }
+ return permissions;
+ }
+ });
+
+ realm.setPermissionResolver(new WildcardPermissionResolver());
+ SimpleAuthorizationInfo authorizationInfo = (SimpleAuthorizationInfo) realm.getAuthorizationInfo(pCollection);
+ assertNotNull(authorizationInfo);
+ authorizationInfo.addStringPermission("");
+ authorizationInfo.addStringPermission(" ");
+ authorizationInfo.addStringPermission("\t");
+ authorizationInfo.addStringPermission(null);
+ Collection<Permission> permissions = realm.getPermissions(authorizationInfo);
+ assertEquals(permissions.size(), 4);
+ }
+
private void assertArrayEquals(boolean[] expected, boolean[] actual) {
if (expected.length != actual.length) {
fail("Expected array of length [" + expected.length + "] but received array of length [" + actual.length + "]");
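Review bot: `assertEquals(permissions.size(), 4)` in testRealmWithEmptyOrNullPermissions has JUnit's (expected, actual) argument order reversed, so a failure would report the numbers swapped; write it as `assertEquals(4, permissions.size());`. The assertion also only pins a count, so a regression that dropped a real permission while letting a blank one through would still pass; asserting that the set contains the expected entries (for example `assertTrue(permissions.contains(new WildcardPermission(ROLE + ":perm1")));`) and contains no null would make the test reflect the fix. A short Javadoc on the test stating that blank and null string permissions are expected to be skipped rather than resolved would also help, since the method name alone does not say which outcome is intended.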