Whether a user is granted or denied access to an application's resources should be based on strong decisions: for instance, whether the user is authenticated and has the required roles or privileges. The decision may also depend on the user's location, or on the date and time at which access is requested.
In a Spring-security web application, the vote method of an AccessDecisionVoter type is not compliant when it returns only an affirmative decision (ACCESS_GRANTED) or abstains from making a decision (ACCESS_ABSTAIN):

```java
import java.util.Calendar;
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

public class WeakNightVoter implements AccessDecisionVoter<Object> {

  @Override
  public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) { // Noncompliant
    Calendar calendar = Calendar.getInstance();
    int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
    if (currentHour >= 8 && currentHour <= 19) {
      return ACCESS_GRANTED; // Noncompliant
    }
    // when users connect during the night, no decision is made:
    // the voter never denies, so night-time access is left to the other voters
    return ACCESS_ABSTAIN; // Noncompliant
  }
}
```

The hasPermission method of a PermissionEvaluator type is not compliant when it never returns false:

```java
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class MyPermissionEvaluator implements PermissionEvaluator {

  @Override
  public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
    // get the subject (the principal is assumed to be an application-specific type exposing getRole())
    Object user = authentication.getPrincipal();
    if (user.getRole().equals(permission)) {
      return true; // Noncompliant
    }
    // the permission check failed, yet access is still granted
    return true; // Noncompliant
  }
}
```
In a Spring-security web application, the vote method of an AccessDecisionVoter type should return a negative decision (ACCESS_DENIED):

```java
import java.util.Calendar;
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

public class StrongNightVoter implements AccessDecisionVoter<Object> {

  @Override
  public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
    Calendar calendar = Calendar.getInstance();
    int currentHour = calendar.get(Calendar.HOUR_OF_DAY);
    if (currentHour >= 8 && currentHour <= 19) {
      return ACCESS_GRANTED;
    }
    // users are not allowed to connect during the night: deny explicitly
    return ACCESS_DENIED; // Compliant
  }
}
```

The hasPermission method of a PermissionEvaluator type should return false:

```java
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class MyPermissionEvaluator implements PermissionEvaluator {

  @Override
  public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
    // get the subject (the principal is assumed to be an application-specific type exposing getRole())
    Object user = authentication.getPrincipal();
    if (user.getRole().equals(permission)) {
      return true;
    }
    // the permission check failed: refuse access
    return false; // Compliant
  }
}
```
No issue is reported when the method throws an exception, as an exception may itself be used to indicate a strong decision.
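The following is an added example, not code from the rule page or from Spring Security: it combines a night-hours voter with Spring Security's RoleVoter under a UnanimousBased AccessDecisionManager to show why abstaining is weak. NightVoter and NightVoterDemo are hypothetical names, the clock is injected so the run is deterministic, and the Spring Security 5.x AccessDecisionManager API (UnanimousBased, RoleVoter, SecurityConfig, TestingAuthenticationToken) is assumed to be on the classpath.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.LocalTime;
import java.time.ZoneOffset;
import java.util.Collection;
import java.util.List;
import org.springframework.security.access.*;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

/** Hypothetical office-hours voter; 'strong' selects ACCESS_DENIED (vs ACCESS_ABSTAIN) at night. */
class NightVoter implements AccessDecisionVoter<Object> {
  private final Clock clock;
  private final boolean strong;
  NightVoter(Clock clock, boolean strong) { this.clock = clock; this.strong = strong; }

  @Override public boolean supports(ConfigAttribute attribute) { return true; }
  @Override public boolean supports(Class<?> clazz) { return true; }

  @Override
  public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
    int hour = LocalTime.now(clock).getHour();
    if (hour >= 8 && hour <= 19) {
      return ACCESS_GRANTED;
    }
    return strong ? ACCESS_DENIED : ACCESS_ABSTAIN; // the only difference between the two voters
  }
}

public class NightVoterDemo {
  /** True when a manager combining RoleVoter and the given night voter grants a ROLE_USER request. */
  static boolean granted(NightVoter nightVoter) {
    UnanimousBased manager = new UnanimousBased(List.<AccessDecisionVoter<?>>of(new RoleVoter(), nightVoter));
    Authentication alice = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"); // constructed test user
    try {
      manager.decide(alice, new Object(), SecurityConfig.createList("ROLE_USER"));
      return true;
    } catch (AccessDeniedException denied) {
      return false;
    }
  }

  public static void main(String[] args) {
    Clock night = Clock.fixed(Instant.parse("2024-01-01T23:00:00Z"), ZoneOffset.UTC);
    System.out.println("weak voter at 23:00, granted=" + granted(new NightVoter(night, false)));
    System.out.println("strong voter at 23:00, granted=" + granted(new NightVoter(night, true)));
  }
}
```

At 23:00 the abstaining voter lets RoleVoter's ACCESS_GRANTED stand, while the denying voter makes UnanimousBased refuse the request. Whether a DENIED vote actually blocks access also depends on the manager chosen: AffirmativeBased grants as soon as any voter grants, so an explicit deny only helps there if it is the sole voter or the manager is changed.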