SEC-1002: java.lang.IllegalStateException: Mask 1 does not have a corresponding static Permission #1253

Closed
spring-issuemaster opened this Issue Oct 2, 2008 · 2 comments

1 participant

@spring-issuemaster

Willie Wheeler (Migrated from SEC-1002) said:

This problem, which appears in both 2.0.3 and 2.0.4, seems to be related to

http://jira.springframework.org/browse/SEC-908

but I’m not sure. I haven’t done much research into the cause.

At any rate, I’m using the tag but not the element in the app context. (I know there’s no inherent connection between the two, but I mention it because you need to remove in order to reproduce the bug.) When the JSP that contains the tag runs, I get the following stacktrace:

java.lang.IllegalStateException: Mask 1 does not have a corresponding static Permission
org.springframework.util.Assert.state(Assert.java:384)
org.springframework.security.acls.domain.DefaultPermissionFactory.buildFromMask(DefaultPermissionFactory.java:85)
org.springframework.security.acls.domain.AbstractRegisteredPermission.buildFromMask(AbstractRegisteredPermission.java:25)
org.springframework.security.taglibs.authz.AccessControlListTag.parsePermissionsString(AccessControlListTag.java:221)
org.springframework.security.taglibs.authz.AccessControlListTag.doStartTag(AccessControlListTag.java:97)
……

Anyway, I tried one of the ideas in the above-mentioned JIRA issue (namely forcing a BasePermission load and the associated execution of the static initializer) and that solved the problem.

I assume that what’s happening is that DefaultPermissionFactory is trying to carry permissions bits I’ve set either in the tags or else in the database to actual Permissions, isn’t finding anything in the registeredPermissionsByInteger map, and is failing as a result.

@spring-issuemaster

Luke Taylor said:

The ACL tags should probably be rewritten to use the PermissionEvaluator interface from the core, as this has no specific dependencies on the ACL module itself.

@spring-issuemaster

Luke Taylor said:

This should hopefully be resolved by the removal of static fields and methods from BasePermission and the requirement that a PermissionFactory is used directly to convert masks to Permissions (see SEC-1022).

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment