Willie Wheeler(Migrated from SEC-1002) said:
This problem, which appears in both 2.0.3 and 2.0.4, seems to be related to
but I’m not sure. I haven’t done much research into the cause.
At any rate, I’m using the security:accesscontrollist tag but not the element in the app context. (I know there’s no inherent connection between the two, but I mention it because you need to remove in order to reproduce the bug.) When the JSP that contains the tag runs, I get the following stacktrace:
java.lang.IllegalStateException: Mask 1 does not have a corresponding static Permission
Anyway, I tried one of the ideas in the above-mentioned JIRA issue (namely forcing a BasePermission load and the associated execution of the static initializer) and that solved the problem.
I assume that what’s happening is that DefaultPermissionFactory is trying to carry permissions bits I’ve set either in the tags or else in the database to actual Permissions, isn’t finding anything in the registeredPermissionsByInteger map, and is failing as a result.
Luke Taylor said:
The ACL tags should probably be rewritten to use the PermissionEvaluator interface from the core, as this has no specific dependencies on the ACL module itself.
This should hopefully be resolved by the removal of static fields and methods from BasePermission and the requirement that a PermissionFactory is used directly to convert masks to Permissions (see SEC-1022).