SEC-1140: ace masks are not being compared as bitmasks. #1388

@spring-projects-issues

Brian Ewins (Migrated from SEC-1140) said:

Granting permissions with bitmasks with more than one bit set does not have the expected result, e.g.:

```
MutableAcl acl = (MutableAcl) mutableAclService.readAclById(objectIdentity);
Permission perm = BasePermission.buildFromMask(BasePermission.CREATE.getMask() | BasePermission.DELETE.getMask());
acl.insertAce(0, perm, sid, true);
assert(acl.isGranted(new Permission[]{BasePermission.CREATE}, new Sid[] {sid}, false));
```

As well as the forum link above, this gets mentioned other times in the forum:
http://forum.springsource.org/showthread.php?p=235305
http://forum.springsource.org/showthread.php?t=68655
and as one of the many issues in SEC-479. I’m raising this to split this one issue into a separate bug.

Each time it’s come up, the outcome is that people are reimplementing AclImpl, BasicLookupStrategy etc. In our case we’re migrating data from a different ACL system, and this results in us having to split up every individual permission in the database (since otherwise the CumulativePermission loaded never matches). It does seem to defeat the purpose of these things being bitmasks, as well as meaning we need to store 32x as many rows.
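
The mismatch reported above, as an added stand-alone example (not code from the issue or from Spring Security): it models an ACE check by exact mask equality, as the issue title implies, next to a bitwise check. The `Ace` record, `isGranted` helper and the overlap rule for deny entries are assumptions made for illustration; only the bit values follow `BasePermission`.

```java
import java.util.List;

public class AceMaskDemo {
    // Bit positions mirror BasePermission: CREATE = 4, DELETE = 8.
    static final int CREATE = 1 << 2, DELETE = 1 << 3;

    // Hypothetical stand-in for one ACL row: a mask plus a grant/deny flag.
    record Ace(int mask, boolean granting) {}

    // Exact mode: an ACE applies only when its mask equals the requested mask.
    // Bitwise mode: a granting ACE applies when it covers every requested bit;
    // a denying ACE applies when it overlaps any requested bit, so a combined
    // request cannot slip past a narrower deny entry (assumed design choice).
    static boolean applies(Ace ace, int requested, boolean bitwise) {
        if (!bitwise) {
            return ace.mask() == requested;
        }
        if (requested == 0) {
            return false; // an empty request never matches anything
        }
        return ace.granting()
                ? (ace.mask() & requested) == requested
                : (ace.mask() & requested) != 0;
    }

    // The first applicable ACE decides; no applicable ACE means no access.
    static boolean isGranted(List<Ace> aces, int requested, boolean bitwise) {
        for (Ace ace : aces) {
            if (applies(ace, requested, bitwise)) {
                return ace.granting();
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed ACL: one row granting CREATE|DELETE, as in the report.
        List<Ace> combined = List.of(new Ace(CREATE | DELETE, true));
        System.out.println("exact,   CREATE: " + isGranted(combined, CREATE, false));
        System.out.println("bitwise, CREATE: " + isGranted(combined, CREATE, true));

        // Constructed ACL: DELETE denied ahead of a combined grant.
        List<Ace> withDeny = List.of(new Ace(DELETE, false),
                                     new Ace(CREATE | DELETE, true));
        System.out.println("bitwise, CREATE|DELETE with deny first: "
                + isGranted(withDeny, CREATE | DELETE, true));
    }
}
```

With the single combined row, the exact comparison refuses CREATE while the bitwise comparison grants it; with the deny row first, the combined request is refused because the deny entry overlaps one of the requested bits.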

    Labels

    in: acl (An issue in spring-security-acl)
    status: declined (A suggestion or change that we don't feel we should currently apply)
    type: enhancement (A general enhancement)
    type: jira (An issue that was migrated from JIRA)