mostafa-eltaher / abacspringsecurity Goto Github PK

Thanks for an awesome blog and sample project!

Here is a minor issue I found...

The JsonFilePolicyDefinition.DEFAULT_POLICY_FILE_NAME should have a leading / to find it as a root level classpath resource in src/main/resources:

Current: private static String DEFAULT_POLICY_FILE_NAME = "default-policy.json";
Fixed: private static String DEFAULT_POLICY_FILE_NAME = "/default-policy.json";

To my mind: attribute name 'action' in rule definition has incorrect meaning in that project.
And as a result, we can't bind a certain rule to a certain endpoint.

Try to look up an implementation of PermissionEvaluator - AbacPermissionEvaluator in the 'access-control' maven module.
Take into account following method's signature:
boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
'permission' is the last param.

In 'AbacPermissionEvaluator' implementation U throw this object to the PolicyEnforcement#check method as an action object.

According to 'PermissionEvaluator' provided by Spring-boot. Here Permission is an object which claims which permits caller(User) has. So, implementation of PermissionEvaluator have to describe security rules and decides: can caller(user) with certain permissions receive an access to a targetDomainObject.

So, as a result, U define a rule target incorrectly.
Let's see an exmaple: 'subject.role.name() == 'PM' && action == 'PROJECTS_VIEW''.

I understood following: the rule is acceptable if user role - is 'PM' and its permission is 'PROJECTS_VIEW' because action attribute didn't mean action - it means permissions.
As a result, we can't bind this rule to a certain endpoint. Above rule will apply for each request of PM user with the PROJECTS_VIEW permission and a condition will be evaluated.

What is your mind about that?