SEC-2083: Create a MethodSecurityExpressionHandler that can handle fixed-sized collections

[spring-projects-issues]

Mattias Severson (Migrated from SEC-2083) said:

When using annotations to filter collections based, e.g. @PostFilter("hasPermission(filterObject, 'SOME_PERMISSION')"), the DefaultMethodSecurityExpressionHandler.filter() gets called. The problem with this method is that if the filterTarget is an immutable list or an immutable set, an exception will thrown (because collection.clear() is called before the elements in the retainList are added back to the collection).

One solution to overcome this problem is to implement an "ImmutableMethodSecurityExpressionHandler" by subclassing the DefaultMethodSecurityExpressionHandler, override the filter() method if the filterTarget is of type List, Set, or SortedSet, do the filtering as before, but instead of clearing the existing collection, returning the retainList wrapped in Collections.unmodifiableList(), Collections.unmodifiableSet() or Collections.unmodifiableSortedSet() respectively.

UPDATE: We should also support Arrays.asList which is a fixed size collection

[spring-projects-issues]

Mattias Severson said:

Are you considering filtering of immutable collections? I have just submitted a pull reqiest to give you some idea to what I have in mind.

[spring-projects-issues]

Rob Winch said:

Thanks for the submission. I think I would prefer a strategy style pattern rather than inheritance. This would allow handling of custom types. One issue I see w/ the pull request is it does not seem to consider that some users may use specific types of collections. For example, if the method signature were a LinkedList this solution does not look like it would work since LinkedList is a List and the solution would use an ArrayList. A PR that would be merged would certainly need some tests to demonstrate these use cases working.

[gcorsaro]

I was better looking to this issue and I think it's misleading. it should be considered as a bug, not enhancement. As showed in my ticket #8427 the issue regards also mutable lists. This means that currently it's not possible to use the postfilter on any collection. Changing the scope could give different prioritization to this ticket I think.

[rwinch]

It works fine with collections that allow for changing the size. For example, LinkedList and ArrayList work just fine. There are tests to back this up.