org.acegisecurity.acls.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs

Spring JIRA | Simon van der Sluis | 10 years ago
  1. 0

    SEC-503: org.acegisecurity.acls.AclImpl only allows Acl owner (or administrator?) to insert or delete an Ace

    GitHub | 10 years ago | spring-issuemaster
    org.acegisecurity.acls.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs
  2. 0

    AclImpl.insertAce(..) and AclImpl.deleteAce(..) both check that the current authentication is the owner of the Acl being modified; if the authentication is not the owner, an exception is thrown (see stack trace at the end of this post). In our application we require multiple users (authentications) to be able to administer ACLs, so this check presents a problem.

    I propose a modification to the MutableAcl (org.acegisecurity.acls.MutableAcl) methods insertAce(..) and deleteAce(..) where each would take an additional boolean parameter enforceOwnerOnlyChange: if true, then behaviour should be as it currently is; if false, the check of the ACL owner against the current authentication should be skipped. The changed first couple of lines of the AclImpl methods are shown below:

    ```java
    public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
        ...

        /**
         * @see MutableAcl#deleteAce(Serializable, boolean)
         */
        public void deleteAce(Serializable aceId, boolean enforceOwnerOnlyChange) throws NotFoundException {
            if (enforceOwnerOnlyChange) {
                aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
            }
            // delete as per current ...
        }

        /**
         * @see MutableAcl#insertAce(Serializable, Permission, Sid, boolean, boolean)
         */
        public void insertAce(Serializable afterAceId, Permission permission, Sid sid, boolean granting,
                boolean enforceOwnerOnlyChange) throws NotFoundException {
            if (enforceOwnerOnlyChange) {
                aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
            }
            // insert Ace as per current ...
        }
    }
    ```

    Also I've created some javadoc for the MutableAcl interface method definitions for the above:

    ```java
    /**
     * Deletes the identified {@link AccessControlEntry} from this Acl.
     *
     * @param aceId The ID of the Ace to delete
     * @param enforceOwnerOnlyChange If <code>true</code> enforces that the user (Authentication) making the
     *        change is the same as the user (Authentication) who created the Acl.<br>
     *        If <code>false</code> allows any authentication to make the change.
     */
    public void deleteAce(Serializable aceId, boolean enforceOwnerOnlyChange) throws NotFoundException;

    /**
     * Inserts an {@link AccessControlEntry} into this Acl.
     *
     * @param afterAceId The ACE in this Acl which the Ace should be inserted after
     * @param permission The permission for the new {@link AccessControlEntry}
     * @param sid The Sid for the new {@link AccessControlEntry}
     * @param granting Value of the granting property of the new Ace
     * @param enforceOwnerOnlyChange If <code>true</code> enforces that the user (Authentication) making the
     *        change is the same as the user (Authentication) who created the Acl.<br>
     *        If <code>false</code> allows any authentication to make the change.
     * @throws NotFoundException
     */
    public void insertAce(Serializable afterAceId, Permission permission, Sid sid, boolean granting,
            boolean enforceOwnerOnlyChange) throws NotFoundException;
    ```

    Stack trace:

    ```
    org.acegisecurity.acls.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs
        at org.acegisecurity.acls.domain.AclImpl.isGranted(AclImpl.java:305)
        at org.acegisecurity.acls.domain.AclAuthorizationStrategyImpl.securityCheck(AclAuthorizationStrategyImpl.java:113)
        at org.acegisecurity.acls.domain.AclImpl.insertAce(AclImpl.java:181)
        at com.energyintellect.framework.security.factory.acegi.AclAcegiFactory.assignPermission(AclAcegiFactory.java:197)
        at com.energyintellect.framework.security.factory.acegi.AclAcegiFactory.assignReadPermission(AclAcegiFactory.java:182)
        at com.energyintellect.framework.security.factory.AclFactoryTest.testMultiUserAclUpdates(AclFactoryTest.java:159)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at junit.framework.TestCase.runTest(TestCase.java:154)
        at junit.framework.TestCase.runBare(TestCase.java:127)
        at org.springframework.test.ConditionalTestCase.runBare(ConditionalTestCase.java:69)
        at junit.framework.TestResult$1.protect(TestResult.java:106)
        at junit.framework.TestResult.runProtected(TestResult.java:124)
        at junit.framework.TestResult.run(TestResult.java:109)
        at junit.framework.TestCase.run(TestCase.java:118)
        at junit.framework.TestSuite.runTest(TestSuite.java:208)
        at junit.framework.TestSuite.run(TestSuite.java:203)
        at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:128)
        at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
        at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
    ```

    Spring JIRA | 10 years ago | Simon van der Sluis
    org.acegisecurity.acls.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs
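    The frame that throws in the trace above is AclAuthorizationStrategyImpl.securityCheck, which in Acegi accepts a CHANGE_GENERAL when the caller is the ACL owner, holds the GrantedAuthority configured for general changes, or is granted BasePermission.ADMINISTRATION on that ACL; the NotFoundException is the last of those checks failing. The owner can therefore delegate administration by inserting an ADMINISTRATION ACE, with the owner check left in force, instead of adding a flag that lets any caller skip it. Added example, not code from the report or from Acegi; it assumes the Acegi 1.0 MutableAclService/MutableAcl API, and the class name, principal names and wiring are made up.

    ```java
    // Added example for SEC-503, not code from the report or from Acegi. Assumes the
    // Acegi 1.0 ACL API (org.acegisecurity.acls.*); principal names are made up.
    import java.io.Serializable;

    import org.acegisecurity.acls.MutableAcl;
    import org.acegisecurity.acls.MutableAclService;
    import org.acegisecurity.acls.NotFoundException;
    import org.acegisecurity.acls.domain.BasePermission;
    import org.acegisecurity.acls.objectidentity.ObjectIdentity;
    import org.acegisecurity.acls.sid.PrincipalSid;
    import org.acegisecurity.acls.sid.Sid;

    public class AclDelegation {
        private final MutableAclService aclService;

        public AclDelegation(MutableAclService aclService) {
            this.aclService = aclService;
        }

        /**
         * Run while the ACL owner is the current Authentication. Grants the delegate
         * BasePermission.ADMINISTRATION on this ACL; securityCheck then passes for the
         * delegate via acl.isGranted(ADMINISTRATION, sids) with the owner check unchanged.
         */
        public void delegateAdministration(ObjectIdentity oid, String delegateUser)
                throws NotFoundException {
            MutableAcl acl = (MutableAcl) aclService.readAclById(oid);
            Sid delegate = new PrincipalSid(delegateUser);
            Serializable afterAceId = null;   // assumed: null means no positional constraint
            acl.insertAce(afterAceId, BasePermission.ADMINISTRATION, delegate, true);
            aclService.updateAcl(acl);
        }

        /**
         * Run later as the delegate: insertAce now clears securityCheck through the
         * ADMINISTRATION ACE instead of throwing the NotFoundException in the trace.
         */
        public void grantReadAsDelegate(ObjectIdentity oid, String readerUser)
                throws NotFoundException {
            MutableAcl acl = (MutableAcl) aclService.readAclById(oid);
            acl.insertAce(null, BasePermission.READ, new PrincipalSid(readerUser), true);
            aclService.updateAcl(acl);
        }
    }
    ```

    The same effect for a whole role, rather than per ACL, comes from configuring that role as the general-changes authority of AclAuthorizationStrategyImpl.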
    Root Cause Analysis

    1. org.acegisecurity.acls.NotFoundException

      Unable to locate a matching ACE for passed permissions and SIDs

      at org.acegisecurity.acls.domain.AclImpl.isGranted()
    2. Acegi Security Core
      AclImpl.insertAce
      1. org.acegisecurity.acls.domain.AclImpl.isGranted(AclImpl.java:305)
      2. org.acegisecurity.acls.domain.AclAuthorizationStrategyImpl.securityCheck(AclAuthorizationStrategyImpl.java:113)
      3. org.acegisecurity.acls.domain.AclImpl.insertAce(AclImpl.java:181)
      3 frames
    3. com.energyintellect.framework
      AclFactoryTest.testMultiUserAclUpdates
      1. com.energyintellect.framework.security.factory.acegi.AclAcegiFactory.assignPermission(AclAcegiFactory.java:197)
      2. com.energyintellect.framework.security.factory.acegi.AclAcegiFactory.assignReadPermission(AclAcegiFactory.java:182)
      3. com.energyintellect.framework.security.factory.AclFactoryTest.testMultiUserAclUpdates(AclFactoryTest.java:159)
      3 frames
    4. Java RT
      Method.invoke
      1. sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      2. sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      3. sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      4. java.lang.reflect.Method.invoke(Method.java:597)
      4 frames
    5. JUnit
      TestCase.runBare
      1. junit.framework.TestCase.runTest(TestCase.java:154)
      2. junit.framework.TestCase.runBare(TestCase.java:127)
      2 frames
    6. Spring TestContext
      ConditionalTestCase.runBare
      1. org.springframework.test.ConditionalTestCase.runBare(ConditionalTestCase.java:69)
      1 frame
    7. JUnit
      TestSuite.run
      1. junit.framework.TestResult$1.protect(TestResult.java:106)
      2. junit.framework.TestResult.runProtected(TestResult.java:124)
      3. junit.framework.TestResult.run(TestResult.java:109)
      4. junit.framework.TestCase.run(TestCase.java:118)
      5. junit.framework.TestSuite.runTest(TestSuite.java:208)
      6. junit.framework.TestSuite.run(TestSuite.java:203)
      6 frames
    8. JUnit3 Runner
      RemoteTestRunner.main
      1. org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:128)
      2. org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
      3. org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
      4. org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
      5. org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
      6. org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
      6 frames