Open Kjames5269 opened 5 years ago
The first 6 domains in the access control context comes from the inherited access control context (ACC) on line AccessControlContext.java:572. The rest are from the stack.
The current ACD implementation assumed that combined domains could only appear after all stack domains but that is not the case.
An ACC may have a privileged ACC, if not than the inherited one is retrieved. If that ACC has a combiner, then it is used and we cannot tell how the domain list can get re-organized. Most will add them after stack domains. But a combiner can change the whole thing by adding and/or removing entries if they want.
If no combiner is associated with the privileged ACC (or inherited ACC), then its domains if any are placed first, followed by stack domains which can be optimized (entries removed if they were already added before).
The implementation should be modified such that we get the pure set of stack domains and if we can find that exact list as is (assuming that entries can be skipped if they were already defined before), then that would be our start of stack domain index. Anything before is assumed to be combined and anything after is also assumed to be combined (as we are doing today). We should keep track of each entry in the computed list if it corresponds to a stack entry as only those can have privileges extended.
Further more, there is a miss-conception that when we are computing solutions and analyzing them, we loose all combined domains when in fact there is no guaranty. We should think about recomputing an actual ACC and recompute the whole thing from there by cleaning the retrieved stack list of domains. This definitely requires a bit more work.
Description
Running the AC Debugger with the following flags: -c -r -w
Steps to Reproduce
https://codice.atlassian.net/browse/DDF-4416
Expected behavior:
An access control exception to be logged
Actual behavior:
AC Debugger throws a warning
Reproduces how often:
100% of the time
Version
1.8-SNAPSHOT
Additional Information
Any additional information, configuration or data that might be necessary to reproduce the issue.