
I am working on a project which goes through a JTest scan, in which one of the reported bugs is SECURITY.WSC.CACM-1, which states that:

'isUserInRole()' is not allowed to be invoked within 'isInRole()', it should only be invoked inside centralized access control method declarations

I have written code as:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

    // enclosing class declaration omitted in the question; it implements the
    // framework's request-lifecycle interface that declares onRequestStart()
    private HttpServletRequest request;

    private HttpServletRequest getRequest() {
        assert (request != null);
        return request;
    }

    @Override
    public void onRequestStart(HttpServletRequest request, HttpServletResponse response) {
        this.request = request;
    }

    public boolean isAdmin() {
        return isInRole("ADMIN");
    }

    // flagged by SECURITY.WSC.CACM-1: isUserInRole() is called outside a
    // centralized access-control method
    private boolean isInRole(String role) {
        return getRequest().isUserInRole(role);
    }

Where am I wrong? Can anyone give me a solution for this?

PS: Please provide me a link, if you have one, for possible fixes for JTest scan defects.

jcool

1 Answer


This rule says that you shouldn't call access-control methods from methods that are not designated for it. Your application should have an authorization class/module. So your code:

private boolean isInRole(String role) {
    return getRequest().isUserInRole(role);
}

is incorrect (for checking the user role) because this method is located in the servlet. Please move this method to your authorization class and set up this method in your test configuration.

wojand