Consider the following code, which accepts a caller key and a token request from a caller and issues a security key for use in further requests. Note that it also has a minimal exclusion check, which prevents a particular caller from getting the admin permission. Now, the question: what is wrong with the code below?
public enum SecurityToken
{
    Admin,
    Registered,
    Anon
}

public class SecurityGateway
{
    public string GetSecurityKey(string callerKey, SecurityToken token)
    {
        //Prevent caller2 from getting the admin token
        if (callerKey.Equals("secretcallerkey2")
            && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        //Issue the token
        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            default:
                return "PermissionKeyForAdmin";
        }
    }
}
If you have already found the issue, you may stop reading here. Otherwise, let us examine it in a bit more detail.
Assume that a caller, let us say Caller1, requests a security key in order to use admin permissions.
SecurityGateway gateway = new SecurityGateway();

//Caller 1
var key = gateway.GetSecurityKey("secretcallerkey1", SecurityToken.Admin);
//key is now "PermissionKeyForAdmin" for secretcallerkey1
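The following is an added example, not code from the original post: it puts the gateway above beside a hardened version and drives both with a forged token value. The weak spot is the combination of two things. A C# enum is just an integer underneath, so `(SecurityToken)42` compiles and runs even though 42 is not Admin, Registered or Anon; and the `default` branch of the switch hands out the admin key for anything that is not explicitly Anon or Registered. The exclusion check only tests `token == SecurityToken.Admin`, so a forged value walks straight past it. The value 42 and the method names `GetSecurityKeyOriginal` / `GetSecurityKeyHardened` are illustration choices of this example.

```csharp
using System;

// Added example (not from the original post). The enum mirrors the one on the page;
// the value 42 and the caller keys are made-up illustration values.
public enum SecurityToken
{
    Admin,
    Registered,
    Anon
}

public static class GatewayDemo
{
    // Same logic as the SecurityGateway above: the exclusion check only matches
    // Admin, while the switch returns the admin key for anything that is neither
    // Anon nor Registered.
    public static string GetSecurityKeyOriginal(string callerKey, SecurityToken token)
    {
        if (callerKey.Equals("secretcallerkey2") && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            default:
                return "PermissionKeyForAdmin";
        }
    }

    // Hardened version: reject values that are not defined members of the enum,
    // name Admin as an explicit case, and make the default branch fail closed.
    public static string GetSecurityKeyHardened(string callerKey, SecurityToken token)
    {
        if (!Enum.IsDefined(typeof(SecurityToken), token))
            return "Error: Unknown token type";

        if (callerKey.Equals("secretcallerkey2") && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            case SecurityToken.Admin:
                return "PermissionKeyForAdmin";
            default:
                // Unreachable after the IsDefined check, but never hand out a
                // privileged key from a catch-all branch.
                return "Error: Unknown token type";
        }
    }

    public static void Main()
    {
        // C# performs no range check on this cast: 42 is not a defined member.
        SecurityToken forged = (SecurityToken)42;

        // Caller 2 asking for Admin directly is refused as intended.
        Console.WriteLine(GetSecurityKeyOriginal("secretcallerkey2", SecurityToken.Admin));
        // Caller 2 asking with the forged value slips past the check in the original.
        Console.WriteLine(GetSecurityKeyOriginal("secretcallerkey2", forged));
        // The hardened gateway refuses the forged value.
        Console.WriteLine(GetSecurityKeyHardened("secretcallerkey2", forged));
    }
}
```

Running it, the first call returns the error string, the second call returns "PermissionKeyForAdmin" to the very caller the check was meant to exclude, and the third returns "Error: Unknown token type". The general rule the example illustrates: validate externally supplied enum values before trusting them, and never let a catch-all `default` branch be the one that grants the highest privilege. Returning error messages in the same string channel as the keys is also fragile in its own right; a caller that does not inspect the prefix will treat the error text as a key.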
Read more: amazedsaint's .net journal