SEC-2817: ObjectIdentityImpl.equals method doesn't allow comparing ObjectIdentity instances from different classes #3036
Labels
in: acl
An issue in spring-security-acl
type: bug
A general bug
type: jira
An issue that was migrated from JIRA
Comments
spring-projects-issues
added
in: acl
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kenan Sevindik (Migrated from SEC-2817) said:
Inside ObjectIdentityImpl.equals(..) method, target arg object is expected of type ObjectIdentityImpl. However, we can have another implementation of ObjectIdentity interface and an instance of it can be passed into that equals method as well.
Let's say I create a CustomObjectIdentity class of type ObjectIdentity, have a domain object of type: x.y.Foo with id: Long(1), and create two ObjectIdentity instances representing that domain object.
IMO, oid1.equals(oid2) should return true here. Instead of checking if target arg object is of type ObjectIdentityImpl within equals method, it should just check if target object is of type ObjectIdentity and obtain type and identifier values via getters to evaluate the equals method.
The text was updated successfully, but these errors were encountered: