  1. JBoss Enterprise Application Platform
  2. JBEAP-5865

No warning logged for uncovered HTTP methods by security constraints


Details

    • Bug
    • Resolution: Done
    • Minor
    • 7.1.0.DR10
    • 7.1.0.DR3
    • Undertow
    • None

    Description

      When securing a deployment, one can cover various HTTP methods for various URL resources. If some HTTP methods are left uncovered, the Servlet 3.1 specification, in section 13.8.4.2 Handling Uncovered HTTP Methods, states:

      During application deployment, the container must inform the deployer of any
      uncovered HTTP methods present in the application security constraint
      configuration resulting from the combination of the constraints defined for the
      application. The provided information must identify the uncovered HTTP protocol
      methods, and the corresponding URL patterns at which the HTTP methods are
      uncovered. The requirement to notify the deployer may be satisfied by logging the
      required information.

      However, when trying with the attached simple app jboss-helloworld.war, it seems that no warning is logged at all.

      NOTE: From a functional point of view this seems to be working just fine, even when I add the <deny-uncovered-http-methods/> element. Therefore the priority is set to low.
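
The check that section 13.8.4.2 asks the container to perform can be reproduced offline against a web.xml, which is useful while the container itself logs nothing. The following Python is an added example, not code from this issue, Undertow or JBoss EAP; it assumes constraints are combined only when their url-pattern strings are identical, it does not look at <deny-uncovered-http-methods/>, and the descriptor, function names and log line format are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor, trimmed for brevity (web-resource-name omitted).
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/reports/*</url-pattern>
    <http-method-omission>TRACE</http-method-omission>
  </web-resource-collection><auth-constraint><role-name>user</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/reports/*</url-pattern>
    <http-method>TRACE</http-method></web-resource-collection><auth-constraint/></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/api/*</url-pattern>
    <http-method-omission>OPTIONS</http-method-omission><http-method-omission>HEAD</http-method-omission>
  </web-resource-collection><auth-constraint><role-name>user</role-name></auth-constraint></security-constraint>
</web-app>"""

def _find(elem, name):
    # Compare local names so namespaced and plain descriptors both work.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _union(a, b):
    # Coverage is (omission_form, methods): (False, S) covers only S,
    # (True, S) covers everything except S. Return the union of both.
    (a_om, a_set), (b_om, b_set) = a, b
    if a_om == b_om:
        return (a_om, a_set & b_set if a_om else a_set | b_set)
    om, named = (a_set, b_set) if a_om else (b_set, a_set)
    return (True, om - named)

def uncovered_methods(web_xml):
    """Map url-pattern -> ("only" | "all-except", methods) left uncovered."""
    covered = {}
    for wrc in _find(ET.fromstring(web_xml), "web-resource-collection"):
        named = {(m.text or "").strip() for m in _find(wrc, "http-method")}
        omitted = {(m.text or "").strip() for m in _find(wrc, "http-method-omission")}
        cur = (False, named) if named else (True, omitted)
        for pat in _find(wrc, "url-pattern"):
            key = (pat.text or "").strip()
            covered[key] = _union(covered[key], cur) if key in covered else cur
    # (True, empty set) means every method is covered at that pattern.
    return {p: ("only" if om else "all-except", sorted(ms))
            for p, (om, ms) in covered.items() if ms or not om}

def deploy_warnings(web_xml):
    # One log line per pattern, naming the methods and the URL pattern.
    return [f"WARN uncovered HTTP methods at {p}: "
            + ("" if kind == "only" else "all except ") + ", ".join(ms)
            for p, (kind, ms) in sorted(uncovered_methods(web_xml).items())]
```

In the sample, /reports/* produces no warning because the second constraint covers the TRACE method that the first one omits.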


            People

              rpelisse@redhat.com Romain Pelisse
              jstourac@redhat.com Jan Stourac
