JBoss Enterprise Application Platform 6 / JBPAPP6-1376

JACC 1.1 implementation must use exception list instead of missing method list for HTTP methods in the unchecked permissions

      Description

      The method org.jboss.as.web.security.WarJaccService.PatternInfo.getMissingMethods(), which subtracts the current method set from the "big 7", is used to construct some of the unchecked permissions.

      The HTTP method exception list (i.e. an exclamation mark followed by the current methods) must be used instead, as defined in section 3.1.3.1 of the JACC 1.1 specification.

      The specification says:

      HTTP Method Exception List

      An HTTP method exception list is used to represent, by set difference, a non-
      enumerable subset of the set of all possible HTTP methods. An exception list
      represents the subset of the complete set of HTTP methods formed by subtracting
      the methods named in the exception list from the complete set.
      An exception list is distinguished by its first character, which must be the
      exclamation point (i.e., “!”) character. A comma separated list of one or more
      HTTP method names must follow the exclamation point.
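
The difference between the two representations, as an added example (not JBoss code; the class and method names are hypothetical, and the seven methods taken as the "big 7" are an assumption). For a constructed constraint on GET and POST, it shows that methods outside the enumerated seven are covered by the exception list but not by the missing-method list:

```java
import java.util.*;

// Added illustration, not JBoss code. All names here are hypothetical.
public class HttpMethodActions {
    // Assumption: the "big 7" are these seven HTTP methods.
    static final List<String> BIG_7 =
        List.of("DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE");

    // Missing-method list: enumerates BIG_7 minus the constrained methods.
    static String missingMethods(Set<String> constrained) {
        List<String> rest = new ArrayList<>(BIG_7);
        rest.removeAll(constrained);
        return String.join(",", rest);
    }

    // Exception list per JACC 1.1 section 3.1.3.1: "!" + constrained methods.
    static String exceptionList(Set<String> constrained) {
        return "!" + String.join(",", new TreeSet<>(constrained));
    }

    // Does an actions string cover the given HTTP method?
    static boolean covers(String actions, String method) {
        if (actions.isEmpty()) {
            return true; // JACC: empty actions stands for all HTTP methods
        }
        if (actions.startsWith("!")) {
            // Set difference: everything except the named methods.
            return !Arrays.asList(actions.substring(1).split(",")).contains(method);
        }
        return Arrays.asList(actions.split(",")).contains(method);
    }

    public static void main(String[] args) {
        Set<String> constrained = Set.of("GET", "POST"); // constructed sample
        String missing = missingMethods(constrained);
        String exception = exceptionList(constrained);
        System.out.println("missing-method list: " + missing);
        System.out.println("exception list:      " + exception);
        // PATCH and PROPFIND are valid HTTP methods outside the seven.
        for (String m : List.of("GET", "PUT", "PATCH", "PROPFIND")) {
            System.out.printf("%-9s missing=%-5b exception=%b%n",
                m, covers(missing, m), covers(exception, m));
        }
    }
}
```

The two forms agree on GET and PUT and disagree on PATCH and PROPFIND, which is the non-enumerable subset the specification text refers to.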

              People

              • Assignee:
                anil.saldhana Anil Saldanha
                Reporter:
                jcacek Josef Cacek