  1. JBoss Enterprise Application Platform 6
  2. JBPAPP6-1380

JACC permissions added to the unchecked policy must be constructed using qualified pattern as their name


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Migrated to another ITS
    • Affects Version/s: EAP 6.0.0
    • Fix Version/s: TBD EAP 6
    • Component/s: Security

      Description

      JACC 1.1 specification, chapter 3.1.3.1 Translating security-constraint Elements says:

      A WebResourcePermission and a WebUserDataPermission must be added to
      the unchecked policy statements for each url-pattern in the deployment
      descriptor and the default pattern, "/", that is not combined by the
      web-resource-collection elements of the deployment descriptor with every
      HTTP method value. The permission objects must be constructed using the
      qualified pattern as their name and with actions represented by an HTTP method
      exception list that identifies (as defined in “HTTP Method Exception List”) all the
      HTTP methods that do not occur in combination with the pattern. The resulting
      permissions must be added to the unchecked policy statements by calling the
      addToUncheckedPolicy method on the PolicyConfiguration object.

      but the class WarJaccService doesn't use qualified patterns (around line 170 in source code):

      String excludedString = "!" + getCommaSeparatedString(httpMethods);
      WebResourcePermission wrp1 = new WebResourcePermission(info.pattern, excludedString);
      WebUserDataPermission wudp1 = new WebUserDataPermission(info.pattern, excludedString);
      


            People

            Assignee:
            anil.saldhana Anil Saldanha (Inactive)
            Reporter:
            jcacek Josef Cacek (Inactive)
            Archiver:
            samahaja Sagar Mahajan

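
The qualified pattern name that the quoted JACC text requires, shown as an added example that is not part of the original report or the JBoss source. It implements the URL-pattern qualification rules of the JACC 1.1 specification in plain Java; the class name, method names and sample patterns are assumptions made for illustration.

```java
import java.util.*;

// Added example: builds JACC qualified URL pattern names ("pattern:qualifier1:qualifier2...").
public class QualifiedPatternExample {
    static boolean isPrefix(String p)    { return p.endsWith("/*"); }
    static boolean isExtension(String p) { return p.startsWith("*."); }
    static boolean isDefault(String p)   { return p.equals("/"); }
    static boolean isExact(String p)     { return !isPrefix(p) && !isExtension(p) && !isDefault(p); }

    // True if pattern p matches pattern q (servlet-style matching applied to pattern strings).
    static boolean matches(String p, String q) {
        if (p.equals(q) || isDefault(p)) return true;
        if (isPrefix(p)) {
            String base = p.substring(0, p.length() - 2);   // "/a/*" -> "/a"
            return q.equals(base) || q.startsWith(base + "/");
        }
        return isExtension(p) && q.endsWith(p.substring(1)); // "*.jsp" -> ".jsp"
    }

    // Appends every qualifying pattern to the pattern, colon separated, without duplicates.
    // Qualifiers already matched by another qualifier are kept here; the spec allows dropping them.
    static String qualify(String pattern, Collection<String> allPatterns) {
        Set<String> qualifiers = new TreeSet<>();            // de-duplicated, deterministic order
        for (String other : allPatterns) {
            if (other.equals(pattern)) continue;
            boolean qualifies;
            if (isDefault(pattern))        qualifies = true;  // "/" is qualified by every other pattern
            else if (isPrefix(pattern))    qualifies = (isPrefix(other) || isExact(other)) && matches(pattern, other);
            else if (isExtension(pattern)) qualifies = isPrefix(other) || (isExact(other) && matches(pattern, other));
            else                           qualifies = false; // exact patterns carry no qualifiers
            if (qualifies) qualifiers.add(other);
        }
        StringBuilder name = new StringBuilder(pattern);
        for (String q : qualifiers) name.append(':').append(q);
        return name.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: url-patterns of a hypothetical web.xml plus the default pattern "/".
        List<String> patterns = Arrays.asList("/", "/secure/*", "/secure/admin/*", "/secure/login.jsp", "*.jsp");
        for (String p : patterns) {
            // The qualified name is what belongs in the permission name argument, i.e.
            // new WebResourcePermission(qualify(p, patterns), excludedString) instead of the bare pattern.
            System.out.println(p + " -> " + qualify(p, patterns));
        }
    }
}
```

With the bare pattern as the name, an unchecked permission for `/secure/*` also implies the more specific `/secure/admin/*` and `/secure/login.jsp`, so constraints declared on those paths can be bypassed by the broader unchecked grant; the qualifiers carve them out.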