Thorntail / THORN-1460

HttpSecurityPreparer should not ignore unknown auth methods

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2017.7.0
    • Fix Version/s: 2017.8.1
    • Component/s: config-api
    • Labels:
      None

      Description

      A project-default.yml file like the following:

      swarm: 
        deployment: 
          RolesAllowedTest.war: 
            web: 
              login-config: 
                auth-method: MP-JWT
              security-constraints: 
                - url-pattern: "/endp/echo"
                  methods: [GET]
                  roles: [Echoer]
                - url-pattern: "/endp/echo2"
                  methods: [GET]
                  roles: [NoSuchRole]
      

      results in all of the web configuration being ignored because of the check for a known auth method among the 4 hardcoded in the org.wildfly.swarm.undertow.runtime.HttpSecurityPreparer. If an equivalent configuration is passed in via a WEB-INF/web.xml, the method is allowed. Since undertow has an extension mechanism that allows for deploying custom authentication mechanisms in the deployment war, I don't see the point in trying to validate it here.

      I would propose to just remove validation of the auth-method altogether. If acceptable, assign this to me and I'll create a pull request.

              People

              • Assignee:
                starksm64 Scott Stark
                Reporter:
                starksm64 Scott Stark
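
The behaviour described in the report, modelled as an added example (not part of the original issue and not Thorntail source code). The class, record and method names are hypothetical, and the `KNOWN` set is a constructed stand-in for the four hardcoded methods, which the issue does not list.

```java
import java.util.*;

// Hypothetical model of the behaviour in the report; not Thorntail source code.
public class AuthMethodHandlingDemo {

    // Constructed stand-in for the "4 hardcoded" methods; the issue does not list them.
    static final Set<String> KNOWN = Set.of("BASIC", "DIGEST", "FORM", "CLIENT-CERT");

    record Constraint(String urlPattern, List<String> methods, List<String> roles) {}
    record WebConfig(String authMethod, List<Constraint> constraints) {}

    // Reported behaviour: an unrecognised auth-method discards the whole web
    // section, so none of the declared security constraints are applied.
    static Optional<WebConfig> prepareWithAllowList(WebConfig cfg) {
        if (!KNOWN.contains(cfg.authMethod())) {
            return Optional.empty(); // constraints dropped along with login-config
        }
        return Optional.of(cfg);
    }

    // Proposed behaviour: pass auth-method through unvalidated and leave
    // resolution of the mechanism to the servlet container.
    static Optional<WebConfig> prepareWithoutValidation(WebConfig cfg) {
        return Optional.of(cfg);
    }

    // Number of security constraints that survive preparation.
    static int enforced(Optional<WebConfig> applied) {
        return applied.map(c -> c.constraints().size()).orElse(0);
    }

    public static void main(String[] args) {
        // Same values as the project-default.yml in the report.
        WebConfig cfg = new WebConfig("MP-JWT", List.of(
            new Constraint("/endp/echo", List.of("GET"), List.of("Echoer")),
            new Constraint("/endp/echo2", List.of("GET"), List.of("NoSuchRole"))));

        System.out.println("allow-list check: "
            + enforced(prepareWithAllowList(cfg)) + " constraints applied");
        System.out.println("no validation:    "
            + enforced(prepareWithoutValidation(cfg)) + " constraints applied");
    }
}
```

Records require Java 16 or later. The model makes the review point concrete: a validation failure on `auth-method` takes the `security-constraints` for `/endp/echo` and `/endp/echo2` down with it instead of leaving them in place.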