  1. Thorntail
  2. THORN-1953

MP JWT: JAX-RS resource with no @RolesAllowed annotation isn't secured properly

    Details

      Description

      If I use MP JWT for securing JAX-RS resources, I have to always include the @RolesAllowed annotation in the class, otherwise that resource isn't secured properly.

      This is because MPJWTAuthExtensionArchivePreparer.process only calls generateSecurityConstraints for classes where at least one method (or the entire class) has the @RolesAllowed annotation, and only then are the @DenyAll and @PermitAll annotations processed.

      To reproduce, imagine this simple resource:

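      import javax.annotation.security.DenyAll;
      import javax.ws.rs.GET;
      import javax.ws.rs.Path;

      // Class-level @DenyAll, with no @RolesAllowed on the class or any method
      @DenyAll
      @Path("/denied")
      public class DeniedResource {
          @GET
          public String denied() {
              return "This should never happen";
          }
      }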
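
An added example (not part of the original report and not Thorntail code): a reflection-based audit that lists JAX-RS resource classes with no @RolesAllowed on the class or on any method, which are the classes the report says are skipped. The annotation types are local stand-ins so the file compiles without dependencies, and the class and method names are hypothetical.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class MpJwtAnnotationAudit {
    // Stand-ins (assumption): in a real project use javax.ws.rs.Path and
    // javax.annotation.security.{RolesAllowed, DenyAll, PermitAll} instead.
    @Retention(RetentionPolicy.RUNTIME) @interface Path { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @interface RolesAllowed { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @interface DenyAll {}
    @Retention(RetentionPolicy.RUNTIME) @interface PermitAll {}

    // True if the annotation is on the class itself or on any declared method.
    static boolean present(Class<?> c, Class<? extends Annotation> a) {
        if (c.isAnnotationPresent(a)) return true;
        return Arrays.stream(c.getDeclaredMethods()).anyMatch(m -> m.isAnnotationPresent(a));
    }

    // Returns one finding per resource class that carries no @RolesAllowed at all.
    static List<String> audit(Class<?>... resources) {
        List<String> findings = new ArrayList<>();
        for (Class<?> c : resources) {
            if (!c.isAnnotationPresent(Path.class) || present(c, RolesAllowed.class)) continue;
            String note = present(c, DenyAll.class) ? "@DenyAll would not be enforced"
                        : present(c, PermitAll.class) ? "@PermitAll only, no constraints generated"
                        : "no security annotation at all";
            findings.add(c.getSimpleName() + ": " + note);
        }
        return findings;
    }

    // Constructed sample resources: the first matches the report, the second does not.
    @DenyAll @Path("/denied")
    static class DeniedResource { public String denied() { return ""; } }

    @Path("/mixed")
    static class MixedResource {
        @RolesAllowed("admin") public String admin() { return ""; }
        @DenyAll public String never() { return ""; }
    }

    public static void main(String[] args) {
        audit(DeniedResource.class, MixedResource.class).forEach(System.out::println);
    }
}
```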
      


              People

              • Assignee:
                mkouba Martin Kouba
                Reporter:
                lthon Ladislav Thon