Thorntail - THORN-1954

MP JWT: unconstrained method denied access if the resource also contains constrained method

    Details

      Description

      If I use MP JWT to secure my JAX-RS resource, but leave some methods unconstrained, I expect that access to them will be granted to everyone. E.g. the unconstrained method in this example:

      import javax.annotation.security.RolesAllowed;
      import javax.ws.rs.GET;
      import javax.ws.rs.Path;

      @Path("/mixed")
      public class MixedResource {
          // Secured: any authenticated caller with at least one role may access it.
          @GET
          @Path("/constrained")
          @RolesAllowed("*")
          public String constrained() {
              return "Constrained method";
          }

          // No annotation at all: expected to be open to everyone.
          @GET
          @Path("/unconstrained")
          public String unconstrained() {
              return "Unconstrained method";
          }
      }

      However, access is denied. This is caused by this piece of code from MPJWTAuthExtensionArchivePreparer.generateSecurityConstraints:

      String[] localRoles = null;
      if (classPermitAll != null) {
          localRoles = EMPTY_ROLES;
      } else if (classRolesAllowed != null) {
          localRoles = classRolesAllowed.value().asStringArray();
      }
      newConstraints.add(createSecurityConstraint(webXml, getUriPath(subpath, fullAppPath.toString()), localRoles));
      

      Here, localRoles defaults to null, which is the same as @DenyAll, so a class-level @DenyAll is just implicitly assumed. That's wrong; we should explicitly check if there's a class-level @DenyAll, and if not, it means there's no class-level constraint and the unconstrained method shouldn't be secured at all.

      (Actually that's just my assumption. I'm no EJB security expert. Could someone confirm how EJB security works in this case? I think the behavior is modeled after EJB security, so should be as similar as possible.)
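The decision the report asks for, as an added example that is not code from the Thorntail project or from the reporter: a hypothetical resolver that reads the three javax.annotation.security annotations via plain reflection (the real extension reads a Jandex index), lets a method-level annotation win, and treats an absent class-level annotation as "emit no constraint" rather than as an implicit @DenyAll. The MixedResource below is constructed for the demo with the JAX-RS annotations omitted.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

// Hypothetical stand-in for the class-level decision in generateSecurityConstraints.
// It uses plain reflection instead of the Jandex index the real extension reads.
public class ConstraintResolution {

    /** Which web.xml security-constraint, if any, a method should receive. */
    enum Kind { NONE, PERMIT_ALL, DENY_ALL, ROLES }

    static final class Decision {
        final Kind kind; final String[] roles;
        Decision(Kind kind, String[] roles) { this.kind = kind; this.roles = roles; }
        @Override public String toString() {
            return kind == Kind.ROLES ? "ROLES" + Arrays.toString(roles) : kind.toString();
        }
    }

    /** Reads the javax.annotation.security annotations declared on a method or class. */
    static Decision fromAnnotations(AnnotatedElement e) {
        if (e.isAnnotationPresent(DenyAll.class)) return new Decision(Kind.DENY_ALL, null);
        if (e.isAnnotationPresent(PermitAll.class)) return new Decision(Kind.PERMIT_ALL, null);
        RolesAllowed ra = e.getAnnotation(RolesAllowed.class);
        if (ra != null) return new Decision(Kind.ROLES, ra.value());
        return new Decision(Kind.NONE, null); // nothing declared at this level
    }

    /** Method-level annotation wins; otherwise the class level decides. An absent
     *  class-level annotation yields NONE (generate no constraint), never an implicit
     *  DENY_ALL; that is the explicit check the report asks for. */
    static Decision resolve(Method m) {
        Decision atMethod = fromAnnotations(m);
        return atMethod.kind != Kind.NONE ? atMethod : fromAnnotations(m.getDeclaringClass());
    }

    // Constructed resource mirroring the report's MixedResource (JAX-RS annotations omitted).
    public static class MixedResource {
        @RolesAllowed("*") public String constrained() { return "Constrained method"; }
        public String unconstrained() { return "Unconstrained method"; }
    }

    public static void main(String[] args) {
        for (Method m : MixedResource.class.getDeclaredMethods()) {
            System.out.println(m.getName() + " -> " + resolve(m));
        }
    }
}
```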

              People

                Assignee: mkouba Martin Kouba
                Reporter: lthon Ladislav Thon
                Votes: 0
                Watchers: 2
