
MP JWT: unconstrained method denied access if the resource also contains constrained method



      If I use MP JWT to secure my JAX-RS resource, but leave some methods unconstrained, I expect access to them will be granted to everyone. E.g. the unconstrained method in this example:

      @Path("mixed") public class MixedResource {
          @GET @Path("constrained") @RolesAllowed("user") // role name is a placeholder; the report does not give it
          public String constrained() {
              return "Constrained method";
          }
          @GET @Path("unconstrained") // no security annotation: expected to be open to everyone
          public String unconstrained() {
              return "Unconstrained method";
          }
      }

      However, access is denied. This is caused by this piece of code from MPJWTAuthExtensionArchivePreparer.generateSecurityConstraints:

      String[] localRoles = null;
      if (classPermitAll != null) {
          localRoles = EMPTY_ROLES;                                // class-level @PermitAll: no roles required
      } else if (classRolesAllowed != null) {
          localRoles = classRolesAllowed.value().asStringArray(); // class-level @RolesAllowed
      }
      // no class-level annotation at all: localRoles is still null at this point
      newConstraints.add(createSecurityConstraint(webXml, getUriPath(subpath, fullAppPath.toString()), localRoles));

      Here, localRoles defaults to null, which is the same as @DenyAll, and class-level @DenyAll is just implicitly assumed. That's wrong; we should explicitly check if there's a class-level @DenyAll, and if not, it means there's no class-level constraint and the unconstrained method shouldn't be secured at all.

      (Actually that's just my assumption. I'm no EJB security expert. Could someone confirm how EJB security works in this case? I think the behavior is modeled after EJB security, so should be as similar as possible.)
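To make the proposed fix concrete, here is an added example (not Thorntail code) that models the class-level decision in generateSecurityConstraints: the current branch, where a missing annotation leaves localRoles null, next to a version that checks @DenyAll explicitly and emits no constraint when the class carries nothing. The ClassAnnotations and Decision types and the "null = deny-all, empty = permit-all" convention are assumptions of this model, taken from the description above.

```java
import java.util.Arrays;

// Models the class-level part of MPJWTAuthExtensionArchivePreparer.generateSecurityConstraints
// for a method that carries no security annotation of its own. Convention taken from the report:
// EMPTY_ROLES stands for permit-all and a null role array for deny-all.
public class ClassLevelConstraintDemo {
    static final String[] EMPTY_ROLES = new String[0];
    // Constructed stand-in for the three class-level annotations the preparer looks at.
    static final class ClassAnnotations {
        final boolean denyAll, permitAll;
        final String[] rolesAllowed;            // null when @RolesAllowed is absent
        ClassAnnotations(boolean denyAll, boolean permitAll, String[] rolesAllowed) {
            this.denyAll = denyAll; this.permitAll = permitAll; this.rolesAllowed = rolesAllowed;
        }
    }
    // Current behaviour: with no class-level annotation localRoles stays null, so the
    // constraint that gets generated is effectively @DenyAll.
    static String[] currentRoles(ClassAnnotations c) {
        String[] localRoles = null;
        if (c.permitAll) {
            localRoles = EMPTY_ROLES;
        } else if (c.rolesAllowed != null) {
            localRoles = c.rolesAllowed;
        }
        return localRoles;
    }
    // Outcome of the proposed resolution: either no constraint at all, or one with these roles.
    static final class Decision {
        final boolean emitConstraint;
        final String[] roles;                   // null = deny-all, EMPTY_ROLES = permit-all
        Decision(boolean emitConstraint, String[] roles) { this.emitConstraint = emitConstraint; this.roles = roles; }
    }
    // Proposed behaviour: deny-all only when @DenyAll is actually present; with no
    // class-level annotation, emit no constraint so the method stays unsecured.
    static Decision fixedRoles(ClassAnnotations c) {
        if (c.denyAll) return new Decision(true, null);
        if (c.permitAll) return new Decision(true, EMPTY_ROLES);
        if (c.rolesAllowed != null) return new Decision(true, c.rolesAllowed);
        return new Decision(false, null);
    }
    public static void main(String[] args) {
        ClassAnnotations mixed = new ClassAnnotations(false, false, null); // MixedResource: nothing at class level
        System.out.println("current: roles = " + Arrays.toString(currentRoles(mixed)) + " -> deny-all");
        System.out.println("fixed:   emitConstraint = " + fixedRoles(mixed).emitConstraint + " -> method left open");
        ClassAnnotations denied = new ClassAnnotations(true, false, null);
        System.out.println("fixed with class @DenyAll: roles = " + Arrays.toString(fixedRoles(denied).roles));
    }
}
```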





              • Assignee:
                mkouba Martin Kouba
                lthon Ladislav Thon

