THORN-1955

MP JWT: can't use different roles for different methods with the same @Path but different @Produces

      Description

      The WildFly Swarm MP JWT implementation works by scanning for JAX-RS classes and converting the security annotations to <security-constraint>-s in web.xml. This only allows distinguishing requests by URL and HTTP method. This, however, isn't sufficient to describe all JAX-RS possibilities. Consider this JAX-RS resource:

      import javax.annotation.security.RolesAllowed;
      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.Produces;
      import javax.ws.rs.core.MediaType;

      // One URL (/content-types) and one HTTP method (GET), but two resource
      // methods: JAX-RS picks between them using the request's Accept header.
      @Path("/content-types")
      public class ContentTypesResource {
          // Selected for "Accept: text/plain"; only the "plain" role may call it.
          @GET
          @Produces(MediaType.TEXT_PLAIN)
          @RolesAllowed("plain")
          public String plain() {
              return "Hello, world!";
          }
      
          // Selected for "Accept: text/html"; only the "web" role may call it.
          @GET
          @Produces(MediaType.TEXT_HTML)
          @RolesAllowed("web")
          public String web() {
              return "<html>Hello, world!</html>";
          }
      }
      

      This is 100% valid JAX-RS. The method to be called is selected by URL and by the Accept header. (This is, BTW, often used by people building more complex REST APIs, where they want to serve the same resource in multiple representations.) Our implementation of MP JWT isn't able to honor the @RolesAllowed annotations properly; the plain method can be called by users in the web role and vice versa.
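      The root of the problem is where the check happens. A web.xml security-constraint is keyed on url-pattern plus http-method only, so both methods above collapse onto the same constraint for GET /content-types, and the servlet container unions the auth-constraints of overlapping constraints, which is exactly why each role ends up reaching the other method. The check has to run after JAX-RS has finished matching, i.e. after content negotiation, which is what a post-matching ContainerRequestFilter gives you. The filter below is an added example written for this issue, not Thorntail/WildFly Swarm code: it reads the @RolesAllowed (or @PermitAll/@DenyAll) of the method JAX-RS actually selected via ResourceInfo and checks it against the request's SecurityContext. It assumes the JWT principal and its groups have already been mapped into the SecurityContext by the MP JWT layer (so SecurityContext.isUserInRole reflects the token's groups); the package and class names are made up.

```java
package com.example.security; // assumed package name

import java.lang.reflect.Method;
import java.util.Arrays;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Added example (not project code): enforces JSR-250 security annotations on the
 * resource method JAX-RS selected, so URL, HTTP method AND Accept header all count.
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class MatchedMethodRolesFilter implements ContainerRequestFilter {

    // No @PreMatching here on purpose: the filter runs after method selection,
    // so ResourceInfo points at plain() or web(), not at the class as a whole.
    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext request) {
        Method method = resourceInfo.getResourceMethod();
        Class<?> resource = resourceInfo.getResourceClass();
        if (method == null || resource == null) {
            return; // nothing matched (e.g. runtime-generated OPTIONS), nothing to enforce
        }

        // JSR-250 precedence: a method-level annotation overrides the class-level one.
        if (method.isAnnotationPresent(DenyAll.class)) {
            forbid(request);
            return;
        }
        if (method.isAnnotationPresent(PermitAll.class)) {
            return;
        }
        RolesAllowed roles = method.getAnnotation(RolesAllowed.class);
        if (roles == null) {
            if (resource.isAnnotationPresent(DenyAll.class)) {
                forbid(request);
                return;
            }
            if (resource.isAnnotationPresent(PermitAll.class)) {
                return;
            }
            roles = resource.getAnnotation(RolesAllowed.class);
        }
        if (roles == null) {
            return; // no constraint declared at either level
        }

        // Assumption: the MP JWT layer has already put the token's principal and
        // groups into the SecurityContext before this filter runs.
        SecurityContext sc = request.getSecurityContext();
        if (sc == null || sc.getUserPrincipal() == null) {
            // Unauthenticated: 401 with the Bearer challenge, not 403.
            request.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer")
                    .build());
            return;
        }
        boolean allowed = Arrays.stream(roles.value()).anyMatch(sc::isUserInRole);
        if (!allowed) {
            forbid(request); // authenticated, but not in any of the listed roles
        }
    }

    private static void forbid(ContainerRequestContext request) {
        request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }
}
```

      To verify the behaviour the issue describes is gone, send two GETs to /content-types with a token whose groups contain only "plain": the one with Accept: text/plain should return 200 and the one with Accept: text/html should return 403, and symmetrically for a "web"-only token. A request with no token should get 401 regardless of Accept. Note that this filter only covers resource methods; if the deployment still generates the web.xml constraints from the same annotations, those keep applying first (and, being unioned per URL and method, are looser), so the filter is the one doing the real method-level enforcement.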

People

  Assignee: Michal Szynkiewicz (mszynkie)
  Reporter: Ladislav Thon (lthon)