Uploaded image for project: 'Thorntail'
  1. Thorntail
  2. THORN-1972

MP JWT: can't use different roles for different methods with parameterized @Paths that share a common prefix

    Details

      Description

      The WildFly Swarm MP JWT implementation works by scanning for JAX-RS classes and converting the security annotations to <security-constraint>-s in web.xml. If there is a parameterized @Path, such as @Path("/my/{parameterized}/path"), a <security-constraint> is created only for a prefix of the path, up to the first parameter. This, however, isn't sufficient to describe all JAX-RS possibilities. Consider this JAX-RS resource:

      @Path("/parameterized-paths")
      public class ParameterizedPaths {
          @GET
          @Path("/my/{path}/admin")
          @RolesAllowed("admin")
          public String admin(@PathParam("path") String path) {
              return "Admin accessed " + path;
          }
      
          @GET
          @Path("/my/{path}/view")
          @RolesAllowed("view")
          public String view(@PathParam("path") String path) {
              return "View accessed " + path;
          }
      }
      

      This is a 100% valid JAX-RS. The method to be called is selected by the full URL, not just by a prefix. Our implementation of MP JWT isn't able to honor the @RolesAllowed annotations properly; the admin method can be called by users in the view role et vice versa.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mszynkie Michal Szynkiewicz
                  Reporter:
                  lthon Ladislav Thon
                • Votes:
                  1 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: