  1. Thorntail
  2. THORN-2142

MP JWT: resource methods without security annotations are always allowed

    Details

      Description

      After the recent refactoring of MP JWT authorization, JAX-RS resource methods that don't have a security annotation (and the class doesn't have a security annotation either) are always allowed.

      This is inconsistent with previous behavior (= it's a regression) and also with how security annotations behave by default. If the class contains other methods that do have security annotations, then methods without security annotations should behave as if they were annotated @DenyAll. This is also documented in the fraction reference docs; see swarm.microprofile.jwt.default-missing-method-permissions-deny-access.
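An audit sketch for the rule described above, as an added example that is not Thorntail's code or part of the original issue. It assumes the `javax.annotation.security` and `javax.ws.rs` API jars are on the classpath; `MissingAnnotationAudit`, `AccountResource` and its paths are hypothetical names constructed for illustration. It flags methods that carry no security annotation in a class where other methods do, which per this issue should behave as `@DenyAll`.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Map;
import java.util.TreeMap;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

public class MissingAnnotationAudit {

    // Constructed sample resource: one secured method, one with no security annotation.
    @Path("/accounts")
    public static class AccountResource {
        @GET @Path("/mine") @RolesAllowed("user")
        public String mine() { return "own account"; }

        @GET @Path("/all") // unannotated: expected to behave as @DenyAll
        public String all() { return "every account"; }
    }

    // True if the class or method carries any of the standard security annotations.
    static boolean secured(AnnotatedElement e) {
        return e.isAnnotationPresent(RolesAllowed.class)
            || e.isAnnotationPresent(PermitAll.class)
            || e.isAnnotationPresent(DenyAll.class);
    }

    // Maps each public method to the decision expected under the rule in this issue.
    static Map<String, String> audit(Class<?> resource) {
        boolean classSecured = secured(resource);
        boolean anyMethodSecured = Arrays.stream(resource.getDeclaredMethods())
                                         .anyMatch(MissingAnnotationAudit::secured);
        Map<String, String> out = new TreeMap<>();
        for (Method m : resource.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers())) continue;
            if (secured(m))            out.put(m.getName(), "method annotation applies");
            else if (classSecured)     out.put(m.getName(), "class annotation applies");
            else if (anyMethodSecured) out.put(m.getName(), "expected @DenyAll; a regression if reachable");
            else                       out.put(m.getName(), "no security annotations in class");
        }
        return out;
    }

    public static void main(String[] args) {
        audit(AccountResource.class).forEach((name, d) -> System.out.println(name + ": " + d));
    }
}
```

Any method reported as "expected @DenyAll" is one to cover with a regression test asserting that a request carrying a valid token is still rejected.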

              People

              • Assignee:
                lthon Ladislav Thon
                Reporter:
                lthon Ladislav Thon