Undertow: UNDERTOW-1997

SecurityPathMatches fails to match default path ('/')

Create a webapp with the following security constraints:

      <security-constraint>
          <web-resource-collection>
              <url-pattern>/accessible</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>*</role-name>
          </auth-constraint>
      </security-constraint>
      <security-constraint>
          <web-resource-collection>
              <url-pattern>/</url-pattern>
          </web-resource-collection>
          <auth-constraint/>
      </security-constraint>
      

Given these and no other security constraints, requests for any resource other than "/accessible" should yield a 403 error. However, SecurityPathMatches ignores the security constraint defined for URL pattern '/'.


      The SecurityPathMatches.getSecurityInfo(String, String) method fails to return the security info for path '/' when no other security info matches a given URL.

      As stated in the JavaEE Tutorial:

      If, for your web application, you do not want any resource to be accessible unless you explicitly define a constraint that permits access to it, you can define an auth-constraint that names no roles and associate it with the URL pattern /. The URL pattern / is the weakest matching pattern. Do not list any HTTP methods in this constraint:

      <!-- SECURITY CONSTRAINT #7 -->
      <security-constraint>
          <display-name>
              Switch from Constraint to Permission model
              (where everything is denied by default)
          </display-name>
          <web-resource-collection>
              <url-pattern>/</url-pattern>
          </web-resource-collection>
          <auth-constraint/>
      </security-constraint>
      

      Update: here is the link for the same Java EE tutorial, Jakarta EE9 version: https://eclipse-ee4j.github.io/jakartaee-tutorial/#securing-http-resources
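The matching rule the report relies on (exact match, then longest path prefix, then extension, then the default pattern '/' as the weakest match) together with the auth-constraint semantics, as an added example in Python; it is not Undertow code. CONSTRAINTS is the report's descriptor transcribed (no http-method elements, so methods are not modelled), and the rule for combining several constraints on one pattern is an assumption based on the Servlet specification.

```python
# Model of Servlet url-pattern precedence and auth-constraint semantics; an
# assumption-based example, not Undertow code. roles: None = no <auth-constraint>
# (everyone permitted), set() = empty <auth-constraint/> (everyone denied),
# {"*"} = any application role. Constraints taken from the report above.
CONSTRAINTS = [
    {"patterns": ["/accessible"], "roles": {"*"}},
    {"patterns": ["/"], "roles": set()},
]

def pattern_rank(pattern, path):
    """(category, tiebreak) if pattern matches path, else None; smaller wins:
    0 exact, 1 longest path prefix, 2 extension, 3 the default pattern '/'."""
    if pattern == "/":                        # weakest match: matches every path
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))          # longer prefix ranks first
        return None
    if pattern.startswith("*."):
        return (2, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if path == pattern else None

def matching_roles(path, constraints=CONSTRAINTS):
    """Roles a request must hold: None when unconstrained, a set otherwise.
    Only constraints on the best-matching pattern apply; several on the same
    pattern are combined (role union; deny-all / permit-all dominate)."""
    best, combined = None, None
    for c in constraints:
        for p in c["patterns"]:
            rank = pattern_rank(p, path)
            if rank is None:
                continue
            roles = None if c["roles"] is None else set(c["roles"])
            if best is None or rank < best:
                best, combined = rank, roles
            elif rank == best and combined is not None:
                combined = None if roles is None else (
                    set() if not (roles and combined) else combined | roles)
    return combined

def is_permitted(path, user_roles):
    """user_roles: the caller's roles; empty for an unauthenticated caller."""
    required = matching_roles(path)
    if required is None:
        return True                           # resource is unconstrained
    if not required:
        return False                          # <auth-constraint/>: 403 for everyone
    if "*" in required:
        return bool(user_roles)               # any application role will do
    return bool(required & user_roles)
```

With the report's descriptor, only "/accessible" resolves to a role requirement; every other path, including "/" itself and "/accessible/sub", falls through to the default pattern and is denied.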

              flaviarnn Flavia Rainone
              kevinwimmer@situsamc.com Kevin Wimmer (Inactive)