Bug
Resolution: Done
Critical
The SecurityPathMatches.getSecurityInfo(String, String) method fails to return the security info registered for the path '/' when no other security info matches the given URL.
As stated in the Java EE Tutorial:
If, for your web application, you do not want any resource to be accessible unless you explicitly define a constraint that permits access to it, you can define an auth-constraint that names no roles and associate it with the URL pattern /. The URL pattern / is the weakest matching pattern. Do not list any HTTP methods in this constraint:
<!-- SECURITY CONSTRAINT #7 -->
<security-constraint>
    <display-name>
        Switch from Constraint to Permission model (where everything is denied by default)
    </display-name>
    <web-resource-collection>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
Update: here is the link for the same Java EE tutorial, Jakarta EE9 version: https://eclipse-ee4j.github.io/jakartaee-tutorial/#securing-http-resources
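As an added example (not Undertow's code, and not the SecurityPathMatches class named in the report), the following Java sketch models the servlet url-pattern matching order with a hypothetical Constraint record and a match method whose honourDefault flag toggles the "/" fallback; it assumes Java 16 or later for the record syntax.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;

// Added example, not Undertow's code: a minimal model of servlet security-constraint matching
// that contrasts a correct fallback to "/" with the behaviour this issue reports.
public class DenyByDefaultDemo {
    // Hypothetical constraint record; an empty role set models <auth-constraint/> (nobody allowed).
    record Constraint(String pattern, Set<String> roles) {}
    // Servlet matching order: exact, longest path prefix ("/x/*"), extension ("*.ext"), then default "/".
    // honourDefault=false reproduces the reported defect: the "/" entry is never returned.
    static Optional<Constraint> match(List<Constraint> cs, String path, boolean honourDefault) {
        Constraint best = null;
        int bestLen = -1;
        for (Constraint c : cs) {
            String p = c.pattern();
            if (p.equals(path)) return Optional.of(c);
            if (p.endsWith("/*")) {
                String prefix = p.substring(0, p.length() - 2);
                boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
                if (hit && prefix.length() > bestLen) { best = c; bestLen = prefix.length(); }
            }
        }
        if (best != null) return Optional.of(best);
        for (Constraint c : cs)
            if (c.pattern().startsWith("*.") && path.endsWith(c.pattern().substring(1))) return Optional.of(c);
        if (honourDefault)
            for (Constraint c : cs) if (c.pattern().equals("/")) return Optional.of(c);
        return Optional.empty(); // no security info: the container treats the path as unconstrained
    }

    static boolean permitted(Optional<Constraint> info, Set<String> userRoles) {
        if (info.isEmpty()) return true;                // unconstrained resource
        Set<String> roles = info.get().roles();
        if (roles.isEmpty()) return false;              // <auth-constraint/> with no roles denies everyone
        return roles.stream().anyMatch(userRoles::contains);
    }
    public static void main(String[] args) {
        List<Constraint> cs = List.of(
            new Constraint("/admin/*", Set.of("admin")),
            new Constraint("/", Set.of()));             // SECURITY CONSTRAINT #7 from the tutorial
        Set<String> anonymous = Set.of();
        for (String path : List.of("/admin/users", "/public/index.html")) {
            boolean fixed = permitted(match(cs, path, true), anonymous);
            boolean buggy = permitted(match(cs, path, false), anonymous);
            System.out.printf("%-20s fixed: %-5b buggy: %b%n", path, fixed, buggy);
        }
    }
}
```

With the "/" fallback honoured, the anonymous request to /public/index.html is denied; with it skipped, the same request is permitted, which is the exposure the report describes.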
Is incorporated by:
- WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764) (Closed)
- WFLY-17017 Upgrade Undertow to 2.3.0.Beta1 (Closed)
- WFCORE-6056 Upgrade Undertow to 2.3.0.Beta1 (Closed)