Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-12397

Undertow should not create WebResourcePermission with an action of "!"

XMLWordPrintable

      As Undertow processes a deployment to convert the security constraints to a JACC Policy using JACC Permissions there is a step which adds unchecked permissions based on the HTTP methods seen so far: -

                  if(jbossWebMetaData.getDenyUncoveredHttpMethods() == null) {
                      if (seenMethods.size() != NUMBER_OF_HTTP_METHODS) {
                          WebResourcePermission wrpUnchecked = new WebResourcePermission(qurl, "!"
                                  + getCommaSeparatedString(seenMethods.toArray(new String[seenMethods.size()])));
                          pc.addToUncheckedPolicy(wrpUnchecked);
                      }
                  }
      

      If no methods have been seen so far this can lead to an action of "!".

      Where an action is null or empty String the meaning is "all methods".
      Where a list of methods of prefixed with "!" the meaning is "all methods except those listed".

      Where we use "Unable to render embedded object: File (" we mean all methods as we have not already encountered any, however the API does specify the syntax and a single ") not found." without any actions is invalid so for that scenario we should use null or empty String.

              darran.lofthouse@redhat.com Darran Lofthouse
              darran.lofthouse@redhat.com Darran Lofthouse
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: