  1. WildFly
  2. WFLY-12397

Undertow should not create WebResourcePermission with an action of "!"

    Details

      Description

      As Undertow processes a deployment to convert the security constraints to a JACC Policy using JACC Permissions, there is a step which adds unchecked permissions based on the HTTP methods seen so far:

                  if(jbossWebMetaData.getDenyUncoveredHttpMethods() == null) {
                      if (seenMethods.size() != NUMBER_OF_HTTP_METHODS) {
                          WebResourcePermission wrpUnchecked = new WebResourcePermission(qurl, "!"
                                  + getCommaSeparatedString(seenMethods.toArray(new String[seenMethods.size()])));
                          pc.addToUncheckedPolicy(wrpUnchecked);
                      }
                  }
      

      If no methods have been seen so far this can lead to an action of "!".

      Where an action is null or empty String the meaning is "all methods".
      Where a list of methods is prefixed with "!" the meaning is "all methods except those listed".

      Where we use "!" we mean all methods as we have not already encountered any, however the API does specify the syntax and a single "!" without any actions is invalid so for that scenario we should use null or empty String.
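
One way to build the actions string without ever producing a bare "!", as an added example that is not the WildFly or Undertow code. The class and method names, the `ALL` method set (standing in for `NUMBER_OF_HTTP_METHODS`) and the `interpret` check are assumptions for illustration; the returned string is what would be passed as the actions argument of `WebResourcePermission`.

```java
import java.util.Arrays;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;

public class UncheckedActions {
    // Constructed sample set; its size stands in for NUMBER_OF_HTTP_METHODS.
    static final Set<String> ALL = new TreeSet<>(Arrays.asList(
            "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE"));

    /** Hypothetical helper: actions for the unchecked permission, or empty if none is needed. */
    static Optional<String> uncheckedActions(Set<String> seenMethods) {
        if (seenMethods.size() == ALL.size()) {
            return Optional.empty();          // every method already covered
        }
        if (seenMethods.isEmpty()) {
            return Optional.of("");           // empty String = "all methods", never a bare "!"
        }
        // "!" + list = "all methods except those listed"
        return Optional.of("!" + String.join(",", new TreeSet<>(seenMethods)));
    }

    /** Hypothetical check: the set of methods an actions string denotes. */
    static Set<String> interpret(String actions) {
        if (actions == null || actions.isEmpty()) {
            return new TreeSet<>(ALL);
        }
        boolean exclude = actions.startsWith("!");
        String list = exclude ? actions.substring(1) : actions;
        if (list.isEmpty()) {
            throw new IllegalArgumentException("\"!\" without methods is invalid");
        }
        Set<String> named = new TreeSet<>(Arrays.asList(list.split(",")));
        if (!exclude) {
            return named;
        }
        Set<String> rest = new TreeSet<>(ALL);
        rest.removeAll(named);
        return rest;
    }

    public static void main(String[] args) {
        for (Set<String> seen : Arrays.asList(Set.<String>of(), Set.of("GET", "POST"), ALL)) {
            System.out.println(new TreeSet<>(seen) + " -> " + uncheckedActions(seen)
                    .map(a -> "\"" + a + "\" = " + interpret(a)).orElse("no unchecked permission"));
        }
    }
}
```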

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  dlofthouse Darran Lofthouse