[jboss-jira] [JBoss JIRA] Closed: (JBAS-4691) JACC: Unchecked WebUserDataPermission(s) for excluded and transport guarantee use cases
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Fri Sep 7 16:57:11 EDT 2007
[ http://jira.jboss.com/jira/browse/JBAS-4691?page=all ]
Anil Saldhana closed JBAS-4691.
-------------------------------
Resolution: Done
============
asaldhana~/jboss-4.2>svn ci -m "JBAS-4691: unchecked WebUserDataPermission taking into account transport guarantee and excluding auth-constraint" server testsuite
Sending server\src\main\org\jboss\web\WebPermissionMapping.java
Adding testsuite\src\main\org\jboss\test\jacc\test\TestJBossPolicyConfiguration.java
Adding testsuite\src\main\org\jboss\test\jacc\test\WebPermissionsValidationTestCase.java
Adding testsuite\src\resources\security\jacc\webperm
Adding testsuite\src\resources\security\jacc\webperm\web.xml
Transmitting file data ....
Committed revision 65246.
========================
> JACC: Unchecked WebUserDataPermission(s) for excluded and transport guarantee use cases
> ---------------------------------------------------------------------------------------
>
> Key: JBAS-4691
> URL: http://jira.jboss.com/jira/browse/JBAS-4691
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.2.0.GA
> Reporter: Anil Saldhana
> Assigned To: Anil Saldhana
> Fix For: JBossAS-4.2.2.GA
>
>
> If security constraints exist with an excluding auth-constraint, then a WUDP needs to be added to unchecked policy for http methods that are non-excluded.
> Additionally, an unchecked perm should be added for:
> /**
>  * A WebResourcePermission and a WebUserDataPermission must be added to the unchecked
>  * policy statements for each url-pattern in the DD and the default pattern, "/",
>  * that is not combined by the webresource-collection elements of the deployment descriptor
>  * with every HTTP method value. (JACC 1.0: Section 3.1.3.1)
>  */
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
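
The first rule in the issue description, as an added example (not the committed WebPermissionMapping code): an excluding auth-constraint on some HTTP methods puts those methods in the excluded policy, and the remaining methods get an unchecked WebUserDataPermission. It assumes the javax.security.jacc API jar is on the classpath; the class name, the /restricted/* pattern, the excluded methods and the seven-method list are hypothetical, and transport guarantees are left out.

```java
import java.security.Permissions;
import java.util.Arrays;
import java.util.List;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;

public class ExcludedConstraintMapping {
    // Assumption: the method universe the mapping enumerates.
    static final List<String> ALL_METHODS =
        Arrays.asList("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE");

    // HTTP methods the excluding constraint does not name.
    static String[] nonExcluded(String[] excludedMethods) {
        List<String> ex = Arrays.asList(excludedMethods);
        return ALL_METHODS.stream().filter(m -> !ex.contains(m)).toArray(String[]::new);
    }

    // Fills the two policy buckets for one url-pattern with an excluding auth-constraint.
    static void map(String pattern, String[] excludedMethods,
                    Permissions excluded, Permissions unchecked) {
        excluded.add(new WebResourcePermission(pattern, excludedMethods));
        excluded.add(new WebUserDataPermission(pattern, excludedMethods, null));

        String[] rest = nonExcluded(excludedMethods);
        // An empty method array means "all methods" in the JACC permission classes,
        // so skip the unchecked statements when every method is excluded.
        if (rest.length > 0) {
            unchecked.add(new WebResourcePermission(pattern, rest));
            unchecked.add(new WebUserDataPermission(pattern, rest, null)); // null transport = NONE
        }
    }

    public static void main(String[] args) {
        Permissions excluded = new Permissions();
        Permissions unchecked = new Permissions();
        map("/restricted/*", new String[] {"GET", "POST"}, excluded, unchecked);

        // Permissions a container would check for two constructed requests.
        WebUserDataPermission put = new WebUserDataPermission("/restricted/a", "PUT");
        WebUserDataPermission get = new WebUserDataPermission("/restricted/a", "GET");

        System.out.println("PUT unchecked: " + unchecked.implies(put));
        System.out.println("GET excluded:  " + excluded.implies(get));
        System.out.println("GET unchecked: " + unchecked.implies(get));
    }
}
```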