[jboss-jira] [JBoss JIRA] (JBEE-143) JACC permissions added to the unchecked policy must be constructed using qualified pattern as their name
Stefan Guilhen (JIRA)
jira-events at lists.jboss.org
Thu Sep 26 16:01:03 EDT 2013
Stefan Guilhen created JBEE-143:
-----------------------------------
Summary: JACC permissions added to the unchecked policy must be constructed using qualified pattern as their name
Key: JBEE-143
URL: https://issues.jboss.org/browse/JBEE-143
Project: JBoss JavaEE Spec APIs
Issue Type: Bug
Components: jboss-jacc-api
Affects Versions: JavaEE 6 Spec APIs 3.0.2.Final
Reporter: Stefan Guilhen
Assignee: Stefan Guilhen
Fix For: JavaEE Spec APIs 3.0.3.Final
As reported by [~jcacek]:
JACC 1.1 specification, chapter 3.1.3.1 Translating security-constraint Elements says:
{panel}
A WebResourcePermission and a WebUserDataPermission must be added to
the unchecked policy statements for each url-pattern in the deployment
descriptor and the default pattern, "/", that is not combined by the
web-resource-collection elements of the deployment descriptor with every
HTTP method value. The permission objects must be constructed using the
*qualified pattern* as their name and with actions represented by an HTTP method
exception list that identifies (as defined in “HTTP Method Exception List”) all the
HTTP methods that do not occur in combination with the pattern. The resulting
permissions must be added to the unchecked policy statements by calling the
addToUncheckedPolicy method on the PolicyConfiguration object.
{panel}
but the class WarJaccService doesn't use qualified patterns (around line 170 in source code):
{code}
String excludedString = "!" + getCommaSeparatedString(httpMethods);
WebResourcePermission wrp1 = new WebResourcePermission(info.pattern, excludedString);
WebUserDataPermission wudp1 = new WebUserDataPermission(info.pattern, excludedString);
{code}
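An added example, not code from JBoss or from the issue report: a sketch of how a qualified pattern could be computed from the url-patterns of a deployment descriptor, following the qualification rules in the same chapter of the JACC specification. The class name, method names and sample patterns are hypothetical; the string returned by `qualify` is what would be passed as the permission name in place of `info.pattern`.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper, not part of WarJaccService or jboss-jacc-api.
public class QualifiedPatternExample {

    static boolean isPrefix(String p)    { return p.endsWith("/*"); }
    static boolean isExtension(String p) { return p.startsWith("*."); }
    static boolean isDefault(String p)   { return p.equals("/"); }
    static boolean isExact(String p)     { return !isPrefix(p) && !isExtension(p) && !isDefault(p); }

    // True if 'pattern' matches 'other' under servlet url-pattern matching.
    static boolean matches(String pattern, String other) {
        if (pattern.equals(other) || isDefault(pattern)) return true;
        if (isPrefix(pattern)) {
            String base = pattern.substring(0, pattern.length() - 2); // "/a/*" -> "/a"
            return other.equals(base) || other.startsWith(base + "/");
        }
        if (isExtension(pattern)) return other.endsWith(pattern.substring(1)); // "*.jsp" -> ".jsp"
        return false; // an exact pattern matches only itself
    }

    // Appends the colon-separated qualifying patterns to 'pattern'.
    static String qualify(String pattern, List<String> all) {
        Set<String> qualifiers = new LinkedHashSet<>(); // keeps order, drops duplicates
        for (String other : all) {
            // Exact patterns carry no qualifiers; a pattern never qualifies itself.
            if (other.equals(pattern) || isExact(pattern)) continue;
            boolean add;
            if (isDefault(pattern)) add = true; // "/" is qualified by every other pattern
            else if (isExtension(pattern)) add = isPrefix(other) || (isExact(other) && matches(pattern, other));
            else add = (isPrefix(other) || isExact(other)) && matches(pattern, other); // path-prefix
            if (add) qualifiers.add(other);
        }
        StringBuilder name = new StringBuilder(pattern);
        for (String q : qualifiers) name.append(':').append(q);
        return name.toString();
    }

    public static void main(String[] args) {
        // Constructed sample url-patterns, as they might appear in a web.xml.
        List<String> patterns = Arrays.asList(
                "/", "/secured/*", "/secured/admin/*", "/secured/index.html", "*.jsp");
        for (String p : patterns) System.out.println(p + "  ->  " + qualify(p, patterns));
    }
}
```

With the unqualified name, an unchecked permission for `/` or `/secured/*` also implies the more specific constrained patterns beneath it, which is why the qualifiers matter for access decisions.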