[jboss-jira] [JBoss JIRA] (JBEE-144) JACC 1.1 implementation must use exception list instead of missing method list for HTTP methods in the unchecked permissions
Stefan Guilhen (JIRA)
jira-events at lists.jboss.org
Thu Sep 26 16:03:03 EDT 2013
Stefan Guilhen created JBEE-144:
-----------------------------------
Summary: JACC 1.1 implementation must use exception list instead of missing method list for HTTP methods in the unchecked permissions
Key: JBEE-144
URL: https://issues.jboss.org/browse/JBEE-144
Project: JBoss JavaEE Spec APIs
Issue Type: Bug
Components: jboss-jacc-api
Affects Versions: JavaEE 6 Spec APIs 3.0.2.Final
Reporter: Stefan Guilhen
Assignee: Stefan Guilhen
Fix For: JavaEE Spec APIs 3.0.3.Final
As reported by [~jcacek]:
The method {{org.jboss.as.web.security.WarJaccService.PatternInfo.getMissingMethods()}} which subtracts current methods set from the "big 7" is used for constructing some unchecked permissions.
The method exception list (i.e. exclamation mark followed by current methods) must be used instead - as defined in section 3.1.3.1 of JACC 1.1 specification.
The specification says:
{panel}
h4.HTTP Method Exception List
An HTTP method exception list is used to represent, by set difference, a
non-enumerable subset of the set of all possible HTTP methods. An exception list
represents the subset of the complete set of HTTP methods formed by subtracting
the methods named in the exception list from the complete set.
An exception list is distinguished by its first character, which must be the
exclamation point (i.e., “!”) character. A comma separated list of one or more
HTTP method names must follow the exclamation point.
{panel}
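Added example (not part of the original message and not the WarJaccService code): a simplified Java model of the two method-list forms the report contrasts, showing which HTTP methods each form covers when GET and POST are the constrained methods. The class name, helper names and sample methods are constructed for illustration, and covers() only approximates the matching rules of the specification section quoted above.

```java
import java.util.*;

public class MethodSpecDemo {
    // The seven standard methods ("big 7") that a missing-method list subtracts from.
    static final List<String> BIG7 =
        Arrays.asList("DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE");

    // Enumerated form: the "big 7" minus the methods already constrained.
    static String missingMethods(Set<String> constrained) {
        List<String> rest = new ArrayList<>(BIG7);
        rest.removeAll(constrained);
        return String.join(",", rest);
    }

    // Exception-list form: "!" followed by the constrained methods.
    static String exceptionList(Set<String> constrained) {
        return "!" + String.join(",", new TreeSet<>(constrained));
    }

    // Simplified model of method-spec matching (an assumption of this example):
    // empty means every method, a leading "!" means every method except those
    // listed, anything else is a plain enumeration.
    static boolean covers(String spec, String method) {
        if (spec == null || spec.isEmpty()) return true;
        boolean exception = spec.startsWith("!");
        Set<String> named = new HashSet<>(
            Arrays.asList((exception ? spec.substring(1) : spec).split(",")));
        return exception != named.contains(method);
    }

    public static void main(String[] args) {
        // Constructed sample: a constraint that names GET and POST.
        Set<String> constrained = new TreeSet<>(Arrays.asList("GET", "POST"));
        String enumerated = missingMethods(constrained);
        String excepted = exceptionList(constrained);
        System.out.println("enumerated: " + enumerated);
        System.out.println("exception:  " + excepted);
        // PATCH and PROPFIND stand in for methods outside the "big 7".
        for (String m : Arrays.asList("GET", "PUT", "PATCH", "PROPFIND")) {
            System.out.printf("%-9s enumerated=%-5b exception=%b%n",
                m, covers(enumerated, m), covers(excepted, m));
        }
    }
}
```

With these inputs the enumerated list covers only the remaining big-7 methods, while the exception list !GET,POST also covers PATCH and PROPFIND.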