[jboss-jira] [JBoss JIRA] (WFLY-12397) Undertow should not create WebResourcePermission with an action of "!"
Darran Lofthouse (Jira)
issues at jboss.org
Tue Aug 20 10:59:00 EDT 2019
Darran Lofthouse created WFLY-12397:
---------------------------------------
Summary: Undertow should not create WebResourcePermission with an action of "!"
Key: WFLY-12397
URL: https://issues.jboss.org/browse/WFLY-12397
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 18.0.0.Beta1
As Undertow processes a deployment to convert the security constraints to a JACC Policy using JACC Permissions there is a step which adds unchecked permissions based on the HTTP methods seen so far: -
{noformat}
if(jbossWebMetaData.getDenyUncoveredHttpMethods() == null) {
    if (seenMethods.size() != NUMBER_OF_HTTP_METHODS) {
        WebResourcePermission wrpUnchecked = new WebResourcePermission(qurl, "!"
                + getCommaSeparatedString(seenMethods.toArray(new String[seenMethods.size()])));
        pc.addToUncheckedPolicy(wrpUnchecked);
    }
}
{noformat}
If no methods have been seen so far this can lead to an action of "!".
Where an action is null or empty String the meaning is "all methods".
Where a list of methods is prefixed with "!" the meaning is "all methods except those listed".
Where we use "!" we mean all methods, as we have not already encountered any; however, the API does specify the syntax, and a single "!" without any actions is invalid, so for that scenario we should use null or empty String.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
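
The action rules described in the issue, as an added example that is not WildFly's or Undertow's own code: it builds the action string so that an empty set of seen methods yields the empty string ("all methods") instead of a bare "!", and checks a string against the three cases listed above. The class name, helper names and the contents of `ALL_METHODS` are assumptions; the returned string is what would be passed as the second argument of `WebResourcePermission`.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;

public class UncheckedActions {
    // Assumption: the method set behind NUMBER_OF_HTTP_METHODS (not listed in the issue).
    static final Set<String> ALL_METHODS =
            Set.of("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE");

    // Actions for the unchecked permission, or empty if no permission should be added.
    static Optional<String> uncheckedActions(Set<String> seenMethods) {
        if (seenMethods.size() == ALL_METHODS.size()) {
            return Optional.empty();              // every method already covered
        }
        if (seenMethods.isEmpty()) {
            return Optional.of("");               // "all methods", never a bare "!"
        }
        // "all methods except those listed"; sorted for stable output
        return Optional.of("!" + String.join(",", new TreeSet<>(seenMethods)));
    }

    // Syntax check matching the three cases in the issue description.
    static boolean isValidMethodSpec(String actions) {
        if (actions == null || actions.isEmpty()) {
            return true;                          // all methods
        }
        String list = actions.startsWith("!") ? actions.substring(1) : actions;
        if (list.isEmpty()) {
            return false;                         // bare "!" has no method list
        }
        for (String method : list.split(",", -1)) {
            if (method.isEmpty()) {
                return false;                     // empty element such as "GET,,POST"
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: nothing seen, two methods seen, all methods seen.
        List<Set<String>> cases = List.of(Set.of(), Set.of("GET", "POST"), ALL_METHODS);
        for (Set<String> seen : cases) {
            String result = uncheckedActions(seen)
                    .map(a -> "\"" + a + "\" valid=" + isValidMethodSpec(a))
                    .orElse("no permission added");
            System.out.println(seen.size() + " seen -> " + result);
        }
        System.out.println("\"!\" valid=" + isValidMethodSpec("!"));
    }
}
```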