[jboss-jira] [JBoss JIRA] (WFLY-12397) Undertow should not create WebResourcePermission with an action of "!"

Brian Stansberry (Jira) issues at jboss.org
Fri Aug 23 16:15:00 EDT 2019 

    [ https://issues.jboss.org/browse/WFLY-12397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13774932#comment-13774932 ] 

Brian Stansberry commented on WFLY-12397:
-----------------------------------------

[~dlofthouse] In the last paragraph in the description there is some strange quoted text. I think you meant two occurrences of "!" but some other text got swapped in.

No big deal. I was doing PR review and wanted to understand what I was looking at and that paragraph got me scratching my head a bit. :)

> Undertow should not create WebResourcePermission with an action of "!"
> ----------------------------------------------------------------------
>
>                 Key: WFLY-12397
>                 URL: https://issues.jboss.org/browse/WFLY-12397
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Major
>             Fix For: 18.0.0.Beta1
>
>
> As Undertow processes a deployment to convert the security constraints to a JACC Policy using JACC Permissions there is a step which adds unchecked permissions based on the HTTP methods seen so far: -
> {noformat}
>             if(jbossWebMetaData.getDenyUncoveredHttpMethods() == null) {
>                 if (seenMethods.size() != NUMBER_OF_HTTP_METHODS) {
>                     WebResourcePermission wrpUnchecked = new WebResourcePermission(qurl, "!"
>                             + getCommaSeparatedString(seenMethods.toArray(new String[seenMethods.size()])));
>                     pc.addToUncheckedPolicy(wrpUnchecked);
>                 }
>             }
> {noformat}
> If no methods have been seen so far this can lead to an action of "!".
> Where an action is null or empty String the meaning is "all methods".
> Where a list of methods of prefixed with "!" the meaning is "all methods except those listed".
> Where we use "!" we mean all methods as we have not already encountered any, however the API does specify the syntax and a single "!" without any actions is invalid so for that scenario we should use null or empty String.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the jboss-jira mailing list