  1. JBoss Enterprise Application Platform 6
  2. JBPAPP6-1380

JACC permissions added to the unchecked policy must be constructed using qualified pattern as their name

    Details

      Description

      JACC 1.1 specification, chapter 3.1.3.1 Translating security-constraint Elements says:

      A WebResourcePermission and a WebUserDataPermission must be added to
      the unchecked policy statements for each url-pattern in the deployment
      descriptor and the default pattern, "/", that is not combined by the
      web-resource-collection elements of the deployment descriptor with every
      HTTP method value. The permission objects must be constructed using the
      qualified pattern as their name and with actions represented by an HTTP method
      exception list that identifies (as defined in “HTTP Method Exception List”) all the
      HTTP methods that do not occur in combination with the pattern. The resulting
      permissions must be added to the unchecked policy statements by calling the
      addToUncheckedPolicy method on the PolicyConfiguration object.

      but the class WarJaccService doesn't use qualified patterns (around line 170 in source code):

      String excludedString = "!" + getCommaSeparatedString(httpMethods);
      WebResourcePermission wrp1 = new WebResourcePermission(info.pattern, excludedString);
      WebUserDataPermission wudp1 = new WebUserDataPermission(info.pattern, excludedString);
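
What a qualified pattern name looks like, as an added example that is not part of the issue report or of the JBoss code base: it applies the qualification rules from the JACC specification's "Qualified URL Pattern Names" section, which this page does not quote. The class name, method names and sample url-patterns are hypothetical.

```java
import java.util.*;
// Added example; class, methods and sample patterns are hypothetical.
public class QualifiedPatternDemo {
    enum Kind { EXACT, PREFIX, EXTENSION, DEFAULT }

    static Kind kind(String p) {
        if (p.equals("/")) return Kind.DEFAULT;
        if (p.startsWith("*.")) return Kind.EXTENSION;
        if (p.endsWith("/*")) return Kind.PREFIX;
        return Kind.EXACT;
    }

    // Does url-pattern `pattern` match the path or pattern `other`?
    static boolean matches(String pattern, String other) {
        switch (kind(pattern)) {
            case DEFAULT: return true;
            case PREFIX: {
                String base = pattern.substring(0, pattern.length() - 2); // drop "/*"
                return other.equals(base) || other.startsWith(base + "/");
            }
            case EXTENSION: return other.endsWith(pattern.substring(1));
            default: return pattern.equals(other);
        }
    }

    // Append the colon-separated qualifying patterns to `pattern`.
    static String qualify(String pattern, Collection<String> all) {
        Kind k = kind(pattern);
        Set<String> q = new TreeSet<>(); // no duplicates, stable order
        for (String o : all) {
            if (k == Kind.EXACT || o.equals(pattern)) continue; // exact: never qualified
            Kind ok = kind(o);
            boolean pathLike = ok == Kind.PREFIX || ok == Kind.EXACT;
            boolean add;
            switch (k) {
                case DEFAULT: add = true; break; // every other pattern
                case EXTENSION: add = ok == Kind.PREFIX || (ok == Kind.EXACT && matches(pattern, o)); break;
                default: add = pathLike && matches(pattern, o); break; // PREFIX
            }
            if (add) q.add(o);
        }
        return q.isEmpty() ? pattern : pattern + ":" + String.join(":", q);
    }

    public static void main(String[] args) {
        // Constructed sample: url-patterns from a hypothetical web.xml plus the default "/".
        List<String> patterns = Arrays.asList("/", "/*", "/secured/*", "/secured/admin", "*.jsp");
        for (String p : patterns) System.out.println(p + " -> " + qualify(p, patterns));
    }
}
```

Under these rules, the name passed to the two permission constructors would be the value returned by `qualify(...)` rather than the bare `info.pattern`.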
      

              People

              • Assignee: Anil Saldanha (anil.saldhana)
              • Reporter: Josef Cacek (jcacek)