When JACC is enabled, annotated role mapping is not enforced properly. #8903
Assignees
Labels
in:Security
release bug
This bug is present in a released version of Open Liberty
release:190010
team:Core Security
Comments
toshiyamamoto
added
in:Security
team:Core Security
release bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When servlet roles are defined by ServletSecurity annotations, the annotations are not parsed correctly, but throws the following exception:
java.lang.NullPointerException
at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.convertMethod(URLMap.java:962)
at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.convertRTM(URLMap.java:1005)
at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.mergeRTM(URLMap.java:952)
at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.getRoleMap(URLMap.java:348)
at com.ibm.ws.security.authorization.jacc.web.impl.WebSecurityPropagatorImpl.processUrlMap(WebSecurityPropagatorImpl.java:333)
This is an example of annotation:
@DeclareRoles({ "Role1" })
@ServletSecurity(value = @HttpConstraint(rolesAllowed = {
"Role1 }), httpMethodConstraints = {
@HttpMethodConstraint(value = "GET", rolesAllowed = "Role1"),
@HttpMethodConstraint(value = "POST", rolesAllowed = "Role1") })
The text was updated successfully, but these errors were encountered: