When JACC is enabled, annotated role mapping is not enforced properly. #8903
Labels: in:Security, release bug (This bug is present in a released version of Open Liberty), release:190010, team:Core Security

When servlet roles are defined by ServletSecurity annotations, the annotations are not parsed correctly, and the following exception is thrown:
```
java.lang.NullPointerException
    at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.convertMethod(URLMap.java:962)
    at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.convertRTM(URLMap.java:1005)
    at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.mergeRTM(URLMap.java:952)
    at com.ibm.ws.security.authorization.jacc.web.impl.URLMap.getRoleMap(URLMap.java:348)
    at com.ibm.ws.security.authorization.jacc.web.impl.WebSecurityPropagatorImpl.processUrlMap(WebSecurityPropagatorImpl.java:333)
```
This is an example of the annotation:

```java
// Class-level constraint plus per-method constraints for GET and POST, all requiring Role1
@DeclareRoles({ "Role1" })
@ServletSecurity(value = @HttpConstraint(rolesAllowed = {
        "Role1" }), httpMethodConstraints = {
                @HttpMethodConstraint(value = "GET", rolesAllowed = "Role1"),
                @HttpMethodConstraint(value = "POST", rolesAllowed = "Role1") })
```