Improve documentation of SecurityContext.hasAccessToWebResource() without specifying the HTTP method #262

Closed
OndroMih opened this issue Aug 16, 2022 · 1 comment

Comments

@OndroMih
Contributor

Presently, the test

response.getWriter().write("has access to /protectedServlet: " + securityContext.hasAccessToWebResource("/protectedServlet") + "\n");

is making a call to SecurityContext.hasAccessToWebResource() without specifying the HTTP method to test.

In the javadoc, this parameter is described as taking "one or more methods to check"; in the specification itself there is also no mention of calling without specifying the HTTP method, and the documented example does specify a method: https://github.com/jakartaee/security/blob/a87eca4492dfc8dd1558f7ce9644a9121e72b384/spec/src/main/asciidoc/securityContext.adoc

This feels like something which could be clarified in a later release.

@OndroMih
Contributor Author

For now, I think what best documents it is the TCK test and some hints in the Javadoc:

  • The Javadoc for SecurityContext.hasAccessToWebResource() contains the following in the documentation of the resource argument: "For a full specification of this pattern see WebResourcePermission(String, String)". I know this isn't in the docs for the methods argument, but WebResourcePermission includes not only a resource pattern but also actions (HTTP methods). So I'd assume that the documentation of WebResourcePermission is relevant also for the methods argument.
  • The Javadoc for WebResourcePermission claims that "A null or empty string HTTPMethodSpec indicates that the permission applies to all HTTP methods at the resources identified by the URL pattern." Which means that the list of actions can be null or empty string. And that in that case the permission applies to all HTTP methods. That is a hint that when the methods argument to SecurityContext.hasAccessToWebResource() is empty, it should return true if the user has permission to all HTTP methods for a given resource.

I believe that this is also in line with what the TCK test expects.
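As an added illustration (not code from the issue, the TCK, or the Jakarta Security project), the servlet below calls hasAccessToWebResource() both with and without an HTTP method, and a helper checks the JACC WebResourcePermission rule the comment relies on: a null or empty HTTPMethodSpec implies any single-method permission on the same pattern, but not the reverse. The resource path /protectedServlet comes from the issue; the servlet name and URL are assumed.

```java
import java.io.IOException;
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import jakarta.security.jacc.WebResourcePermission;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical servlet; /protectedServlet is the resource named in the issue.
@WebServlet("/accessCheckServlet")
public class AccessCheckServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No methods given: following the WebResourcePermission reading in the
        // comment above, this is true only if the caller may use ALL HTTP
        // methods on the resource (an implementation may differ until the
        // specification clarifies it).
        boolean allMethods = securityContext.hasAccessToWebResource("/protectedServlet");
        // One method given: true if the caller may use GET on the resource.
        boolean getOnly = securityContext.hasAccessToWebResource("/protectedServlet", "GET");

        resp.setContentType("text/plain");
        resp.getWriter().write("all methods: " + allMethods + "\n");
        resp.getWriter().write("GET only: " + getOnly + "\n");
        resp.getWriter().write("JACC empty spec implies GET: "
                + emptySpecImpliesMethod("GET") + "\n");
    }

    // The JACC rule quoted in the comment: a null/empty HTTPMethodSpec means
    // "all methods", so it implies a single-method permission on the same
    // URL pattern, while that single-method permission does not imply it.
    static boolean emptySpecImpliesMethod(String method) {
        WebResourcePermission everyMethod =
                new WebResourcePermission("/protectedServlet", (String) null);
        WebResourcePermission single =
                new WebResourcePermission("/protectedServlet", method);
        return everyMethod.implies(single) && !single.implies(everyMethod);
    }
}
```

With a caller granted only GET on /protectedServlet, the second line prints true while the first is expected to print false under the reading above, which is the distinction the documentation change is meant to make explicit.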

OndroMih added a commit to OndroMih/security that referenced this issue Mar 28, 2024
…hods

Signed-off-by: Ondro Mihalyi <mihalyi@omnifish.ee>
arjantijms added a commit that referenced this issue Apr 3, 2024
Fixes #262: Clarify using hasAccessToWebResource with no methods