For now, I think what best documents it is the TCK test and some hints in the Javadoc:
The Javadoc for SecurityContext.hasAccessToWebResource() contains the following in the documentation of the resource argument: "For a full specification of this pattern see WebResourcePermission(String, String)". I know this isn't in the docs for the methods argument, but WebResourcePermission includes not only the resource pattern but also actions (HTTP methods). So I'd assume that the documentation of WebResourcePermission is relevant also for the methods argument.
The Javadoc for WebResourcePermission claims that "A null or empty string HTTPMethodSpec indicates that the permission applies to all HTTP methods at the resources identified by the URL pattern." This means that the list of actions can be null or an empty string, and that in that case the permission applies to all HTTP methods. That is a hint that when the methods argument to SecurityContext.hasAccessToWebResource() is empty, it should return true if the user has permission to all HTTP methods for a given resource.
I believe that this is also in line with what the TCK test expects.
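The WebResourcePermission semantics quoted in the comment above, as an added example that is not part of the thread or of the Jakarta Security code base. It assumes the Jakarta Authorization API is on the classpath; the `hasAccess` helper, the class name and the `/protectedServlet` path are hypothetical, and whether a given implementation of hasAccessToWebResource() builds its check this way is an assumption.

```java
import jakarta.security.jacc.WebResourcePermission;
import java.security.Permissions;

public class EmptyMethodsCheck {

    // Hypothetical helper (not the SecurityContext API): the caller's grants
    // are modelled as a plain Permissions collection, and the check is built
    // the way the WebResourcePermission Javadoc describes. An empty or null
    // methods array produces a permission that covers all HTTP methods.
    static boolean hasAccess(Permissions granted, String resource, String... methods) {
        return granted.implies(new WebResourcePermission(resource, methods));
    }

    public static void main(String[] args) {
        // Constructed sample: a caller who may only GET the resource.
        Permissions getOnly = new Permissions();
        getOnly.add(new WebResourcePermission("/protectedServlet", "GET"));

        // Constructed sample: a caller granted every method. A null
        // HTTPMethodSpec means "all HTTP methods" per the Javadoc.
        Permissions allMethods = new Permissions();
        allMethods.add(new WebResourcePermission("/protectedServlet", (String) null));

        // Explicit method: both callers are asked about GET only.
        System.out.println("GET-only grant, check GET:        "
                + hasAccess(getOnly, "/protectedServlet", "GET"));
        System.out.println("all-methods grant, check GET:     "
                + hasAccess(allMethods, "/protectedServlet", "GET"));

        // No method given: the checked permission covers all HTTP methods,
        // so the grant must cover all HTTP methods as well.
        System.out.println("GET-only grant, no method given:  "
                + hasAccess(getOnly, "/protectedServlet"));
        System.out.println("all-methods grant, no method given: "
                + hasAccess(allMethods, "/protectedServlet"));
    }
}
```

Under the quoted Javadoc, a GET-only grant does not imply the all-methods permission built from an empty methods argument, so an authorization check written without a method is the stricter check, not a wildcard match on any single method.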
Presently, the test is
security/tck/app-securitycontext/src/main/java/ee/jakarta/tck/security/test/Servlet.java
Line 85 in a87eca4
In the Javadoc, this parameter is described as taking "one or more methods to check". In the specification itself there is also no mention of calling without specifying the HTTP method, and the documented example does specify a method: https://github.com/jakartaee/security/blob/a87eca4492dfc8dd1558f7ce9644a9121e72b384/spec/src/main/asciidoc/securityContext.adoc
This feels like something which could be clarified in a later release.