Merge pull request #1429 from fl4via/UNDERTOW-2213

[UNDERTOW-2213] Revert deny-uncovered-methods fix for corner case
undertow-io · Dec 27, 2022 · 8a62c9c · 8a62c9c
2 parents c418492 + 4e793af
commit 8a62c9c
Showing 1 changed file with 4 additions and 22 deletions.
diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java b/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java
@@ -75,23 +75,17 @@ private SecurityPathMatches(final boolean denyUncoveredHttpMethods, final PathSe
      * @return <code>true</code> If no security path information has been defined
      */
     public boolean isEmpty() {
-        return isDefaultPathSecurityEmpty() &&
+        return defaultPathSecurityInformation.excludedMethodRoles.isEmpty() &&
+                defaultPathSecurityInformation.perMethodRequiredRoles.isEmpty() &&
+                defaultPathSecurityInformation.defaultRequiredRoles.isEmpty() &&
                 exactPathRoleInformation.isEmpty() &&
                 prefixPathRoleInformation.isEmpty() &&
                 extensionRoleInformation.isEmpty();
     }
 
-    public boolean isDefaultPathSecurityEmpty() {
-        return defaultPathSecurityInformation.excludedMethodRoles.isEmpty() &&
-                defaultPathSecurityInformation.perMethodRequiredRoles.isEmpty() &&
-                defaultPathSecurityInformation.defaultRequiredRoles.isEmpty();
-    }
-
     public SecurityPathMatch getSecurityInfo(final String path, final String method) {
         RuntimeMatch currentMatch = new RuntimeMatch();
-        if (!isDefaultPathSecurityEmpty()) {
-            handleMatch(method, defaultPathSecurityInformation, currentMatch);
-        }
+        handleMatch(method, defaultPathSecurityInformation, currentMatch);
         PathSecurityInformation match = exactPathRoleInformation.get(path);
         PathSecurityInformation extensionMatch = null;
         if (match != null) {
@@ -190,18 +184,6 @@ private void handleMatch(final String method, final PathSecurityInformation exac
                 transport(currentMatch, role.transportGuaranteeType);
                 currentMatch.constraints.add(new SingleConstraintMatch(role.emptyRoleSemantic, role.roles));
             }
-        } else if (denyUncoveredHttpMethods) {
-            if (exact.perMethodRequiredRoles.size() == 0) {
-                // 13.8.4. When HTTP methods are not enumerated within a security-constraint, the protections defined by the
-                // constraint apply to the complete set of HTTP (extension) methods.
-                currentMatch.uncovered = false;
-                currentMatch.constraints.add(new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.PERMIT, new HashSet<>()));
-            } else {
-                //at this point method info is null, but there is match, above if will be triggered for default path, we need to flip it?
-                // keep currentMatch.uncovered value as true (this is the value that is initially set)
-                currentMatch.constraints.clear();
-                currentMatch.constraints.add(new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.DENY, new HashSet<>()));
-            }
         }
         for (ExcludedMethodRoles excluded : exact.excludedMethodRoles) {
             if (!excluded.methods.contains(method)) {