Merge pull request #1423 from fl4via/UNDERTOW-2209_2.2.x

[UNDERTOW-2209] Ignore defaultPath security when it is not configured at all
undertow-io · Dec 14, 2022 · 6d5d220 · 6d5d220
2 parents daf3cca + e0825df
commit 6d5d220
Showing 1 changed file with 15 additions and 10 deletions.
diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java b/servlet/src/main/java/io/undertow/servlet/handlers/security/SecurityPathMatches.java
@@ -75,17 +75,23 @@ private SecurityPathMatches(final boolean denyUncoveredHttpMethods, final PathSe
      * @return <code>true</code> If no security path information has been defined
      */
     public boolean isEmpty() {
-        return defaultPathSecurityInformation.excludedMethodRoles.isEmpty() &&
-                defaultPathSecurityInformation.perMethodRequiredRoles.isEmpty() &&
-                defaultPathSecurityInformation.defaultRequiredRoles.isEmpty() &&
+        return isDefaultPathSecurityEmpty() &&
                 exactPathRoleInformation.isEmpty() &&
                 prefixPathRoleInformation.isEmpty() &&
                 extensionRoleInformation.isEmpty();
     }
 
+    public boolean isDefaultPathSecurityEmpty() {
+        return defaultPathSecurityInformation.excludedMethodRoles.isEmpty() &&
+                defaultPathSecurityInformation.perMethodRequiredRoles.isEmpty() &&
+                defaultPathSecurityInformation.defaultRequiredRoles.isEmpty();
+    }
+
     public SecurityPathMatch getSecurityInfo(final String path, final String method) {
         RuntimeMatch currentMatch = new RuntimeMatch();
-        handleMatch(method, defaultPathSecurityInformation, currentMatch);
+        if (!isDefaultPathSecurityEmpty()) {
+            handleMatch(method, defaultPathSecurityInformation, currentMatch);
+        }
         PathSecurityInformation match = exactPathRoleInformation.get(path);
         PathSecurityInformation extensionMatch = null;
         if (match != null) {
@@ -184,16 +190,15 @@ private void handleMatch(final String method, final PathSecurityInformation exac
                 transport(currentMatch, role.transportGuaranteeType);
                 currentMatch.constraints.add(new SingleConstraintMatch(role.emptyRoleSemantic, role.roles));
             }
-        } else if(denyUncoveredHttpMethods) {
-            if(exact.perMethodRequiredRoles.size() == 0) {
+        } else if (denyUncoveredHttpMethods) {
+            if (exact.perMethodRequiredRoles.size() == 0) {
                 // 13.8.4. When HTTP methods are not enumerated within a security-constraint, the protections defined by the
                 // constraint apply to the complete set of HTTP (extension) methods.
                 currentMatch.uncovered = false;
                 currentMatch.constraints.add(new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.PERMIT, new HashSet<>()));
-            } else if(exact.perMethodRequiredRoles.size() > 0) {
-                //at this point method is null, but there is match, above if will be triggered for default path, we need to flip it?
-                currentMatch.uncovered = true;
-                //NOTE: ?
+            } else {
+                //at this point method info is null, but there is match, above if will be triggered for default path, we need to flip it?
+                // keep currentMatch.uncovered value as true (this is the value that is initially set)
                 currentMatch.constraints.clear();
                 currentMatch.constraints.add(new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.DENY, new HashSet<>()));
             }