Cannot specify INTEGRAL as transport-guarantee Type #19

hs536 opened this issue Jun 10, 2022 · 1 comment

hs536 commented Jun 10, 2022

Servlet 6.0 schema says that we can specify INTEGRAL as the type of transport-guarantee.

refs) https://jakarta.ee/xml/ns/jakartaee/web-common_6_0.xsd

    <xsd:complexType name="transport-guaranteeType">
      <xsd:annotation>
        <xsd:documentation>
          The transport-guaranteeType specifies that the communication
          between client and server should be NONE, INTEGRAL, or
          CONFIDENTIAL. NONE means that the application does not
          require any transport guarantees. A value of INTEGRAL means
          that the application requires that the data sent between the
          client and server be sent in such a way that it can't be
          changed in transit. CONFIDENTIAL means that the application
          requires that the data be transmitted in a fashion that
          prevents other entities from observing the contents of the
          transmission. In most cases, the presence of the INTEGRAL or
          CONFIDENTIAL flag will indicate that the use of SSL is
          required.
          Used in: user-data-constraint
        </xsd:documentation>
      </xsd:annotation>
      <xsd:simpleContent>
        <xsd:restriction base="jakartaee:string">
          <xsd:enumeration value="NONE"/>
          <xsd:enumeration value="INTEGRAL"/> <!-- ★ -->
          <xsd:enumeration value="CONFIDENTIAL"/>
        </xsd:restriction>
      </xsd:simpleContent>
    </xsd:complexType>

like

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>integral</web-resource-name>
            <url-pattern>/integral</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>INTEGRAL</transport-guarantee> <!-- ★ -->
        </user-data-constraint>
    </security-constraint>

On the other hand, Exousia uses ServletSecurity.TransportGuarantee in SecurityConstraint (instead of jakarta.security.jacc.WebUserDataPermission).

    private final TransportGuarantee transportGuarantee;

ServletSecurity.TransportGuarantee does not have INTEGRAL as its API, so we cannot use this type.

hs536 commented Jun 10, 2022

I happened to notice this issue when I was testing apps on GlassFish 7 (nightly build).
https://github.com/eclipse-ee4j/glassfish/blob/9c73d617fbea80034c57aee9580f62fea9aa7221/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/web/integration/GlassFishToExousiaConverter.java#L50-L54

Unfortunately, it is not detailed in the Jakarta Servlet spec...
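
The mismatch reported in this issue, as an added example that is not part of the issue and is not Exousia or GlassFish code: a descriptor value that the schema accepts cannot be converted to the annotation enum by name. The local `TransportGuarantee` enum is a stand-in for `ServletSecurity.TransportGuarantee`, and `failClosed` is a hypothetical mapping that assumes INTEGRAL may be enforced as CONFIDENTIAL, in line with the schema text that either flag usually means SSL is required.

```java
import java.util.List;

public class TransportGuaranteeMapping {

    // Stand-in for jakarta.servlet.annotation.ServletSecurity.TransportGuarantee,
    // which defines only these two constants (declared locally so the example
    // compiles without the Servlet API on the classpath).
    enum TransportGuarantee { CONFIDENTIAL, NONE }

    // Naive conversion: Enum.valueOf throws IllegalArgumentException for
    // "INTEGRAL", although the descriptor schema accepts that value.
    static TransportGuarantee naive(String descriptorValue) {
        return TransportGuarantee.valueOf(descriptorValue);
    }

    // Hypothetical fail-closed conversion (an assumption, not Exousia's code):
    // INTEGRAL is mapped to CONFIDENTIAL so the constraint still requires a
    // protected transport; anything outside the schema enumeration is rejected.
    static TransportGuarantee failClosed(String descriptorValue) {
        switch (descriptorValue.trim()) {
            case "NONE":
                return TransportGuarantee.NONE;
            case "INTEGRAL":
            case "CONFIDENTIAL":
                return TransportGuarantee.CONFIDENTIAL;
            default:
                throw new IllegalArgumentException(
                    "not a transport-guaranteeType value: " + descriptorValue);
        }
    }

    public static void main(String[] args) {
        // The three values enumerated by transport-guaranteeType.
        for (String value : List.of("NONE", "INTEGRAL", "CONFIDENTIAL")) {
            String naiveResult;
            try {
                naiveResult = naive(value).name();
            } catch (IllegalArgumentException e) {
                naiveResult = "IllegalArgumentException";
            }
            System.out.printf("%-12s naive=%-24s failClosed=%s%n",
                value, naiveResult, failClosed(value));
        }
    }
}
```

Mapping INTEGRAL to CONFIDENTIAL keeps the transport requirement but drops the distinction between the two values, which matters wherever the original value is later needed, for example when building a `WebUserDataPermission`.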
