OAUTH2-255 (project: PUBLIC - OAuth2)

SAP Whitelisted JAX-RS resource cannot be accessed with no access token

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Master
    • Fix Version/s: Master
    • Component/s: None

      Description

      The @RequiresNoScope annotation should be checked only in conjunction with a valid access token.

      When there is no access token and the JAX-RS resource is on the SAP (Service Access Policy) default whitelist, the resource must be available.

      Steps to reproduce:

      1. Select a JAX-RS resource class from our codebase that returns some result without checking any permissions
      2. Create a Service Access Policy, specify the class there, enable it, mark it as default and save
      3. Access the JAX-RS resource with no authentication (e.g. curl http://localhost:8080/o/some-app/the-resource)

       Expected result: The resource can be called
       Actual result: The server returns a 403 Forbidden status
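The check order the description asks for, as an added example rather than Liferay's own filter code: a JAX-RS ContainerRequestFilter that lets the SAP default whitelist alone decide anonymous requests and consults @RequiresNoScope only once a bearer token has validated. The AccessTokenValidator and ServiceAccessPolicyWhitelist interfaces, the @RequiresScope annotation and the 401/403 choices are assumptions made for this example.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.Optional;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Retention(RetentionPolicy.RUNTIME) @interface RequiresNoScope {}
@Retention(RetentionPolicy.RUNTIME) @interface RequiresScope { String[] value(); }
// Assumed collaborators for this example, not Liferay's own APIs.
interface AccessTokenValidator { Optional<Set<String>> grantedScopes(String bearerToken); }
interface ServiceAccessPolicyWhitelist { boolean isWhitelisted(Class<?> resource, Method method); }

@Provider
@Priority(Priorities.AUTHORIZATION)
public class ScopeAuthorizationFilter implements ContainerRequestFilter {
    @Context private ResourceInfo resourceInfo;
    private final AccessTokenValidator tokens;
    private final ServiceAccessPolicyWhitelist sap;
    public ScopeAuthorizationFilter(AccessTokenValidator t, ServiceAccessPolicyWhitelist s) { tokens = t; sap = s; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        Class<?> cls = resourceInfo.getResourceClass();
        Method method = resourceInfo.getResourceMethod();
        String auth = ctx.getHeaderString("Authorization");
        // 1. No bearer token: the SAP default whitelist alone decides; @RequiresNoScope is not
        //    consulted, so a whitelisted resource is served instead of the 403 from the report.
        if (auth == null || !auth.startsWith("Bearer ")) {
            if (!sap.isWhitelisted(cls, method)) deny(ctx, Response.Status.UNAUTHORIZED);
            return;
        }
        // 2. A token is present but does not validate: reject regardless of annotations.
        Optional<Set<String>> granted = tokens.grantedScopes(auth.substring("Bearer ".length()));
        if (!granted.isPresent()) { deny(ctx, Response.Status.UNAUTHORIZED); return; }
        // 3. Valid token: only now may @RequiresNoScope short-circuit the scope check.
        if (method.isAnnotationPresent(RequiresNoScope.class)) return;
        RequiresScope required = method.getAnnotation(RequiresScope.class);
        if (required != null && !granted.get().containsAll(Set.of(required.value()))) {
            deny(ctx, Response.Status.FORBIDDEN); // token valid but lacks a required scope
        }
    }
    private static void deny(ContainerRequestContext ctx, Response.Status status) {
        ctx.abortWith(Response.status(status).build());
    }
}
```

Step 3 of the reproduction (anonymous curl against a whitelisted resource) takes branch 1 and passes; a request carrying a valid token reaches branch 3, where @RequiresNoScope first takes effect.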

            People

            Assignee: Brian Lee (brian.lee)
            Reporter: Victor Galan (victor.galan)
