Application Server 7: AS7-3282

HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 7.1.0.CR1b
    • Fix Version/s: 7.1.0.Final
    • Component/s: Web
    • Labels: None

      Description

      The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to HTTP Basic authentication failures. Accessing HTTP Basic protected resources always returns a 403 Forbidden response when using the security-constraint configuration below, which worked well under JBoss AS4 and AS6.

      The security-constraint inside the web.xml is defined as follows:

      <security-constraint>
         <web-resource-collection>
            <web-resource-name>protected resources</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
            <description>any role allowed</description>
            <role-name>*</role-name>
         </auth-constraint>
      </security-constraint>
      

      Activating trace logging revealed the following message:

      13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
      

      In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.

      In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).

      The workaround to add all security-roles in the web.xml described in one of the forum references (https://community.jboss.org/message/617196#617196) is not a viable option for applications with a large number of dynamically changing roles.

      So please provide a configuration option for the allRolesMode property to allow for changes of the default behavior and ease the migration from earlier JBoss AS versions.
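The following stand-alone model, added here and not taken from JBoss AS, JBoss Web or Tomcat, shows how the three documented RealmBase.AllRolesMode values (strict, authOnly, and the third mode Tomcat documents, strictAuthOnly) decide a request against an auth-constraint of <role-name>*</role-name>. It parses a constructed web.xml fragment mirroring the one in this issue (no <security-role> declared) and a second one with the forum workaround applied (role names admin and editor, constructed for the example). The decision rule follows the Tomcat javadoc wording quoted above; the sample principal roles and the 401/403/200 outcomes are the conventional container responses, not values taken from a real deployment.

```python
"""Model of how <role-name>*</role-name> in an auth-constraint is evaluated under the
Tomcat/JBoss Web RealmBase allRolesMode values.  Added example, not JBoss AS or
Tomcat code: only a stand-alone model of the documented decision rule."""
from enum import Enum
import xml.etree.ElementTree as ET


class AllRolesMode(Enum):
    # Value strings follow the Tomcat RealmBase.AllRolesMode documentation.
    STRICT = "strict"                    # '*' means: any role declared in <security-role>
    AUTH_ONLY = "authOnly"               # '*' means: any authenticated user
    STRICT_AUTH_ONLY = "strictAuthOnly"  # authOnly only when the app declares no <security-role>


# Constructed web.xml fragments. The first mirrors the descriptor quoted in the issue:
# an auth-constraint of '*' and no <security-role> declared anywhere in the web app.
WEB_XML_NO_ROLES = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected resources</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Same constraint with the forum workaround applied: roles declared explicitly
# (role names are constructed for this example).
WEB_XML_WITH_ROLES = WEB_XML_NO_ROLES.replace(
    "</web-app>",
    "  <security-role><role-name>admin</role-name></security-role>\n"
    "  <security-role><role-name>editor</role-name></security-role>\n</web-app>")


def parse_web_xml(text):
    """Return (auth-constraint role names, declared security-role names)."""
    root = ET.fromstring(text)
    constraint_roles = [r.text.strip() for r in
                        root.findall("./security-constraint/auth-constraint/role-name")]
    declared = {r.text.strip() for r in root.findall("./security-role/role-name")}
    return constraint_roles, declared


def has_role(mode, user_roles, role, declared_roles):
    """Decide one <role-name> entry for an authenticated principal holding user_roles."""
    if role != "*":
        return role in user_roles
    if mode is AllRolesMode.AUTH_ONLY:
        return True                                       # any authenticated user passes
    if mode is AllRolesMode.STRICT_AUTH_ONLY and not declared_roles:
        return True                                       # nothing declared: act like authOnly
    return any(r in declared_roles for r in user_roles)  # strict: must hold a declared role


def authorize(mode, user_roles, web_xml):
    """Return the HTTP status the container would produce: 401 (no principal), 403 or 200.
    user_roles is None for an unauthenticated request, otherwise the principal's role set."""
    constraint_roles, declared_roles = parse_web_xml(web_xml)
    if user_roles is None:
        return 401                                        # challenge first, never 403
    if any(has_role(mode, user_roles, r, declared_roles) for r in constraint_roles):
        return 200
    return 403


if __name__ == "__main__":
    # Scenario from the issue: roles are dynamic and not declared in web.xml.
    for mode in AllRolesMode:
        print(mode.value, authorize(mode, {"dynamic-role-42"}, WEB_XML_NO_ROLES))
```

Running the model reproduces the report: with no declared security-roles, strict mode answers 403 for every authenticated user, while authOnly answers 200. The point worth noting before switching the default back for migration (the resolution of this issue is a system property, org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE) is that authOnly also answers 200 for an authenticated principal that holds no application role at all, so under that setting the container no longer performs any role check and the application must do its own.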

        Activity

        Remy Maucherat added a comment:

        You seem to be aware of what the spec says and requires, yet you ask to continue being able to ignore the specification. How about following the specification instead?

        Robert Reimann added a comment:

        Yes, I'm aware of the spec, but it's a matter of migration cost/effort. As I described in the forum reference (https://community.jboss.org/message/645070#645070), we have got a load of role-names and they aren't static, so duplicating them inside the web.xml is not a viable option.

        The servlet 2.4 spec (published in 2003) which redefined the meaning of <role-name>*</role-name> was ignored for ages by previous JBoss AS versions and consequently by the applications running on these versions with the default settings. Changing the defaults to follow the spec is a comprehensible decision. But doing this without providing a way to achieve backward compatibility is a serious migration issue for our projects.

        Since JBoss Web is based on Tomcat and the latter still contains the option to choose the behavior (http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/RealmBase.AllRolesMode.html), all I'm asking for is to expose this existing option via JBoss Web.

        Remy Maucherat added a comment:

        Yes, I understand doing the right thing is never an option.

        Remy Maucherat added a comment:

        Using a system property to set the default (org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE). Not quite convinced why this should have more support.


          People

          • Assignee: Remy Maucherat
          • Reporter: Robert Reimann
          • Votes: 0
          • Watchers: 3
