AS7-3282

HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 7.1.0.CR1b
    • Fix Version/s: 7.1.0.Final
    • Component/s: Web
    • Labels:
      None

      Description

      The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to HTTP Basic authentication failures. Accessing HTTP Basic protected resources always returns a 403 Forbidden response when using the security-constraint configuration below, which worked well under JBoss AS4 and AS6.

      The security-constraint inside the web.xml is defined as follows:

      <security-constraint>
         <web-resource-collection>
            <web-resource-name>protected resources</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
            <description>any role allowed</description>
            <role-name>*</role-name>
         </auth-constraint>
      </security-constraint>
      

      Activating trace logging revealed the following message:

      13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
      

      In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.

      In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).

      The workaround of adding all security-roles to the web.xml, described in one of the forum references (https://community.jboss.org/message/617196#617196), is not a viable option for applications with a large number of dynamically changing roles.

      So please provide a configuration option for the allRolesMode property to allow for changes of the default behavior and ease the migration from earlier JBoss AS versions.

          Activity

          Remy Maucherat (rmaucher) added a comment -

          You seem to be aware of what the spec says and requires, yet you ask to continue being able to ignore the specification. How about following the specification instead?
          Robert Reimann (r.reimann) added a comment -

          Yes, I'm aware of the spec, but it's a matter of migration cost/effort. As I described in the forum reference (https://community.jboss.org/message/645070#645070), we have got a load of role-names and they aren't static, so duplicating them inside the web.xml is not a viable option.

          The servlet 2.4 spec (published in 2003), which redefined the meaning of <role-name>*</role-name>, was ignored for ages by previous JBoss AS versions and consequently by the applications running on these versions with the default settings. Changing the defaults to follow the spec is a comprehensible decision. But doing this without providing a way to achieve backward compatibility is a serious migration issue for our projects.

          Since JBoss Web is based on Tomcat and the latter still contains the option to choose the behavior (http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/RealmBase.AllRolesMode.html), all I'm asking for is to expose this existing option via JBoss Web.
          Remy Maucherat (rmaucher) added a comment -

          Yes, I understand doing the right thing is never an option.
          Remy Maucherat (rmaucher) added a comment -

          Using a system property to set the default (org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE). Not quite convinced why this should have more support.
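          The following Java program is an added illustration for this issue, not code from JBoss Web, Tomcat or the reporter. It models how an auth-constraint of <role-name>*</role-name> is evaluated under the three allRolesMode values Tomcat documents (strict, authOnly, strictAuthOnly; the third is taken from the linked Tomcat javadoc, not from this issue) and reads the mode from the system property named in the last comment. The class, method names and the sample user and role names are constructed for the example; the fallback to strict for an unrecognised property value is an assumption of this model.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added model of the "*" auth-constraint decision under allRolesMode.
 * Written for this issue; it is not JBoss Web or Tomcat code.
 */
public class AllRolesModeDemo {

    /** The three documented allRolesMode values and their configuration spelling. */
    enum AllRolesMode {
        STRICT("strict"),
        AUTH_ONLY("authOnly"),
        STRICT_AUTH_ONLY("strictAuthOnly");

        final String configValue;

        AllRolesMode(String configValue) { this.configValue = configValue; }

        /** Parse the configuration spelling; unknown values fall back to strict (assumption). */
        static AllRolesMode fromString(String s) {
            for (AllRolesMode m : values()) {
                if (m.configValue.equalsIgnoreCase(s)) return m;
            }
            return STRICT;
        }
    }

    /** A caller the realm has authenticated, with the roles the realm assigned. */
    static final class Principal {
        final String name;
        final Set<String> roles;

        Principal(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    /**
     * Decide whether a request matching a constraint with <role-name>*</role-name> is permitted.
     *
     * @param declaredRoles roles listed in web-app/security-role/role-name
     * @param principal     authenticated caller, or null if unauthenticated
     * @param mode          the configured allRolesMode
     * @return true if the request is allowed, false if the container answers 403
     */
    static boolean allowed(Set<String> declaredRoles, Principal principal, AllRolesMode mode) {
        if (principal == null) {
            return false; // unauthenticated callers get the 401 challenge, never the resource
        }
        // Strict spec interpretation: "*" expands to the roles declared in security-role.
        for (String role : declaredRoles) {
            if (principal.roles.contains(role)) return true;
        }
        switch (mode) {
            case AUTH_ONLY:
                return true;                    // any authenticated user
            case STRICT_AUTH_ONLY:
                return declaredRoles.isEmpty(); // any authenticated user only when nothing is declared
            case STRICT:
            default:
                return false;                   // the AS7 default: the reporter's 403
        }
    }

    /** The mode read from the system property Remy Maucherat named; "strict" when unset. */
    static AllRolesMode configuredMode() {
        return AllRolesMode.fromString(
            System.getProperty("org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE", "strict"));
    }

    public static void main(String[] args) {
        // Constructed scenario from the report: no security-role entries in web.xml,
        // and a user authenticated with a role that is assigned dynamically.
        Set<String> noDeclaredRoles = Collections.emptySet();
        Principal user = new Principal("alice", "project-42-member");

        for (AllRolesMode mode : AllRolesMode.values()) {
            System.out.printf("%-15s -> %s%n", mode.configValue,
                allowed(noDeclaredRoles, user, mode) ? "200 allowed" : "403 forbidden");
        }
        System.out.println("mode from system property: " + configuredMode().configValue);
    }
}
```

          Run it once without the property and once with -Dorg.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly to see the two defaults side by side. Under strict the user is refused because no declared role can match; under authOnly the same user is admitted simply for being authenticated, which is exactly the pre-AS7 behaviour the reporter depends on and the reason the stricter default exists: with authOnly, a "*" constraint grants access to every account the realm can authenticate, whatever its roles.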

            People

            • Assignee: Remy Maucherat (rmaucher)
            • Reporter: Robert Reimann (r.reimann)
            • Votes: 0
            • Watchers: 3