Details
Bug
Resolution: Done
Minor
JBossAS-4.0.2RC1
None
Description
The JACC specification (section 3.1.3.1) states:
When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application. ...
This is not the case as JBoss ignores this definition and creates a WebResourcePermission for the role "*".
Regards,
Andrea
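
The difference between the two translations described in the report, as an added example that is neither JBoss code nor part of the original report. Plain JDK collections stand in for `WebResourcePermission`; the class and method names, the sample roles and URL pattern, and the role-keyed lookup in `permitted` are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: models the role -> URL-pattern table a JACC provider
// builds from web.xml. All names here are hypothetical.
public class WildcardRoleExpansion {

    // Translate one security-constraint into role -> patterns entries.
    // expandWildcard=true follows JACC 3.1.3.1; false reproduces the reported behaviour.
    static Map<String, Set<String>> translate(List<String> urlPatterns, List<String> authRoles,
                                              Set<String> declaredRoles, boolean expandWildcard) {
        Set<String> effective = new TreeSet<>();
        for (String role : authRoles) {
            if ("*".equals(role) && expandWildcard) {
                effective.addAll(declaredRoles);   // "*" stands for every role defined in the web application
            } else {
                effective.add(role);               // kept as a literal role name, including a literal "*"
            }
        }
        Map<String, Set<String>> table = new TreeMap<>();
        for (String role : effective) {
            table.computeIfAbsent(role, r -> new TreeSet<>()).addAll(urlPatterns);
        }
        return table;
    }

    // Assumed role-keyed check: does any of the caller's roles hold the pattern?
    static boolean permitted(Map<String, Set<String>> table, Set<String> callerRoles, String pattern) {
        for (String role : callerRoles) {
            if (table.getOrDefault(role, Collections.emptySet()).contains(pattern)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample descriptor data.
        List<String> patterns = List.of("/secure/*");
        List<String> auth = List.of("*");
        Set<String> declared = Set.of("admin", "user");

        Map<String, Set<String>> reported = translate(patterns, auth, declared, false);
        Map<String, Set<String>> perSpec = translate(patterns, auth, declared, true);
        System.out.println("reported: " + reported);
        System.out.println("per spec: " + perSpec);
        Set<String> caller = Set.of("user");
        System.out.println("'user' permitted (reported): " + permitted(reported, caller, "/secure/*"));
        System.out.println("'user' permitted (per spec): " + permitted(perSpec, caller, "/secure/*"));
    }
}
```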