Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: JBossAS-4.0.4.CR2, JBossAS-5.0.0.Beta1
Affects Version/s: None
Component/s: Security, Web (Tomcat) service
Labels:
None

Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%

SFDC Cases Links:
SFDC Cases Counter:

Description

tomcat 5.5.16 has implemented a strict semantic of the role-name=* behavior that requires one or more valid roles in order for access to be permitted. There is no notion of authentication only security constraints. We should add a jboss-web.xml flag:

<jboss-web>
<security-domain authenticationOnlyAllRolesMode="true">...</security-domain>
...

authenticationOnlyAllRolesMode = true if the all roles role-name of "*" is specified, and any authenticated user should be allowed access. A false setting defaults to restricting the allowed roles to those specified via security-role/role-name values. The tomcat service should also have an equivalent flag to set the default behavior for all web apps.

Attachments

Issue Links

blocks

JBWS-309 Authorization Error using JBossWS together with JACC

Closed

JBWS-736 CTS: webservices/sec/ejb/certificate/Client.java#secEjbCertificate

Closed

JBAS-2867 Fix Security Tests in the 4.0 Testsuite

Closed

Activity

People

Assignee:: Scott Stark (Inactive)

Reporter:: Scott Stark (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 2006/03/12 11:56 PM

Updated:: 2020/09/14 5:34 AM

Resolved:: 2006/03/18 2:12 AM