Details
- Bug
- Resolution: Obsolete
- Major
- None
- 8.0.0.Beta1
- None
- Workaround Exists
Description
I am trying to get only authentication (no authorization) to work for a web application.
In EAP 5, all that was required was to set the <role-name> to a '*' in
the <security-constraint> of the web.xml. I tried this in EAP 6,
however, it did not work.
I then found the <jacc-star-role-allow> setting that goes in the
jboss-web.xml. Unfortunately, adding this option did not cause the
wildcard ('*') role-name to work for allowing any authenticated user
to access the web application.
Using the following system property does appear to work:
org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
How reproducible:
Every time.
Steps to Reproduce:
1. Set <role-name>*</role-name> in the security-constraint
2. Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
3. Set the security-domain so that no roles are assigned to a user
4. Attempt to access the web app
Actual results:
403 - access denied
Expected results:
200 - access allowed
Additional info:
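
The following is an added example, not part of the original report and not JBoss or Tomcat code: a small Python model of how a `*` auth-constraint is decided under each `ALL_ROLES_MODE` value, showing why a user with no roles gets 403 until `authOnly` is set. The `strict` and `strictAuthOnly` values are taken from the Tomcat realm documentation rather than from this report, the sample `web.xml` (including its `security-role` entry) is constructed, and `<jacc-star-role-allow>` is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor matching step 1 of the report.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so the check works for any descriptor version."""
    return tag.rsplit("}", 1)[-1]

def parse_descriptor(xml_text):
    """Return (roles named in auth-constraints, roles declared via security-role)."""
    constraint_roles, declared = set(), set()
    for el in ET.fromstring(xml_text).iter():
        kind = _local(el.tag)
        if kind in ("auth-constraint", "security-role"):
            names = {c.text.strip() for c in el if _local(c.tag) == "role-name" and c.text}
            (constraint_roles if kind == "auth-constraint" else declared).update(names)
    return constraint_roles, declared

def star_allows(mode, authenticated, user_roles, declared):
    """Model (an assumption, not container code) of the '*' decision per mode."""
    if not authenticated:
        return False
    if mode == "authOnly":                      # any authenticated user passes
        return True
    if mode == "strictAuthOnly" and not declared:
        return True                             # no roles declared: auth is enough
    if mode in ("strict", "strictAuthOnly"):    # user needs one declared role
        return bool(set(user_roles) & declared)
    raise ValueError(f"unknown mode: {mode}")

def status(mode, user_roles, xml_text=WEB_XML):
    """HTTP status an authenticated user would see for the '*' constraint."""
    constraint_roles, declared = parse_descriptor(xml_text)
    if "*" not in constraint_roles:
        raise ValueError("descriptor has no '*' auth-constraint")
    return 200 if star_allows(mode, True, user_roles, declared) else 403
```

`status("strict", [])` reproduces the 403 from the report for a user with no roles, and `status("authOnly", [])` gives the 200 seen with the system property set.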