WildFly / WFLY-2854

'**' role incorrectly returns false from isUserInRole when user is authenticated

Description

When authentication has taken place in a web application, such that HttpServletRequest#getUserPrincipal does not return null, testing for the role '**' with HttpServletRequest#isUserInRole returns false.

This is not correct. According to the Servlet specification, section 13.3:

    If the role-name of the security-role to be tested is "**", and the application has NOT declared an application security-role with role-name "**", isUserInRole must only return true if the user has been authenticated;

      This is demonstrated by the following test:

      https://github.com/arjantijms/javaee7-samples/blob/master/jacc/contexts/src/test/java/org/javaee7/jacc/contexts/SubjectFromPolicyContextTest.java#L76
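As an added illustration (not code from the issue, the linked test, or WildFly), the servlet below shows the behaviour section 13.3 requires and a self-check that surfaces the symptom reported here; it assumes the application declares no security-role named "**" in web.xml, and the servlet name and path are invented for the example.

```java
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Example servlet (hypothetical name and path) relying on the "**" role,
// which Servlet 13.3 defines as "any authenticated user" when the
// application has not declared a security-role with that name.
@WebServlet("/any-authenticated")
public class AnyAuthenticatedServlet extends HttpServlet {

    /**
     * Reference model of the spec rule for isUserInRole("**"):
     * - "**" not declared as a security-role: true iff the caller is authenticated.
     * - "**" declared by the application: it is an ordinary role, so the result
     *   depends only on whether the caller is mapped to it.
     */
    static boolean expectedStarStar(boolean authenticated,
                                    boolean starStarDeclared,
                                    boolean mappedToStarStar) {
        return starStarDeclared ? mappedToStarStar : authenticated;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        boolean authenticated = req.getUserPrincipal() != null;
        boolean inStarStar = req.isUserInRole("**");

        // Assumption: no "**" security-role is declared, so the container's
        // answer must equal expectedStarStar(authenticated, false, false).
        if (inStarStar != expectedStarStar(authenticated, false, false)) {
            // Symptom of WFLY-2854: authenticated caller, but "**" reported false.
            log("isUserInRole(\"**\")=" + inStarStar + " for authenticated="
                + authenticated + " (" + req.getUserPrincipal() + ")");
        }

        if (!authenticated) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + req.getUserPrincipal().getName());
    }
}
```

Because the two conditions are equivalent by the spec whenever "**" is undeclared, a mismatch in the log points at the container rather than at application configuration.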


              People

Assignee: Stuart Douglas (swd847)
Reporter: Arjan Tijms (atijms)
