WildFly / WFLY-6318

auth-constraint with role name ** does not work as specified

      Description

      The following security constraint does not work as expected:

          <security-constraint>
              <display-name>secure resource</display-name>
              <web-resource-collection>
                  <web-resource-name>welcome page</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>**</role-name>
              </auth-constraint>
          </security-constraint>
      

      According to Servlet Specification 3.1, section 13.8, any authenticated user should be able to access the secured resources, but all I get is a Forbidden error page.

      Stepping through the code, I can see that ServletSecurityRoleHandler is processing a SingleConstraintMatch with emptyRoleSemantic == PERMIT and requiredRoles == [**].

      More likely, this should be emptyRoleSemantic == AUTHENTICATE and requiredRoles == [].
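
The special role names from Servlet 3.1, section 13.8, which the report cites, shown as an added example (not part of the original report and not WildFly or Undertow code). The class, method, user and role names are hypothetical; `literal` models a plain role-name comparison, which gives the Forbidden result described above, and `spec` applies the specified meaning of `*` and `**`.

```java
import java.util.List;
import java.util.Set;

public class AuthConstraintDemo {
    enum Decision { PERMIT, CHALLENGE, FORBIDDEN }

    // Plain comparison: "**" is treated like any other role name,
    // so only a user who literally holds a role called "**" passes.
    static Decision literal(List<String> required, boolean authenticated,
                            Set<String> userRoles) {
        if (!authenticated) return Decision.CHALLENGE;
        return required.stream().anyMatch(userRoles::contains)
                ? Decision.PERMIT : Decision.FORBIDDEN;
    }

    // Servlet 3.1, section 13.8: special handling of "*" and "**".
    static Decision spec(List<String> required, boolean authenticated,
                         Set<String> userRoles, Set<String> declaredRoles) {
        // An auth-constraint that names no roles denies everyone.
        if (required.isEmpty()) return Decision.FORBIDDEN;
        if (!authenticated) return Decision.CHALLENGE;
        for (String role : required) {
            // "**": any authenticated user, independent of role.
            if (role.equals("**")) return Decision.PERMIT;
            if (role.equals("*")) {
                // "*": shorthand for all roles declared in the descriptor.
                if (declaredRoles.stream().anyMatch(userRoles::contains))
                    return Decision.PERMIT;
            } else if (userRoles.contains(role)) {
                return Decision.PERMIT;
            }
        }
        return Decision.FORBIDDEN;
    }

    public static void main(String[] args) {
        // Constructed sample data: a logged-in user whose only role is
        // not declared in the deployment descriptor.
        Set<String> userRoles = Set.of("staff");
        Set<String> declared = Set.of("admin");
        List<String> anyUser = List.of("**");

        System.out.println("literal, **: " + literal(anyUser, true, userRoles));
        System.out.println("spec, **:    " + spec(anyUser, true, userRoles, declared));
        System.out.println("spec, *:     " + spec(List.of("*"), true, userRoles, declared));
        System.out.println("spec, anon:  " + spec(anyUser, false, Set.of(), declared));
        System.out.println("spec, empty: " + spec(List.of(), true, userRoles, declared));
    }
}
```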

                People

                • Assignee:
                  swd847 Stuart Douglas
                  Reporter:
                  hwellmann.de Harald Wellmann
