Guillermo González de Agüero commented on WFLY-6809:
----------------------------------------------------
I read somewhere that the "**" role was a coordinated effort from the Servlet,
EJB and JACC specs.
Check section 3.1.3.2 of the JACC spec
(http://download.oracle.com/otndocs/jcp/jacc-1_5-mrel3-eval-spec/):
??A WebResourcePermission must be added to the corresponding role for each distinct
combination in the cross-product of url-pattern and role-name occurring in the
security-constraint elements that contain an auth-constraint naming roles. If the "any
authenticated user" role-name, "**", occurs in an auth-constraint, a
WebResourcePermission must also be added to the "**" role. When an auth-constraint names
the reserved role-name, "*", all of the patterns in the containing
security-constraint must be combined with all of the roles defined in the web application;
which must not include the role "**" unless the application has defined an application
role named "**".??
As a side note, Payara/GlassFish behaves the way I mentioned. Don't know about other
containers.
Web authentication not treating "**" role constraint as expected
----------------------------------------------------------------
Key: WFLY-6809
URL: https://issues.jboss.org/browse/WFLY-6809
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 10.0.0.Final
Reporter: Guillermo González de Agüero
Assignee: Stuart Douglas
Attachments: rolestest.war
Servlet spec 3.1 states at point 13.3:
??If the role-name of the security-role to be tested is “**”, and the application has NOT
declared an application security-role with role-name “**”, isUserInRole must only return
true if the user has been authenticated; that is, only when getRemoteUser and
getUserPrincipal would both return a non-null value. Otherwise, the container must check
the user for membership in the application role.??
But Undertow treats the special role "**" as any other. With the following
web.xml, authentication succeeds, but authorization fails (403):
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>
{code}
With the following, and authenticating a user that has a role "**", the
requested page is shown:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
        <role-name>**</role-name>
    </security-role>
</web-app>
{code}
Reproducer war is attached.
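The two spec rules quoted in this issue, Servlet 3.1 section 13.3 (the "**" role means "any authenticated user" unless the application declares a role with that name) and JACC 1.5 section 3.1.3.2 (the url-pattern x role-name cross-product, with "*" expanding to the declared roles and never to an undeclared "**"), as a small executable model. This is an added example, not code from WildFly, Undertow or the reporter; it parses the issue's own web.xml shape, and it assumes (beyond the quoted text) that matching constraints are combined by unioning their roles and that precedence between different url-patterns can be ignored, which holds here because both web.xml files use a single "/*" pattern.

```python
"""Model of the Servlet 3.1 "**" rule and the JACC 3.1.3.2 role cross-product.

Added illustration for WFLY-6809; not WildFly/Undertow code. The sample web.xml
content is constructed to mirror the two files in the issue.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}
ANY_AUTHENTICATED = "**"   # Servlet 3.1: any authenticated user (unless declared as an app role)
ALL_ROLES = "*"            # Servlet 3.1: every role the application declares


def parse_web_xml(text):
    """Return (declared role names, [(url-patterns, auth-constraint roles)]).

    roles is None for a security-constraint without auth-constraint (open to everyone)
    and [] for an empty auth-constraint (denied to everyone).
    """
    root = ET.fromstring(text)
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    constraints = []
    for sc in root.findall("j:security-constraint", NS):
        patterns = [p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        ac = sc.find("j:auth-constraint", NS)
        roles = None if ac is None else [r.text.strip() for r in ac.findall("j:role-name", NS)]
        constraints.append((patterns, roles))
    return declared, constraints


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: path prefix (/foo/*), extension (*.jsp), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern == "/":
        return True
    return path == pattern


def role_permissions(declared, constraints):
    """JACC 3.1.3.2: map each role to the url-patterns it is granted.

    Every (url-pattern, role-name) pair of the cross-product yields one permission
    for that role. "**" gets its own entry. "*" expands to the declared roles, so it
    only reaches "**" when the application itself declared a role named "**".
    """
    perms = {}
    for patterns, roles in constraints:
        for role in roles or []:
            targets = declared if role == ALL_ROLES else {role}
            for target in targets:
                perms.setdefault(target, set()).update(patterns)
    return perms


def is_user_in_role(role, principal, user_roles, declared):
    """Servlet 3.1 section 13.3: "**" is satisfied by any authenticated user unless declared."""
    if principal is None:
        return False
    if role == ANY_AUTHENTICATED and ANY_AUTHENTICATED not in declared:
        return True
    return role in user_roles


def is_authorized(web_xml, path, principal, user_roles=()):
    """Decide whether principal (None = unauthenticated) holding user_roles may access path."""
    declared, constraints = parse_web_xml(web_xml)
    matching = [roles for pats, roles in constraints if any(pattern_matches(p, path) for p in pats)]
    if not matching or any(roles is None for roles in matching):
        return True  # unconstrained, or a matching constraint carries no auth-constraint
    perms = role_permissions(declared, constraints)
    return any(
        is_user_in_role(role, principal, set(user_roles), declared)
        for role, patterns in perms.items()
        if any(pattern_matches(p, path) for p in patterns)
    )


def sample_web_xml(constraint_role="**", declared_roles=()):
    """Constructed web.xml in the shape used by this issue: "/*" constrained to one role."""
    roles = "".join(f"<security-role><role-name>{r}</role-name></security-role>" for r in declared_roles)
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>{constraint_role}</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  {roles}
</web-app>"""


if __name__ == "__main__":
    # First web.xml of the issue: "**" not declared, so any authenticated user is authorized.
    print("undeclared **, authenticated:", is_authorized(sample_web_xml(), "/index.html", "alice", {"user"}))
    # Second web.xml: "**" declared, so it behaves like an ordinary application role.
    print("declared **, no ** role:", is_authorized(sample_web_xml(declared_roles=("**",)), "/index.html", "alice", {"user"}))
```

Run against the first web.xml, an authenticated user with any (or no) application role is authorized, which is what the Servlet spec requires and what the issue reports Undertow failing to do; against the second web.xml, only a user actually holding the "**" role passes. The "*" case shows the last sentence of the JACC quote: with only "admin" declared, "*" expands to "admin" alone, so an authenticated user without that role is still denied.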
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)