[
http://jira.jboss.com/jira/browse/JBAS-1824?page=all ]
Anil Saldhana updated JBAS-1824:
--------------------------------
Summary: JACC: <role-name>*</role-name> in web.xml should allow
configurable authorization bypass (was: JACC: <role-name>*</role-name> in
web.xml)
Priority: Major (was: Minor)
JACC: <role-name>*</role-name> in web.xml should allow
configurable authorization bypass
----------------------------------------------------------------------------------------
Key: JBAS-1824
URL:
http://jira.jboss.com/jira/browse/JBAS-1824
Project: JBoss Application Server
Issue Type: Feature Request
Components: Security
Affects Versions: JBossAS-4.0.2 Final
Environment: -
Reporter: Roland R?z
Assigned To: Anil Saldhana
Fix For: JBossAS-4.2.0.CR1
Original Estimate: 4 hours
Remaining Estimate: 4 hours
In some cases I wish to do authentication without authorisation. For example everybody
has access to my web-resource, but I want to know who she/he is.
Therefore the accessing user must login.
So my web.xml contains the following snippet:
...
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Helloworld example</web-resource-name>
<description/>
<url-pattern>/servlet/HelloWorldExample</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>public</realm-name>
</login-config>
...
The web app runs with this configuration in Tomcat 5.5.8 standalone but not in Jboss.
To run it in Jboss I have to add the following element:
<security-role>
<role-name>aRole</role-name>
</security-role>
The JACC spec (section 3.1.3.1, paragraph 3)states :
" ?. When an auth-constraint names the reserved role-name, "*", all of the
patterns in the containing security-constraint must be combined with all of the roles
defined in the web application."
JBoss implemented this by combining all of the patterns with all roles defined in the
web.xml and assumes that each role has to be defined in the web.xml.
But the web applications roles are probably defined in other files than the web.xml. In
our case we use JACC with an external authentication provider. And each time, the roles
changes, I also would have to modify the web.xml.
It is desirable if the auth-contraint with the role-name "*" acceppts
"all" roles and not only those that are defined in the web.xml.
Or is this a JACC spec issue?
Regards,
Andrea
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira