RH Bugzilla Integration commented on WFLY-2358:
-----------------------------------------------
Paul Gier <pgier(a)redhat.com> changed the Status of [bug
setting <jacc-star-role-allow> in jboss-web.xml does not set
allRolesMode to "authOnly"
----------------------------------------------------------------------------------------
Key: WFLY-2358
URL: https://issues.jboss.org/browse/WFLY-2358
Project: WildFly
Issue Type: Bug
Components: Web (JBoss Web)
Affects Versions: 8.0.0.Beta1
Reporter: Derek Horton
Assignee: Remy Maucherat
I am trying to get only authentication (no authorization) to work for a web application.
In EAP 5, all that was required was to set the <role-name> to a '*' in
the <security-constraint> of the web.xml. I tried this in EAP 6,
however, it did not work.
I then found the <jacc-star-role-allow> setting that goes in the
jboss-web.xml. Unfortunately, adding this option did not cause the
wildcard ('*') role-name to work for allowing any authenticated user
to access the web application.
Using the following system property does appear to work:
org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
How reproducible:
Every time.
Steps to Reproduce:
1. Set <role-name>*</role-name> in the security-constraint
2. Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
3. Set the security-domain so that no roles are assigned to a user
4. Attempt to access the web app
Actual results:
403 - access denied
Expected results:
200 - access allowed
Additional info:
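
The following is an added example, not part of the original report or of WildFly's code: a small audit script that finds which URL patterns in a deployment rely on the wildcard role and whether `<jacc-star-role-allow>` is set, so those paths can be tested with an authenticated user who has no roles. The sample descriptors are constructed to match steps 1 and 2, and the security-domain name `example-domain` is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors matching steps 1 and 2 of the report.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>example-domain</security-domain>
  <jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>"""

def local(tag):
    """Strip an XML namespace such as {http://...}web-app from a tag name."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    """All descendants (and root itself) whose local tag name matches."""
    return [e for e in root.iter() if local(e.tag) == name]

def wildcard_constraints(web_xml):
    """URL patterns of security constraints whose auth-constraint lists role '*'."""
    patterns = []
    for sc in find_all(ET.fromstring(web_xml), "security-constraint"):
        roles = [(r.text or "").strip()
                 for ac in find_all(sc, "auth-constraint")
                 for r in find_all(ac, "role-name")]
        if "*" in roles:
            patterns += [(u.text or "").strip() for u in find_all(sc, "url-pattern")]
    return patterns

def star_role_allow(jboss_web_xml):
    """True if jboss-web.xml contains <jacc-star-role-allow>true</...>."""
    values = [(e.text or "").strip().lower()
              for e in find_all(ET.fromstring(jboss_web_xml), "jacc-star-role-allow")]
    return "true" in values

def audit(web_xml, jboss_web_xml):
    """Summarise what must be verified with a role-less authenticated user."""
    patterns = wildcard_constraints(web_xml)
    return {"wildcard_patterns": patterns,
            "jacc_star_role_allow": star_role_allow(jboss_web_xml),
            "needs_roleless_user_test": bool(patterns)}
```
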