[JBoss JIRA] (AS7-3282) HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)
2 a.m.
Robert Reimann created AS7-3282:
-----------------------------------
Summary: HTTP Basic authentication fails due to changed JBossWebRealm
defaults (AS6->AS7)
Key: AS7-3282
URL: https://issues.jboss.org/browse/AS7-3282
Project: Application Server 7
Issue Type: Bug
Components: Web
Affects Versions: 7.1.0.CR1b
Reporter: Robert Reimann
Assignee: Remy Maucherat
The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to
HTTP Basic authentication failures. Accessing HTTP Basic protected resources always
returns a 403 forbidden response when using the security-constraint configuration below
which worked well under (JBoss AS4 and AS6).
The security-constraint inside the web.xml is defined as follws:
{code}
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resources</web-resource-name>
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>any rolle allowed</description>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
{code}
Activating trace logging revealed the following message:
{code}
13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm]
(http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework
says:true:final=false
{code}
In AS6 the meaning of <role-name>*</role-name> was determined by the
allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml
and set to authOnly (= Allow any authenticated user) by default.
In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec
interpretation which requires that the user have one of the
web-app/security-role/role-name).
The workaround to add all security-rolles in the web.xml described in one of the forum
references (https://community.jboss.org/message/617196#617196) is no viable option for
applications with a large number of dynamically changing roles.
So please provide a configuration option for the allRolesMode property to allow for
changes of the default behavior and ease the migration from earlier JBoss AS versions.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:01 a.m.
[
https://issues.jboss.org/browse/AS7-3282?page=com.atlassian.jira.plugin.s...
]
Remy Maucherat commented on AS7-3282:
-------------------------------------
You seem to be aware of what the spec says and requires, yet you ask to continue being
able to ignore the specification. How about following the specification instead ?
HTTP Basic authentication fails due to changed JBossWebRealm defaults
(AS6->AS7)
--------------------------------------------------------------------------------
Key: AS7-3282
URL: https://issues.jboss.org/browse/AS7-3282
Project: Application Server 7
Issue Type: Bug
Components: Web
Affects Versions: 7.1.0.CR1b
Reporter: Robert Reimann
Assignee: Remy Maucherat
The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to
HTTP Basic authentication failures. Accessing HTTP Basic protected resources always
returns a 403 forbidden response when using the security-constraint configuration below
which worked well under (JBoss AS4 and AS6).
The security-constraint inside the web.xml is defined as follws:
{code}
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resources</web-resource-name>
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>any rolle allowed</description>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
{code}
Activating trace logging revealed the following message:
{code}
13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm]
(http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework
says:true:final=false
{code}
In AS6 the meaning of <role-name>*</role-name> was determined by the
allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml
and set to authOnly (= Allow any authenticated user) by default.
In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec
interpretation which requires that the user have one of the
web-app/security-role/role-name).
The workaround to add all security-rolles in the web.xml described in one of the forum
references (https://community.jboss.org/message/617196#617196) is no viable option for
applications with a large number of dynamically changing roles.
So please provide a configuration option for the allRolesMode property to allow for
changes of the default behavior and ease the migration from earlier JBoss AS versions.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:12 a.m.
[
https://issues.jboss.org/browse/AS7-3282?page=com.atlassian.jira.plugin.s...
]
Robert Reimann commented on AS7-3282:
-------------------------------------
Yes i'm aware of the spec but it's a matter of migration cost/effort. As i
described in the forum reference (https://community.jboss.org/message/645070#645070) we
have got a load of role-names and they aren't static so duplicating them inside the
web.xml is no viable option.
The servlet 2.4 spec (published in 2003) which redefined the meaning of
<role-name>*</role-name> was ignored for ages by previous JBoss AS versions
and consequently by the applications running on these versions with the default settings.
Changing the defaults to follow the spec is a comprehensible decision. But doing this
without providing a way to achieve backward compatibility is a serious migration issue for
our projects.
Since JBoss Web is based on Tomcat and the latter still contains the option to chose the
behavior
(http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/Rea...)
all i'm asking for is to expose these existing option via JBoss Web.
HTTP Basic authentication fails due to changed JBossWebRealm defaults
(AS6->AS7)
--------------------------------------------------------------------------------
Key: AS7-3282
URL: https://issues.jboss.org/browse/AS7-3282
Project: Application Server 7
Issue Type: Bug
Components: Web
Affects Versions: 7.1.0.CR1b
Reporter: Robert Reimann
Assignee: Remy Maucherat
The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to
HTTP Basic authentication failures. Accessing HTTP Basic protected resources always
returns a 403 forbidden response when using the security-constraint configuration below
which worked well under (JBoss AS4 and AS6).
The security-constraint inside the web.xml is defined as follws:
{code}
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resources</web-resource-name>
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>any rolle allowed</description>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
{code}
Activating trace logging revealed the following message:
{code}
13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm]
(http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework
says:true:final=false
{code}
In AS6 the meaning of <role-name>*</role-name> was determined by the
allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml
and set to authOnly (= Allow any authenticated user) by default.
In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec
interpretation which requires that the user have one of the
web-app/security-role/role-name).
The workaround to add all security-rolles in the web.xml described in one of the forum
references (https://community.jboss.org/message/617196#617196) is no viable option for
applications with a large number of dynamically changing roles.
So please provide a configuration option for the allRolesMode property to allow for
changes of the default behavior and ease the migration from earlier JBoss AS versions.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:30 a.m.
[
https://issues.jboss.org/browse/AS7-3282?page=com.atlassian.jira.plugin.s...
]
Remy Maucherat commented on AS7-3282:
-------------------------------------
Yes, I understand doing the right thing is never an option :)
HTTP Basic authentication fails due to changed JBossWebRealm defaults
(AS6->AS7)
--------------------------------------------------------------------------------
Key: AS7-3282
URL: https://issues.jboss.org/browse/AS7-3282
Project: Application Server 7
Issue Type: Bug
Components: Web
Affects Versions: 7.1.0.CR1b
Reporter: Robert Reimann
Assignee: Remy Maucherat
The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to
HTTP Basic authentication failures. Accessing HTTP Basic protected resources always
returns a 403 forbidden response when using the security-constraint configuration below
which worked well under (JBoss AS4 and AS6).
The security-constraint inside the web.xml is defined as follws:
{code}
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resources</web-resource-name>
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>any rolle allowed</description>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
{code}
Activating trace logging revealed the following message:
{code}
13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm]
(http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework
says:true:final=false
{code}
In AS6 the meaning of <role-name>*</role-name> was determined by the
allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml
and set to authOnly (= Allow any authenticated user) by default.
In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec
interpretation which requires that the user have one of the
web-app/security-role/role-name).
The workaround to add all security-rolles in the web.xml described in one of the forum
references (https://community.jboss.org/message/617196#617196) is no viable option for
applications with a large number of dynamically changing roles.
So please provide a configuration option for the allRolesMode property to allow for
changes of the default behavior and ease the migration from earlier JBoss AS versions.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:18 p.m.
[
https://issues.jboss.org/browse/AS7-3282?page=com.atlassian.jira.plugin.s...
]
Remy Maucherat resolved AS7-3282.
---------------------------------
Fix Version/s: 7.1.0.Final
Resolution: Done
Using a system property to set the default
(org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE). Not quite convinced why this should
have more support.
HTTP Basic authentication fails due to changed JBossWebRealm defaults
(AS6->AS7)
--------------------------------------------------------------------------------
Key: AS7-3282
URL: https://issues.jboss.org/browse/AS7-3282
Project: Application Server 7
Issue Type: Bug
Components: Web
Affects Versions: 7.1.0.CR1b
Reporter: Robert Reimann
Assignee: Remy Maucherat
Fix For: 7.1.0.Final
The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to
HTTP Basic authentication failures. Accessing HTTP Basic protected resources always
returns a 403 forbidden response when using the security-constraint configuration below
which worked well under (JBoss AS4 and AS6).
The security-constraint inside the web.xml is defined as follws:
{code}
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resources</web-resource-name>
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>any rolle allowed</description>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
{code}
Activating trace logging revealed the following message:
{code}
13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm]
(http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework
says:true:final=false
{code}
In AS6 the meaning of <role-name>*</role-name> was determined by the
allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml
and set to authOnly (= Allow any authenticated user) by default.
In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec
interpretation which requires that the user have one of the
web-app/security-role/role-name).
The workaround to add all security-rolles in the web.xml described in one of the forum
references (https://community.jboss.org/message/617196#617196) is no viable option for
applications with a large number of dynamically changing roles.
So please provide a configuration option for the allRolesMode property to allow for
changes of the default behavior and ease the migration from earlier JBoss AS versions.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4665
days inactive
4688
days old
4 comments
2 participants
participants (2)
-
Remy Maucherat (JIRA) -
Robert Reimann (JIRA)