Stuart Douglas updated WFLY-2854:
---------------------------------
Component/s: Web (Undertow)
'**' role incorrectly returns false from isUserInRole when user is authenticated
--------------------------------------------------------------------------------
Key: WFLY-2854
URL: https://issues.jboss.org/browse/WFLY-2854
Project: WildFly
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Security, Web (Undertow)
Affects Versions: 8.0.0.CR1
Reporter: arjan tijms
Assignee: Stuart Douglas
Labels: role, roles, security, servlet
When authentication has taken place in a web application such that
{{HttpServletRequest#getUserPrincipal}} does not return null, testing for role
'**' using {{HttpServletRequest#isUserInRole}} returns false.
This is not correct. According to Servlet 13.3:
{quote}
{noformat}
If the role-name of the security-role to be tested is “**”,
and the application has NOT declared an application security-role with
role-name “**”, isUserInRole must only return true if the user has been
authenticated;
{noformat}
{quote}
This is demonstrated by the following test:
https://github.com/arjantijms/javaee7-samples/blob/master/jacc/contexts/s...
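The Servlet 13.3 rule quoted above, modelled in plain Java as an added example (it is not WildFly or Undertow code and not the reporter's linked test). The class name, method signature, user name and role sets are assumptions made for illustration.

```java
import java.util.Set;

// Illustrative model of the Servlet 13.3 rule for isUserInRole("**").
// Hypothetical class: not the Undertow implementation or the linked test.
public class AnyAuthenticatedRoleCheck {

    static final String ANY_AUTHENTICATED = "**";

    // principalName is null when getUserPrincipal() would return null.
    // callerRoles: roles mapped to the caller; declaredRoles: the application's security-roles.
    static boolean isUserInRole(String principalName, Set<String> callerRoles,
                                Set<String> declaredRoles, String roleName) {
        if (principalName == null) {
            return false; // an unauthenticated caller is in no role
        }
        if (ANY_AUTHENTICATED.equals(roleName)
                && !declaredRoles.contains(ANY_AUTHENTICATED)) {
            return true; // "**" not declared by the application: authentication alone decides
        }
        // Ordinary role, or "**" declared as a real application role: membership check.
        return callerRoles.contains(roleName);
    }

    static void expect(boolean expected, boolean actual, String label) {
        if (expected != actual) throw new AssertionError(label);
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> declared = Set.of("architect");
        Set<String> declaredWithStars = Set.of("architect", "**");
        Set<String> roles = Set.of("architect");

        // The case this issue reports as wrongly returning false.
        expect(true, isUserInRole("test", roles, declared, "**"),
               "authenticated, '**' undeclared");
        expect(false, isUserInRole(null, Set.of(), declared, "**"),
               "unauthenticated");
        expect(false, isUserInRole("test", roles, declaredWithStars, "**"),
               "'**' declared as an application role the caller lacks");
        expect(true, isUserInRole("test", roles, declared, "architect"),
               "ordinary role lookup");
    }
}
```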