[JBoss JIRA] Commented: (JBAS-1824) JACC: <role-name>*</role-name> in web.xml

Friday, 3 November 2006

    [ http://jira.jboss.com/jira/browse/JBAS-1824?page=comments#action_12346229 ] 

Roland R?z commented on JBAS-1824:
----------------------------------

Sadly, the new feature described in http://jira.jboss.com/jira/browse/JBAS-2926 is just
about tomcat and not jacc. 

Providing such a feature prevents from ugly workarounds. For example writing a simple
public web service (with an EJB3 stateless session bean) requires the developer to add for
example the @RolesAllowed("friend") at the class level, else in the generated
web deployment is not able to produce the jacc permissions. 

The proposed change at the JACC layer by using a WebResourcePermission("xyz",
null) looks like a good solution. Until that is implemented JBoss could provide a feature
similar as the following:

org.jboss.web.WebPermissionMapping#createPermissions():
...
     // Get the qualified url pattern
                  PatternInfo info = (PatternInfo) patternMap.get(url);
                  Iterator roles = wsmd.getRoles().iterator();
                  HashSet mappedRoles = new HashSet();
                  while( roles.hasNext() )
                  {
                     String role = (String) roles.next();
                     if( role.equals("*") )
                     {
                    	if (Boolean.valueOf(              

System.getProperty("jboss.tomcat.jacc.allow-all.role.for.star",
"false")).booleanValue()) {
			// add the "ALLOW-ALL" which could be handled
                                // generically in jacc
                    		mappedRoles.add("ALLOW-ALL");
                    	}
                        // The wildcard ref maps to all declared security-role names
                        Iterator allRoles = metaData.getSecurityRoleNames().iterator();
                        while( allRoles.hasNext() )
                        {
                           role = (String) allRoles.next();
                           mappedRoles.add(role);
                        }
                     }
                     else
                     {
                        mappedRoles.add(role);
                     }
                  }
...

This feature would allow to handle the role * generically in the jacc provider. The
developer just sets the jboss.tomcat.jacc.allow-all.role.for.star system property to true
and uses then the role * as a role which any authenticated user has.

...
 JACC: <role-name>*</role-name> in web.xml
 -----------------------------------------

                 Key: JBAS-1824
                 URL: http://jira.jboss.com/jira/browse/JBAS-1824
             Project: JBoss Application Server
          Issue Type: Feature Request
          Components: Security
    Affects Versions: JBossAS-4.0.2 Final
         Environment: -
            Reporter: Roland R?z
         Assigned To: Scott M Stark
            Priority: Minor
   Original Estimate: 1 hour
  Remaining Estimate: 1 hour

 In some cases I wish to do authentication without authorisation. For example everybody
has access to my web-resource, but I want to know who she/he is.
 Therefore the accessing user must login.
 So my web.xml contains the following snippet:
 ...
  <security-constraint>
   <web-resource-collection>
    <web-resource-name>Protected Helloworld example</web-resource-name>
    <description/>
    <url-pattern>/servlet/HelloWorldExample</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
   </web-resource-collection>
   <auth-constraint>
    <role-name>*</role-name>
   </auth-constraint>
  </security-constraint>
  <login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>public</realm-name>
 </login-config>
 ...
 The web app runs with this configuration in Tomcat 5.5.8 standalone but not in Jboss.
 To run it in Jboss I have to add the following element:
  <security-role>
   <role-name>aRole</role-name>
  </security-role>
 The JACC spec (section 3.1.3.1, paragraph 3)states :
 " ?. When an auth-constraint names the reserved role-name, "*", all of the
patterns in the containing security-constraint must be combined with all of the roles
defined in the web application."
 JBoss implemented this by combining all of the patterns with all roles defined in the
web.xml and assumes that each role has to be defined in the web.xml.
 But the web applications roles are probably defined in other files than the web.xml. In
our case we use JACC with an external authentication provider. And each time, the roles
changes, I also would have to modify the web.xml.
 It is desirable if the auth-contraint with the role-name "*" acceppts
"all" roles and not only those that are defined in the web.xml.
 Or is this a JACC spec issue?
 Regards,
 Andrea 
-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006