Stuart Douglas resolved WFLY-6318.
----------------------------------
Fix Version/s: 10.1.0.Final
Resolution: Done
Resolved by Undertow 1.3.19.Final
auth-constraint with role name ** does not work as specified
------------------------------------------------------------
Key: WFLY-6318
URL: https://issues.jboss.org/browse/WFLY-6318
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 10.0.0.Final
Reporter: Harald Wellmann
Assignee: Stuart Douglas
Fix For: 10.1.0.Final
The following security constraint does not work as expected:
{code}
<security-constraint>
    <display-name>secure resource</display-name>
    <web-resource-collection>
        <web-resource-name>welcome page</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>**</role-name>
    </auth-constraint>
</security-constraint>
{code}
According to Servlet Specification 3.1, section 13.8, any authenticated user should be
able to access the secured resources, but all I get is a {{Forbidden}} error page.
Stepping through the code, I can see that {{ServletSecurityRoleHandler}} is processing a
{{SingleConstraintMatch}} with {{emptyRoleSemantic == PERMIT}} and
{{requiredRoles == [**]}}.
More likely, this should be {{emptyRoleSemantic == AUTHENTICATE}} and
{{requiredRoles == []}}.
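
The difference between comparing {{**}} as a literal role name and giving it the Servlet 3.1 section 13.8 meaning, as an added example that is not part of the original report and is not Undertow code. The class and method names are hypothetical, the sample roles are constructed, and {{List.of}}/{{Set.of}} assume Java 9 or later.

```java
import java.util.List;
import java.util.Set;

// Added illustration: a simplified model of role matching, not Undertow's implementation.
public class AuthConstraintDemo {

    // Literal matching: "**" is compared like any other role name.
    static boolean literalMatch(List<String> constraintRoles, boolean authenticated,
                                Set<String> userRoles) {
        return authenticated && constraintRoles.stream().anyMatch(userRoles::contains);
    }

    // Servlet 3.1 section 13.8 meaning of the role names in one auth-constraint.
    // declaredRoles: the <security-role> names of the deployment (assumed input).
    static boolean specMatch(List<String> constraintRoles, Set<String> declaredRoles,
                             boolean authenticated, Set<String> userRoles) {
        if (constraintRoles.isEmpty()) {
            return false; // auth-constraint naming no roles: access is never permitted
        }
        if (!authenticated) {
            return false; // every named role requires an authenticated caller
        }
        for (String role : constraintRoles) {
            if (role.equals("**")) {
                return true; // any authenticated user, independent of role
            }
            if (role.equals("*")) {
                // shorthand for all role names defined in the deployment descriptor
                if (declaredRoles.stream().anyMatch(userRoles::contains)) {
                    return true;
                }
            } else if (userRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> constraint = List.of("**"); // role list from the report
        Set<String> declared = Set.of("admin");  // constructed sample
        Set<String> noRoles = Set.of();          // authenticated user holding no roles
        System.out.println("literal, authenticated: " + literalMatch(constraint, true, noRoles));
        System.out.println("spec, authenticated:    " + specMatch(constraint, declared, true, noRoles));
        System.out.println("spec, anonymous:        " + specMatch(constraint, declared, false, noRoles));
        System.out.println("spec, \"*\" and no roles: " + specMatch(List.of("*"), declared, true, noRoles));
    }
}
```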