[jboss-jira] [JBoss JIRA] Updated: (JBAS-1824) JACC: <role-name>*</role-name> in web.xml

Anil Saldhana (JIRA) jira-events at jboss.com
Mon Nov 6 11:07:42 EST 2006


     [ http://jira.jboss.com/jira/browse/JBAS-1824?page=all ]

Anil Saldhana updated JBAS-1824:
--------------------------------

     Original Estimate: 4 hours  (was: 1 hour)
    Remaining Estimate: 4 hours  (was: 1 hour)
         Fix Version/s: JBossAS-4.2.0.CR1
                        JBossAS-4.0.5.SP1 
              Assignee: Anil Saldhana  (was: Scott M Stark)
            Complexity: Medium

Scheduling the configurable feature of WebResourcePermission("/any/*", null) approach, for the next release of JBoss 4.0.x.

> JACC: <role-name>*</role-name> in web.xml
> -----------------------------------------
>
>                 Key: JBAS-1824
>                 URL: http://jira.jboss.com/jira/browse/JBAS-1824
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: JBossAS-4.0.2 Final
>         Environment: -
>            Reporter: Roland R?z
>         Assigned To: Anil Saldhana
>            Priority: Minor
>             Fix For: JBossAS-4.2.0.CR1, JBossAS-4.0.5.SP1 
>
>   Original Estimate: 4 hours
>  Remaining Estimate: 4 hours
>
> In some cases I wish to do authentication without authorisation. For example everybody has access to my web-resource, but I want to know who she/he is.
> Therefore the accessing user must login.
> So my web.xml contains the following snippet:
> ...
>  <security-constraint>
>   <web-resource-collection>
>    <web-resource-name>Protected Helloworld example</web-resource-name>
>    <description/>
>    <url-pattern>/servlet/HelloWorldExample</url-pattern>
>    <http-method>POST</http-method>
>    <http-method>GET</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>    <role-name>*</role-name>
>   </auth-constraint>
>  </security-constraint>
>  <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>public</realm-name>
> </login-config>
> ...
> The web app runs with this configuration in Tomcat 5.5.8 standalone but not in JBoss.
> To run it in JBoss I have to add the following element:
>  <security-role>
>   <role-name>aRole</role-name>
>  </security-role>
> The JACC spec (section 3.1.3.1, paragraph 3) states:
> " ?. When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application."
> JBoss implemented this by combining all of the patterns with all roles defined in the web.xml and assumes that each role has to be defined in the web.xml.
> But the web application's roles are probably defined in other files than the web.xml. In our case we use JACC with an external authentication provider. And each time the roles change, I also would have to modify the web.xml.
> It is desirable if the auth-constraint with the role-name "*" accepts "all" roles and not only those that are defined in the web.xml.
> Or is this a JACC spec issue?
> Regards,
> Andrea
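
The expansion rule quoted in the report, modelled as a deployment-descriptor check (an added example, not part of the original message and not JBoss code). It assumes the behaviour described above, where "*" is combined only with roles declared in `<security-role>` elements of web.xml; the function names and the `<web-app>` wrapper around the reporter's snippet are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the reporter's constraint wrapped in a <web-app> root.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Protected Helloworld example</web-resource-name>
   <url-pattern>/servlet/HelloWorldExample</url-pattern>
   <http-method>POST</http-method>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
   <role-name>*</role-name>
  </auth-constraint>
 </security-constraint>
</web-app>"""

def _find_all(node, name):
    # Match on local name so namespaced descriptors are handled too.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def expand_star_constraints(web_xml):
    """For each constraint naming "*", return (url_pattern, methods, roles),
    where roles are only those declared via <security-role> in web.xml."""
    root = ET.fromstring(web_xml)
    declared = set()
    for sec_role in _find_all(root, "security-role"):
        declared.update(r.text.strip() for r in _find_all(sec_role, "role-name"))
    result = []
    for constraint in _find_all(root, "security-constraint"):
        auth = _find_all(constraint, "auth-constraint")
        if not auth:
            continue  # no auth-constraint: not covered by this check
        named = {r.text.strip() for r in _find_all(auth[0], "role-name")}
        if "*" not in named:
            continue  # explicit role list: no expansion needed
        methods = sorted(m.text.strip() for m in _find_all(constraint, "http-method"))
        for pattern in _find_all(constraint, "url-pattern"):
            result.append((pattern.text.strip(), methods, sorted(declared)))
    return result

def star_patterns_without_roles(web_xml):
    """URL patterns where "*" expands to an empty role set, so no
    authenticated caller is mapped to a permitted role."""
    return [p for p, _, roles in expand_star_constraints(web_xml) if not roles]

if __name__ == "__main__":
    print(star_patterns_without_roles(WEB_XML))
```

Running this over a descriptor before deployment flags the case from the report: a "*" constraint with no `<security-role>` declared, which the container described above cannot satisfy for any user.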
