[jboss-jira] [JBoss JIRA] Commented: (JBAS-6130) AS5:JACC: <role-name>*</role-name> in web.xml should allow configurable authorization bypass

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Thu Oct 23 10:43:21 EDT 2008 

    [ https://jira.jboss.org/jira/browse/JBAS-6130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12435137#action_12435137 ] 

Anil Saldhana commented on JBAS-6130:
-------------------------------------

This feature exists in 4.x

> AS5:JACC: <role-name>*</role-name> in web.xml should allow configurable authorization bypass
> --------------------------------------------------------------------------------------------
>
>                 Key: JBAS-6130
>                 URL: https://jira.jboss.org/jira/browse/JBAS-6130
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: JBossAS-4.0.2 Final
>         Environment: -
>            Reporter: Anil Saldhana
>            Assignee: Anil Saldhana
>             Fix For: JBossAS-5.0.0.GA
>
>   Original Estimate: 4 hours
>  Remaining Estimate: 4 hours
>
> In some cases I wish to do authentication without authorisation. For example everybody has access to my web-resource, but I want to know who she/he is.
> Therefore the accessing user must login.
> So my web.xml contains the following snippet:
> ...
>  <security-constraint>
>   <web-resource-collection>
>    <web-resource-name>Protected Helloworld example</web-resource-name>
>    <description/>
>    <url-pattern>/servlet/HelloWorldExample</url-pattern>
>    <http-method>POST</http-method>
>    <http-method>GET</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>    <role-name>*</role-name>
>   </auth-constraint>
>  </security-constraint>
>  <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>public</realm-name>
> </login-config>
> ...
> The web app runs with this configuration in Tomcat 5.5.8 standalone but not in Jboss.
> To run it in Jboss I have to add the following element:
>  <security-role>
>   <role-name>aRole</role-name>
>  </security-role>
> The JACC spec (section 3.1.3.1, paragraph 3)states :
> " ?. When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application."
> JBoss implemented this by combining all of the patterns with all roles defined in the web.xml and assumes that each role has to be defined in the web.xml.
> But the web applications roles are probably defined in other files than the web.xml. In our case we use JACC with an external authentication provider. And each time, the roles changes, I also would have to modify the web.xml.
> It is desirable if the auth-contraint with the role-name "*" acceppts "all" roles and not only those that are defined in the web.xml.
> Or is this a JACC spec issue?
> Regards,
> Andrea

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list