[jboss-jira] [JBoss JIRA] (AS7-3282) HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

Remy Maucherat (JIRA) jira-events at lists.jboss.org
Fri Feb 3 19:18:48 EST 2012


     [ https://issues.jboss.org/browse/AS7-3282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remy Maucherat resolved AS7-3282.
---------------------------------

    Fix Version/s: 7.1.0.Final
       Resolution: Done


Using a system property to set the default (org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE). Not quite convinced why this should have more support.
                
> HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)
> --------------------------------------------------------------------------------
>
>                 Key: AS7-3282
>                 URL: https://issues.jboss.org/browse/AS7-3282
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 7.1.0.CR1b
>            Reporter: Robert Reimann
>            Assignee: Remy Maucherat
>             Fix For: 7.1.0.Final
>
>
> The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to HTTP Basic authentication failures. Accessing HTTP Basic protected resources always returns a 403 Forbidden response when using the security-constraint configuration below, which worked well under JBoss AS4 and AS6.
>  
> The security-constraint inside the web.xml is defined as follows:
> {code}
> <security-constraint>
>    <web-resource-collection>
>       <web-resource-name>protected resources</web-resource-name>
>       <url-pattern>/protected/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>       <description>any role allowed</description>
>       <role-name>*</role-name>
>    </auth-constraint>
> </security-constraint>
> {code}
> Activating trace logging revealed the following message:
> {code}
> 13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
> {code}
>  
> In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.
>  
> In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).
> The workaround of adding all security-roles to the web.xml, described in one of the forum references (https://community.jboss.org/message/617196#617196), is not a viable option for applications with a large number of dynamically changing roles.
> So please provide a configuration option for the allRolesMode property to allow for changes of the default behavior and ease the migration from earlier JBoss AS versions.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
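The allRolesMode behaviour the report describes, as an added Python model (not JBoss Web's or Tomcat's own code): it parses the quoted security-constraint and evaluates a request under strict and authOnly, so both the 403 from the report and the two migration options (declare the roles, or switch the mode) can be checked. The status codes, the helper names and the mode strings are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml from the issue: <role-name>*</role-name>, no <security-role>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected resources</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# Migration variant (constructed): same constraint plus an explicit <security-role>.
WEB_XML_WITH_ROLE = WEB_XML.replace(
    "</web-app>", "  <security-role><role-name>admin</role-name></security-role>\n</web-app>")

def parse_web_xml(text):
    """Return (declared security-role names, [(url-patterns, auth-constraint roles)])."""
    root = ET.fromstring(text)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")  # None means the resource is public
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        constraints.append((patterns, roles))
    return declared, constraints

def matches(pattern, path):
    # Servlet URL-pattern matching: '/x/*' is a path prefix, anything else is exact
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def check_access(web_xml, path, user_roles, all_roles_mode="strict"):
    """Return (HTTP status, reason). user_roles=None models an unauthenticated request."""
    declared, constraints = parse_web_xml(web_xml)
    for patterns, roles in constraints:
        if not any(matches(p, path) for p in patterns):
            continue
        if roles is None:
            return 200, "no auth-constraint on this resource"
        if user_roles is None:
            return 401, "authentication required"
        if "*" in roles:
            if all_roles_mode == "authOnly":
                return 200, "'*' under authOnly: any authenticated user"
            roles = declared  # strict: '*' stands only for roles declared in <security-role>
        if user_roles & roles:
            return 200, "user holds a permitted role"
        return 403, "user holds none of the permitted roles"
    return 200, "unconstrained path"
```

Note that authOnly widens `*` to every authenticated principal, so it is a deliberate relaxation of the servlet-spec check rather than a drop-in default for migrated applications.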