[jboss-jira] [JBoss JIRA] (WFLY-2358) setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"

RH Bugzilla Integration (JIRA) jira-events at lists.jboss.org
Tue Nov 19 09:47:06 EST 2013


     [ https://issues.jboss.org/browse/WFLY-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

RH Bugzilla Integration updated WFLY-2358:
------------------------------------------

    Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1022240, https://bugzilla.redhat.com/show_bug.cgi?id=1026418  (was: https://bugzilla.redhat.com/show_bug.cgi?id=1022240)

    
>  setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
> ----------------------------------------------------------------------------------------
>
>                 Key: WFLY-2358
>                 URL: https://issues.jboss.org/browse/WFLY-2358
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (JBoss Web)
>    Affects Versions: 8.0.0.Beta1
>            Reporter: Derek Horton
>            Assignee: Remy Maucherat
>
> I am trying to get only authentication (no authorization) to work for a web application.
> In EAP 5, all that was required was to set the <role-name> to a '*' in
> the <security-constraint> of the web.xml.  I tried this in EAP 6,
> however, it did not work.
> I then found the <jacc-star-role-allow> setting that goes in the
> jboss-web.xml.  Unfortunately, adding this option did not cause the
> wildcard ('*') role-name to work for allowing any authenticated user
> to access the web application.
> Using the following system property does appear to work:
> org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
> How reproducible:
> Every time.
> Steps to Reproduce:
> 1.  Set <role-name>*</role-name> in the security-constraint
> 2.  Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
> 3.  Set the security-domain so that no roles are assigned to a user
> 4.  Attempt to access the web app
> Actual results:
> 403 - access denied
> Expected results:
> 200 - access allowed
> Additional info:

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
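The deployment descriptors behind the reporter's steps 1 to 3, written out as an added example (constructed here, not copied from the issue or from WildFly's own sources); the url-pattern, realm name and security-domain name are assumptions, and the login-config is included because "authentication only" still needs an auth-method declared:

```xml
<!-- WEB-INF/web.xml (step 1): the wildcard role in the auth-constraint.
     Constructed example; url-pattern and realm-name are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Intended meaning: any authenticated user, regardless of role.
         The issue reports that WildFly 8.0.0.Beta1 answers 403 here
         even with jacc-star-role-allow set. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>example-realm</realm-name>
</login-config>

<!-- WEB-INF/jboss-web.xml (steps 2 and 3): the JACC star-role switch and
     the security domain whose users carry no roles (domain name assumed). -->
<jboss-web>
  <security-domain>example-domain</security-domain>
  <jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>
```

The reporter's working alternative is the JVM system property org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly quoted above. Separately, the Servlet 3.1 specification defines the special role-name `**` as "any authenticated user independent of role", which is the portable way to express this intent on containers that implement it.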