[jboss-jira] [JBoss JIRA] (WFLY-2358) setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
RH Bugzilla Integration (JIRA)
jira-events at lists.jboss.org
Tue Nov 19 09:47:06 EST 2013
[ https://issues.jboss.org/browse/WFLY-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
RH Bugzilla Integration updated WFLY-2358:
------------------------------------------
Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1022240 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1022240, https://bugzilla.redhat.com/show_bug.cgi?id=1026418)
> setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
> ----------------------------------------------------------------------------------------
>
> Key: WFLY-2358
> URL: https://issues.jboss.org/browse/WFLY-2358
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (JBoss Web)
> Affects Versions: 8.0.0.Beta1
> Reporter: Derek Horton
> Assignee: Remy Maucherat
>
> I am trying to get only authentication (no authorization) to work for a web application.
> In EAP 5, all that was required was to set the <role-name> to a '*' in
> the <security-constraint> of the web.xml. I tried this in EAP 6,
> however, it did not work.
> I then found the <jacc-star-role-allow> setting that goes in the
> jboss-web.xml. Unfortunately, adding this option did not cause the
> wildcard ('*') role-name to work for allowing any authenticated user
> to access the web application.
> Using the following system property does appear to work:
> org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
> How reproducible:
> Every time.
> Steps to Reproduce:
> 1. Set <role-name>*</role-name> in the security-constraint
> 2. Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
> 3. Set the security-domain so that no roles are assigned to a user
> 4. Attempt to access the web app
> Actual results:
> 403 - access denied
> Expected results:
> 200 - access allowed
> Additional info:
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira