[jboss-jira] [JBoss JIRA] (WFLY-2358) setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"

Derek Horton (JIRA) jira-events at lists.jboss.org
Tue Oct 22 15:54:01 EDT 2013


Derek Horton created WFLY-2358:
----------------------------------

             Summary:  setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
                 Key: WFLY-2358
                 URL: https://issues.jboss.org/browse/WFLY-2358
             Project: WildFly
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Web (JBoss Web)
    Affects Versions: 8.0.0.Beta1
            Reporter: Derek Horton
            Assignee: Remy Maucherat


I am trying to get only authentication (no authorization) to work for a web application.

In EAP 5, all that was required was to set the <role-name> to a '*' in
the <security-constraint> of the web.xml.  I tried this in EAP 6,
however, it did not work.

I then found the <jacc-star-role-allow> setting that goes in the
jboss-web.xml.  Unfortunately, adding this option did not cause the
wildcard ('*') role-name to work for allowing any authenticated user 
to access the web application.

Using the following system property does appear to work:
org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly

How reproducible:
Every time.


Steps to Reproduce:
1.  Set <role-name>*</role-name> in the security-constraint
2.  Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
3.  Set the security-domain so that no roles are assigned to a user
4.  Attempt to access the web app

Actual results:
403 - access denied

Expected results:
200 - access allowed

Additional info:

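As an added illustration (not code from this report, from WildFly or from JBoss Web), the following Python models how a JBoss Web / Tomcat style realm resolves the special `*` role under each `allRolesMode` value, which is what separates the 403 the reporter sees from the 200 obtained with `ALL_ROLES_MODE=authOnly`. The web.xml fragments are constructed to mirror the report (a constraint whose only role is `*`, and no `<security-role>` declarations); the mode semantics follow Tomcat's documented realm behaviour, while the parsing and the status codes are this example's own simplification.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml mirroring the report: one constraint whose only role is
# '*' and no <security-role> declarations at all.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Same constraint, but the application also declares a role named "user".
WEB_XML_DECLARED = WEB_XML.replace(
    "</web-app>",
    "  <security-role><role-name>user</role-name></security-role>\n</web-app>")

MODES = ("strict", "authOnly", "strictAuthOnly")


def _local(tag):
    """Drop the XML namespace so lookups do not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]


def parse_web_xml(xml_text):
    """Return (constraint_roles, declared_roles) from a web.xml document.

    constraint_roles: names listed under <auth-constraint>.
    declared_roles:   names from top-level <security-role>, which is the set
                      that '*' expands to in strict mode.
    """
    root = ET.fromstring(xml_text)
    constraint_roles, declared_roles = set(), set()
    for el in root.iter():
        name = _local(el.tag)
        if name == "auth-constraint":
            constraint_roles.update(
                (r.text or "").strip() for r in el if _local(r.tag) == "role-name")
        elif name == "security-role":
            declared_roles.update(
                (r.text or "").strip() for r in el if _local(r.tag) == "role-name")
    return constraint_roles, declared_roles


def star_matches(mode, declared_roles, principal_roles):
    """Resolve the special '*' role for an already authenticated principal.

    strict         : '*' means "any role declared in web.xml"; the principal
                     must hold at least one of them (the container default).
    authOnly       : any authenticated principal satisfies '*'.
    strictAuthOnly : authOnly unless web.xml declares roles, in which case the
                     principal must hold at least one of them.
    """
    if mode == "authOnly":
        return True
    if mode == "strictAuthOnly" and not declared_roles:
        return True
    return bool(declared_roles & principal_roles)


def check_access(xml_text, principal_roles, authenticated=True, mode="strict"):
    """Return the HTTP status a container would produce: 200, 401 or 403."""
    if mode not in MODES:
        raise ValueError(f"unknown allRolesMode: {mode}")
    constraint_roles, declared_roles = parse_web_xml(xml_text)
    if not constraint_roles:
        return 200                      # no auth-constraint: unprotected
    if not authenticated:
        return 401                      # challenge before any role check
    for role in constraint_roles:
        if role == "*":
            if star_matches(mode, declared_roles, set(principal_roles)):
                return 200
        elif role in principal_roles:
            return 200
    return 403


if __name__ == "__main__":
    # The report's scenario: authenticated user with no roles at all.
    for mode in MODES:
        print(f"{mode:15s} -> {check_access(WEB_XML, set(), mode=mode)}")
```

Run it and the `strict` row reproduces the 403 from the report while `authOnly` gives the expected 200; `strictAuthOnly` only behaves like `authOnly` while the application declares no roles, so adding a `<security-role>` later would silently turn it back into a role check.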

