[jboss-jira] [JBoss JIRA] (WFLY-3261) Security constraint does not protect URL
Simon Martinelli (JIRA)
issues at jboss.org
Tue Apr 15 08:34:35 EDT 2014
[ https://issues.jboss.org/browse/WFLY-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Simon Martinelli updated WFLY-3261:
-----------------------------------
Description:
Security constraint works as expected on JBoss EAP 6.2.2 and JBoss AS 7.1.1.Final but not on WildFly
*web.xml*
{{
<security-constraint>
    <display-name>Spaces</display-name>
    <web-resource-collection>
        <web-resource-name>spaces</web-resource-name>
        <url-pattern>/spaces/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
}}
*jboss-web.xml*
{{
<jboss-web>
    <context-root>/jtaf</context-root>
    <security-domain>jtaf</security-domain>
</jboss-web>
}}
*standalone.xml*
{{
<security-domain name="jtaf" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
            <module-option name="principalsQuery" value="select secret from securityuser where email = ?"/>
            <module-option name="rolesQuery" value="select name, 'Roles' from securitygroup where email = ?"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="hashAlgorithm" value="MD5"/>
            <module-option name="hashEncoding" value="base64"/>
        </login-module>
    </authentication>
</security-domain>
}}
was:
Security constraint works as expected on JBoss EAP 6.2.2 and JBoss AS 7.1.1.Final but no on Wildfly
--> web.xml
<security-constraint>
<display-name>Spaces</display-name>
<web-resource-collection>
<web-resource-name>spaces</web-resource-name>
<url-pattern>/spaces/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
--> jobss-web.xml
<jboss-web>
<context-root>/jtaf</context-root>
<security-domain>jtaf</security-domain>
</jboss-web>
--> standalone.xml
<security-domain name="jtaf" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
<module-option name="principalsQuery" value="select secret from securityuser where email = ?"/>
<module-option name="rolesQuery" value="select name, 'Roles' from securitygroup where email = ?"/>
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="base64"/>
</login-module>
</authentication>
</security-domain>
> Security constraint does not protect URL
> ----------------------------------------
>
> Key: WFLY-3261
> URL: https://issues.jboss.org/browse/WFLY-3261
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Affects Versions: 8.1.0.CR1
> Reporter: Simon Martinelli
> Assignee: Stuart Douglas
>
> Security constraint works as expected on JBoss EAP 6.2.2 and JBoss AS 7.1.1.Final but not on WildFly
> *web.xml*
> {{
> <security-constraint>
>     <display-name>Spaces</display-name>
>     <web-resource-collection>
>         <web-resource-name>spaces</web-resource-name>
>         <url-pattern>/spaces/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>user</role-name>
>     </auth-constraint>
> </security-constraint>
> }}
> *jboss-web.xml*
> {{
> <jboss-web>
>     <context-root>/jtaf</context-root>
>     <security-domain>jtaf</security-domain>
> </jboss-web>
> }}
> *standalone.xml*
> {{
> <security-domain name="jtaf" cache-type="default">
>     <authentication>
>         <login-module code="Database" flag="required">
>             <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
>             <module-option name="principalsQuery" value="select secret from securityuser where email = ?"/>
>             <module-option name="rolesQuery" value="select name, 'Roles' from securitygroup where email = ?"/>
>             <module-option name="password-stacking" value="useFirstPass"/>
>             <module-option name="hashAlgorithm" value="MD5"/>
>             <module-option name="hashEncoding" value="base64"/>
>         </login-module>
>     </authentication>
> </security-domain>
> }}