[jboss-jira] [JBoss JIRA] (WFLY-3261) Security constraint does not protect URL

Dino Tsoumakis (JIRA) issues at jboss.org
Tue Apr 15 09:46:34 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-3261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12962035#comment-12962035 ] 

Dino Tsoumakis commented on WFLY-3261:
--------------------------------------

Similar problem here. This is really a blocker for us.
                
> Security constraint does not protect URL
> ----------------------------------------
>
>                 Key: WFLY-3261
>                 URL: https://issues.jboss.org/browse/WFLY-3261
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.CR1
>            Reporter: Simon Martinelli
>            Assignee: Stuart Douglas
>
> Security constraint works as expected on JBoss EAP 6.2.2 and JBoss AS 7.1.1.Final but not on WildFly.
> *web.xml*
> {code:xml}
> <security-constraint>
>   <display-name>Spaces</display-name>
>   <web-resource-collection>
>     <web-resource-name>spaces</web-resource-name>
>     <url-pattern>/spaces/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
> {code}
> *jboss-web.xml*
> {code:xml}
> <jboss-web>
>   <context-root>/jtaf</context-root>
>   <security-domain>jtaf</security-domain>
> </jboss-web>
> {code}
> *standalone.xml*
> {code:xml}
> <security-domain name="jtaf" cache-type="default">
>   <authentication>
>     <login-module code="Database" flag="required">
>       <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
>       <module-option name="principalsQuery" value="select secret from securityuser where email = ?"/>
>       <module-option name="rolesQuery" value="select name, 'Roles' from securitygroup where email = ?"/>
>       <module-option name="password-stacking" value="useFirstPass"/>
>       <module-option name="hashAlgorithm" value="MD5"/>
>       <module-option name="hashEncoding" value="base64"/>
>     </login-module>
>   </authentication>
> </security-domain>
> {code}
