[jboss-jira] [JBoss JIRA] (WFLY-2854) '**' role incorrectly returns false from isUserInRole when user is authenticated

arjan tijms (JIRA) issues at jboss.org
Fri Jan 31 16:53:29 EST 2014


     [ https://issues.jboss.org/browse/WFLY-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

arjan tijms updated WFLY-2854:
------------------------------

    Description: 
When authentication has taken place in a web application such that {{HttpServletRequest#getUserPrincipal}} does not return null, testing for role '**' using {{HttpServletRequest#isUserInRole}} returns false.

This is not correct. According to Servlet 13.3:

{quote}
{noformat}
If the role-name of the security-role to be tested is “**”, 
and the application has NOT declared an application security-role with 
role-name “**”, isUserInRole must only return true if the user has been
authenticated;
{noformat}
{quote}

This is demonstrated by the following test:

https://github.com/arjantijms/javaee7-samples/blob/master/jacc/contexts/src/test/java/org/javaee7/jacc/contexts/SubjectFromPolicyContextTest.java#L76


  was:
When authentication has taken place in a web application such that {{HttpServletRequest#getUserprincipap}} does not return null, testing for role '**' using {{HttpServletRequest#isUserInRole}} returns false.

This is not correct. According to Servlet 13.3:

{quote}
{noformat}
If the role-name of the security-role to be tested is “**”, 
and the application has NOT declared an application security-role with 
role-name “**”, isUserInRole must only return true if the user has been
authenticated;
{noformat}
{quote}

This is demonstrated by the following test:

https://github.com/arjantijms/javaee7-samples/blob/master/jacc/contexts/src/test/java/org/javaee7/jacc/contexts/SubjectFromPolicyContextTest.java#L76



    
> '**' role incorrectly returns false from isUserInRole when user is authenticated
> --------------------------------------------------------------------------------
>
>                 Key: WFLY-2854
>                 URL: https://issues.jboss.org/browse/WFLY-2854
>             Project: WildFly
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: 8.0.0.CR1
>            Reporter: arjan tijms
>            Assignee: Darran Lofthouse
>              Labels: role, roles, security, servlet
>
> When authentication has taken place in a web application such that {{HttpServletRequest#getUserPrincipal}} does not return null, testing for role '**' using {{HttpServletRequest#isUserInRole}} returns false.
> This is not correct. According to Servlet 13.3:
> {quote}
> {noformat}
> If the role-name of the security-role to be tested is “**”, 
> and the application has NOT declared an application security-role with 
> role-name “**”, isUserInRole must only return true if the user has been
> authenticated;
> {noformat}
> {quote}
> This is demonstrated by the following test:
> https://github.com/arjantijms/javaee7-samples/blob/master/jacc/contexts/src/test/java/org/javaee7/jacc/contexts/SubjectFromPolicyContextTest.java#L76

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
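A small diagnostic servlet that exercises the rule quoted in the report, added here as an example; it is not code from the WildFly project nor from the linked javaee7-samples test. It encodes the Servlet 3.1 section 13.3 expectation for `isUserInRole("**")` in a helper, then compares it with what the container actually returns, once without authentication and once after the container's login mechanism has run. It deliberately does not protect itself with a `**` auth-constraint, so the result does not depend on the constraint-enforcement path handling `**` correctly. Assumptions: the application's web.xml contains a `login-config` (BASIC or FORM) so that `HttpServletRequest#authenticate` can trigger a login, declares no `<security-role>` named `**`, and the path `/roletest`, the declared role `user` and the `noauth` query parameter are arbitrary choices for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Diagnostic servlet for the "**" role check (Servlet 3.1, section 13.3).
 * Added example, not code from WildFly or from the linked test; path and
 * role names are arbitrary choices.
 *
 * GET /roletest          -> forces a login, then reports isUserInRole("**")
 * GET /roletest?noauth   -> reports the same for an unauthenticated request
 */
@WebServlet("/roletest")
public class StarStarRoleServlet extends HttpServlet {

    // Assumption: web.xml declares no <security-role> named "**". There is no
    // Servlet API to read the declared roles back, so they are listed here as a
    // constant; keep it in sync with web.xml when using this check for real.
    private static final Set<String> DECLARED_ROLES = Collections.singleton("user");

    /**
     * What section 13.3 requires isUserInRole("**") to return, given the
     * current principal (null when unauthenticated) and the declared roles.
     * The quoted rule only covers the case where "**" is NOT declared; if an
     * application does declare a role named "**", it is an ordinary role and
     * the container's normal role mapping decides, so null ("not covered by
     * this rule") is returned for that case.
     */
    static Boolean expectedStarStar(Principal principal, Set<String> declaredRoles) {
        if (declaredRoles.contains("**")) {
            return null;
        }
        return principal != null; // authenticated <=> true, unauthenticated <=> false
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        boolean skipLogin = req.getParameter("noauth") != null;

        if (!skipLogin && req.getUserPrincipal() == null) {
            // Ask the container to run the login mechanism from web.xml. If it
            // committed a challenge (401 / redirect to the form), stop here; the
            // client will come back authenticated on the next request.
            if (!req.authenticate(resp)) {
                return;
            }
        }

        Principal principal = req.getUserPrincipal();
        boolean actual = req.isUserInRole("**");
        Boolean expected = expectedStarStar(principal, DECLARED_ROLES);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("getUserPrincipal()  : " + (principal == null ? "null" : principal.getName()));
        out.println("isUserInRole(\"**\") : " + actual);
        if (expected == null) {
            out.println("verdict             : \"**\" is a declared role; section 13.3 rule does not apply");
        } else if (expected.booleanValue() == actual) {
            out.println("verdict             : conforms to Servlet 13.3");
        } else {
            // An authenticated principal together with false here is exactly
            // the behaviour this issue reports.
            out.println("verdict             : VIOLATES Servlet 13.3 (expected " + expected + ")");
        }
    }
}
```

Read both outputs together: the `?noauth` request must report `null` and `false`, and the authenticated request must report the principal name and `true`. Only the second half is what this issue is about, but the first half guards against a container that "fixes" the bug by returning `true` unconditionally, which the word "only" in the quoted rule forbids.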
