[jboss-jira] [JBoss JIRA] (WFLY-2358) setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"

RH Bugzilla Integration (JIRA) issues at jboss.org
Tue Sep 16 15:15:17 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13003153#comment-13003153 ] 

RH Bugzilla Integration commented on WFLY-2358:
-----------------------------------------------

Paul Gier <pgier at redhat.com> changed the Status of [bug 1022240|https://bugzilla.redhat.com/show_bug.cgi?id=1022240] from MODIFIED to ON_QA

>  setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
> ----------------------------------------------------------------------------------------
>
>                 Key: WFLY-2358
>                 URL: https://issues.jboss.org/browse/WFLY-2358
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (JBoss Web)
>    Affects Versions: 8.0.0.Beta1
>            Reporter: Derek Horton
>            Assignee: Remy Maucherat
>
> I am trying to get only authentication (no authorization) to work for a web application.
> In EAP 5, all that was required was to set the <role-name> to a '*' in
> the <security-constraint> of the web.xml.  I tried this in EAP 6,
> however, it did not work.
> I then found the <jacc-star-role-allow> setting that goes in the
> jboss-web.xml.  Unfortunately, adding this option did not cause the
> wildcard ('*') role-name to work for allowing any authenticated user 
> to access the web application.
> Using the following system property does appear to work:
> org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
> How reproducible:
> Every time.
> Steps to Reproduce:
> 1.  Set <role-name>*</role-name> in the security-constraint
> 2.  Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
> 3.  Set the security-domain so that no roles are assigned to a user
> 4.  Attempt to access the web app
> Actual results:
> 403 - access denied
> Expected results:
> 200 - access allowed
> Additional info:
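The configuration the steps to reproduce describe, written out as an added example (it is not an attachment from the report): a web.xml that constrains the whole application to role `*`, the jboss-web.xml switch the reporter tried, and the RealmBase system property the report says does work, here placed in the server's `<system-properties>` block (an assumption; the report does not say where it was set). The security-domain name and URL pattern are placeholders.

```xml
<!-- WEB-INF/web.xml (constructed example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- '*' is meant to admit any authenticated user, whatever roles they hold -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>
  <!-- deliberately no <security-role> entries: users carry no roles -->
</web-app>

<!-- WEB-INF/jboss-web.xml (constructed example) -->
<jboss-web>
  <!-- placeholder domain; configure it so logins succeed but assign no roles -->
  <security-domain>example-domain</security-domain>
  <!-- the setting the report says does NOT switch allRolesMode to authOnly -->
  <jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>

<!-- standalone.xml fragment (assumption: one place to set the property the
     report says does work; the report does not state where it was set) -->
<system-properties>
  <property name="org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE"
            value="authOnly"/>
</system-properties>
```

With the property unset the realm stays in its default strict mode, where `*` is not treated as "any authenticated user", so a role-less user gets the 403 the report describes; only authOnly gives the 200 it expects.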


