[jboss-jira] [JBoss JIRA] (WFLY-6809) Web authentication not treating "**" role constraint as expected

Stuart Douglas (JIRA) issues at jboss.org
Wed Aug 3 23:19:00 EDT 2016 

     [ https://issues.jboss.org/browse/WFLY-6809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas resolved WFLY-6809.
----------------------------------
    Fix Version/s: 10.1.0.Final
       Resolution: Done


> Web authentication not treating "**" role constraint as expected
> ----------------------------------------------------------------
>
>                 Key: WFLY-6809
>                 URL: https://issues.jboss.org/browse/WFLY-6809
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 10.0.0.Final
>            Reporter: Guillermo González de Agüero
>            Assignee: Stuart Douglas
>             Fix For: 10.1.0.Final
>
>         Attachments: rolestest.war
>
>
> Servlet spec 3.1 states at point 13.3:
> ??If the role-name of the security-role to be tested is “**”, and the application has NOT declared an application security-role with role-name “**”, isUserInRole must only return true if the user has been authenticated; that is, only when getRemoteUser and getUserPrincipal would both return a non-null value. Otherwise, the container must check the user for membership in the application role.??
> But Undertow treats the special role "**" as any other. With the following web.xml authorization succeeds, but authorization fails (403):
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
>          version="3.1">
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>**</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>     </login-config>
> </web-app>
> {code}
> With the following, and authenticating a user that has a role "**", the requested page is shown:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
>          version="3.1">
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>**</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>     </login-config>
>     <security-role>
>         <role-name>**</role-name>
>     </security-role>
> </web-app>
> {code}
> Reproducer war is attached.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list