[jboss-jira] [JBoss JIRA] (WFLY-6809) Web authentication not treating "**" role constraint as expected

Guillermo González de Agüero (JIRA) issues at jboss.org
Thu Jul 7 14:14:00 EDT 2016


Guillermo González de Agüero created WFLY-6809:
--------------------------------------------------

             Summary: Web authentication not treating "**" role constraint as expected
                 Key: WFLY-6809
                 URL: https://issues.jboss.org/browse/WFLY-6809
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
            Reporter: Guillermo González de Agüero
            Assignee: Stuart Douglas
         Attachments: rolestest.war

Servlet spec 3.1 states at point 13.3:

??If the role-name of the security-role to be tested is “**”, and the application has NOT declared an application security-role with role-name “**”, isUserInRole must only return true if the user has been authenticated; that is, only when getRemoteUser and getUserPrincipal would both return a non-null value. Otherwise, the container must check the user for membership in the application role.??

But Undertow treats the special role "**" as any other. With the following web.xml, authentication succeeds, but authorization fails (403):

{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>
{code}

With the following, and authenticating a user that has a role "**", the requested page is shown:


{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <role-name>**</role-name>
    </security-role>
</web-app>
{code}

Reproducer war is attached.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
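The following is an added example, not code from the issue reporter, WildFly or Undertow: a small Python model of the Servlet 3.1 section 13.3 rule for the "**" role. It parses the two web.xml variants from the report (reduced, constructed copies embedded inline), decides whether "**" was declared as an application security-role, and returns the status a spec-compliant container should produce. The `honor_wildcard=False` path models the reported behaviour, where "**" is checked like an ordinary role name. The function names, the principals and the web.xml strings are this example's own assumptions.

```python
"""Spec model of the Servlet 3.1 "**" role-name rule (section 13.3).

Added example, not part of the JIRA issue or of WildFly/Undertow. The
helper names, the constructed web.xml strings and the principals are
assumptions made for illustration only.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}


@dataclass
class Principal:
    name: Optional[str]                       # None models an unauthenticated request
    roles: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class WebXml:
    declared_roles: FrozenSet[str]            # <security-role>/<role-name> entries
    # (url-patterns, role-names); role-names is None when there is no <auth-constraint>
    constraints: List[Tuple[List[str], Optional[List[str]]]]


def parse_web_xml(text: str) -> WebXml:
    """Pull out what the authorization decision needs from a web.xml document."""
    root = ET.fromstring(text)
    declared = frozenset(
        e.text.strip() for e in root.findall("j:security-role/j:role-name", NS))
    constraints = []
    for sc in root.findall("j:security-constraint", NS):
        patterns = [p.text.strip()
                    for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        ac = sc.find("j:auth-constraint", NS)
        roles = None if ac is None else [r.text.strip() for r in ac.findall("j:role-name", NS)]
        constraints.append((patterns, roles))
    return WebXml(declared, constraints)


def pattern_matches(pattern: str, path: str) -> bool:
    """Just enough of the servlet URL-pattern rules: path-prefix ("/x/*") and exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def is_user_in_role(web: WebXml, user: Principal, role: str, honor_wildcard: bool = True) -> bool:
    """Section 13.3: "**" means 'any authenticated user' unless the app declared that role."""
    if honor_wildcard and role == "**" and "**" not in web.declared_roles:
        return user.name is not None          # getRemoteUser()/getUserPrincipal() non-null
    return role in user.roles                 # otherwise an ordinary membership check


def authorize(web: WebXml, user: Principal, path: str, honor_wildcard: bool = True) -> int:
    """Return the HTTP status (200, 401 or 403) the constraints yield for this request."""
    for patterns, roles in web.constraints:
        if roles is None or not any(pattern_matches(p, path) for p in patterns):
            continue                          # no auth-constraint, or pattern does not apply
        if not roles:
            return 403                        # empty <auth-constraint/> denies everyone
        if user.name is None:
            return 401                        # container must challenge before checking roles
        if not any(is_user_in_role(web, user, r, honor_wildcard) for r in roles):
            return 403
    return 200


# Constructed, reduced copies of the two web.xml files from the report.
UNDECLARED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

DECLARED = UNDECLARED.replace(
    "</web-app>",
    "  <security-role><role-name>**</role-name></security-role>\n</web-app>")


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"user"}))   # authenticated, but no "**" role
    for label, xml in (("no security-role", UNDECLARED), ("'**' declared", DECLARED)):
        web = parse_web_xml(xml)
        print(f"{label:18} spec: {authorize(web, alice, '/index.html')}"
              f"  as-plain-role: {authorize(web, alice, '/index.html', honor_wildcard=False)}")
```

With the first web.xml the spec model answers 200 for any authenticated user and 401 for an anonymous one, while the plain-role path answers 403, which is the discrepancy the report describes. With the second web.xml, where "**" is declared as a security-role, both paths agree: only a user who actually carries the "**" role is admitted.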
