[jboss-jira] [JBoss JIRA] (WFLY-6809) Web authentication not treating "**" role constraint as expected
Guillermo González de Agüero (JIRA)
issues at jboss.org
Tue Jul 12 14:30:00 EDT 2016
[ https://issues.jboss.org/browse/WFLY-6809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13264414#comment-13264414 ]
Guillermo González de Agüero commented on WFLY-6809:
----------------------------------------------------
I read somewhere that the "**" role was a coordinated effort from the Servlet, EJB and JACC specs.
Check section 3.1.3.2 of the JACC spec (http://download.oracle.com/otndocs/jcp/jacc-1_5-mrel3-eval-spec/):
??A WebResourcePermission must be added to the corresponding role for each distinct combination in the cross-product of url-pattern and role-name occurring in the security-constraint elements that contain an auth-constraint naming roles. If the “any authenticated user” role-name, “**”, occurs in an auth-constraint, a WebResourcePermission must also be added to the “**” role. When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application; which must not include the role “**” unless the application has defined an application role named “**”.??
As a side note, Payara/GlassFish behaves the way I mentioned. Don't know about other containers.
> Web authentication not treating "**" role constraint as expected
> ----------------------------------------------------------------
>
> Key: WFLY-6809
> URL: https://issues.jboss.org/browse/WFLY-6809
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 10.0.0.Final
> Reporter: Guillermo González de Agüero
> Assignee: Stuart Douglas
> Attachments: rolestest.war
>
>
> Servlet spec 3.1 states at point 13.3:
> ??If the role-name of the security-role to be tested is “**”, and the application has NOT declared an application security-role with role-name “**”, isUserInRole must only return true if the user has been authenticated; that is, only when getRemoteUser and getUserPrincipal would both return a non-null value. Otherwise, the container must check the user for membership in the application role.??
> But Undertow treats the special role "**" as any other. With the following web.xml authorization succeeds, but authorization fails (403):
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
>          version="3.1">
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>**</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>     </login-config>
> </web-app>
> {code}
> With the following, and authenticating a user that has a role "**", the requested page is shown:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
>          version="3.1">
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>**</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>     </login-config>
>     <security-role>
>         <role-name>**</role-name>
>     </security-role>
> </web-app>
> {code}
> Reproducer war is attached.
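As an added illustration (not WildFly's or Undertow's code), a small Python model of the decision that the Servlet 13.3 and JACC 3.1.3.2 text quoted above requires when an auth-constraint names "**" or "*", run against a constructed web.xml that mirrors the report's two cases. It assumes a caller's roles are already known; URL-pattern matching is simplified to exact or "/*".

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

def parse_web_xml(text):
    """Return (declared role names, [(url_patterns, auth_roles or None), ...])."""
    root = ET.fromstring(text)
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    constraints = []
    for sc in root.findall("j:security-constraint", NS):
        patterns = [p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else [r.text.strip() for r in auth.findall("j:role-name", NS)]
        constraints.append((patterns, roles))
    return declared, constraints

def expected_decision(declared, auth_roles, authenticated, user_roles):
    """Spec-expected outcome ("allow", "401" or "403") for a resource guarded by auth_roles."""
    if auth_roles is None:
        return "allow"          # no auth-constraint: unrestricted
    if auth_roles == []:
        return "403"            # empty auth-constraint: nobody may access
    if not authenticated:
        return "401"            # container must challenge before any role check
    for role in auth_roles:
        if role == "**" and "**" not in declared:
            return "allow"      # undeclared "**": any authenticated user (Servlet 13.3)
        if role == "*" and user_roles & declared:
            return "allow"      # "*": every declared role; "**" only if declared (JACC 3.1.3.2)
        if role in user_roles:
            return "allow"      # ordinary membership, which is how a declared "**" behaves
    return "403"

def decide(web_xml, path, authenticated, user_roles=()):
    """Apply the first matching constraint; matching is simplified to exact or "/*"."""
    declared, constraints = parse_web_xml(web_xml)
    for patterns, roles in constraints:
        if any(p == "/*" or p == path for p in patterns):
            return expected_decision(declared, roles, authenticated, set(user_roles))
    return "allow"

def sample_web_xml(declare_double_star):
    """Constructed web.xml mirroring the report: optionally declares a security-role "**"."""
    decl = "<security-role><role-name>**</role-name></security-role>" if declare_double_star else ""
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint><web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>**</role-name></auth-constraint></security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>{decl}</web-app>"""
```

The first case is the one the report says returns 403 in Undertow: with no declared "**" role, any authenticated caller should be allowed, whereas a container treating "**" as an ordinary role denies everyone who lacks a literal "**" membership.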
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)