[jboss-jira] [JBoss JIRA] (WFLY-6325) auth-constraint with role name ** does not work as specified

Stuart Douglas (JIRA) issues at jboss.org
Sun Mar 6 22:50:00 EST 2016


Stuart Douglas created WFLY-6325:
------------------------------------

             Summary: auth-constraint with role name ** does not work as specified
                 Key: WFLY-6325
                 URL: https://issues.jboss.org/browse/WFLY-6325
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
    Affects Versions: 10.0.0.Final
            Reporter: Harald Wellmann
            Assignee: Stuart Douglas


The following security constraint does not work as expected:

{code}
    <security-constraint>
        <display-name>secure resource</display-name>
        <web-resource-collection>
            <web-resource-name>welcome page</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>
{code}

According to Servlet Specification 3.1, section 13.8, any authenticated user should be able to access the secured resources, but all I get is a {{Forbidden}} error page.

Stepping through the code, I can see that {{ServletSecurityRoleHandler}} is processing a {{SingleConstraintMatch}} with {{emptyRoleSemantic == PERMIT}} and {{requiredRoles == [**]}}.

More likely, this should be {{emptyRoleSemantic == AUTHENTICATE}} and {{requiredRoles == []}}.
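The mapping the reporter expects, as an added Python model of the Servlet 3.1 section 13.8 rules (this is not WildFly or Undertow code; `ConstraintMatch`, `translate_auth_constraint` and `is_allowed` are hypothetical names standing in for the real classes): it shows why carrying `**` through as a literal required role yields Forbidden for every user, while `AUTHENTICATE` with an empty role set admits any authenticated caller and still rejects anonymous ones.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Optional

class EmptyRoleSemantic(Enum):
    PERMIT = "PERMIT"              # no <auth-constraint>: unrestricted
    DENY = "DENY"                  # empty <auth-constraint/>: nobody
    AUTHENTICATE = "AUTHENTICATE"  # <role-name>**</role-name>: any authenticated user

@dataclass(frozen=True)
class ConstraintMatch:
    """Hypothetical stand-in for Undertow's SingleConstraintMatch."""
    empty_role_semantic: EmptyRoleSemantic
    required_roles: FrozenSet[str]

def translate_auth_constraint(role_names: Optional[Iterable[str]],
                              declared_roles: FrozenSet[str]) -> ConstraintMatch:
    """Map an <auth-constraint> (None = element absent) to the
    (emptyRoleSemantic, requiredRoles) pair of Servlet 3.1, section 13.8."""
    if role_names is None:
        return ConstraintMatch(EmptyRoleSemantic.PERMIT, frozenset())
    names = set(role_names)
    if not names:
        return ConstraintMatch(EmptyRoleSemantic.DENY, frozenset())
    if "**" in names and "**" not in declared_roles:
        # "**" is special only when the deployment declares no role of that name.
        return ConstraintMatch(EmptyRoleSemantic.AUTHENTICATE, frozenset())
    if "*" in names:
        names = (names - {"*"}) | set(declared_roles)  # "*" = every declared role
    return ConstraintMatch(EmptyRoleSemantic.DENY, frozenset(names))

def is_allowed(match: ConstraintMatch, user: Optional[str],
               roles: FrozenSet[str]) -> bool:
    """Access decision for one request; user=None models an unauthenticated caller."""
    if match.required_roles:
        # A concrete role list is checked literally, whatever the empty-role semantic.
        return user is not None and bool(match.required_roles & roles)
    if match.empty_role_semantic is EmptyRoleSemantic.PERMIT:
        return True
    if match.empty_role_semantic is EmptyRoleSemantic.DENY:
        return False
    return user is not None  # AUTHENTICATE

# What the reporter observed: "**" carried through as a literal required role.
OBSERVED = ConstraintMatch(EmptyRoleSemantic.PERMIT, frozenset({"**"}))
# What the specification calls for (constructed deployment declaring only "user").
EXPECTED = translate_auth_constraint(["**"], declared_roles=frozenset({"user"}))
```

With `OBSERVED`, an authenticated user holding only the `user` role is refused because no principal carries a role literally named `**`; with `EXPECTED`, the same user is admitted and an unauthenticated request is not.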


