[jboss-jira] [JBoss JIRA] (WFLY-6318) auth-constraint with role name ** does not work as specified

Stuart Douglas (JIRA) issues at jboss.org
Wed Mar 16 20:03:00 EDT 2016


     [ https://issues.jboss.org/browse/WFLY-6318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Douglas resolved WFLY-6318.
----------------------------------
    Fix Version/s: 10.1.0.Final
       Resolution: Done


Resolved by Undertow 1.3.19.Final

> auth-constraint with role name ** does not work as specified
> ------------------------------------------------------------
>
>                 Key: WFLY-6318
>                 URL: https://issues.jboss.org/browse/WFLY-6318
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 10.0.0.Final
>            Reporter: Harald Wellmann
>            Assignee: Stuart Douglas
>             Fix For: 10.1.0.Final
>
>
> The following security constraint does not work as expected:
> {code}
>     <security-constraint>
>         <display-name>secure resource</display-name>
>         <web-resource-collection>
>             <web-resource-name>welcome page</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>**</role-name>
>         </auth-constraint>
>     </security-constraint>
> {code}
> According to Servlet Specification 3.1, section 13.8, any authenticated user should be able to access the secured resources, but all I get is a {{Forbidden}} error page.
> Stepping through the code, I can see that {{ServletSecurityRoleHandler}} is processing a {{SingleConstraintMatch}} with {{emptyRoleSemantic == PERMIT}} and {{requiredRoles == [**]}}.
> More likely, this should be {{emptyRoleSemantic == AUTHENTICATE}} and {{requiredRoles == []}}.
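
As an added example (not part of the original message and not WildFly or Undertow code), the sketch below finds the URL patterns in a `web.xml` that depend on the `**` role name and models the outcome the reporter expects from Servlet 3.1, section 13.8, so it can be compared with what a deployed server returns. The function names are hypothetical, the sample descriptor is constructed from the constraint in the report, and a 401 challenge for unauthenticated callers is an assumption (for example BASIC authentication).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the report wrapped in a minimal web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>welcome page</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(elem):
    """Element name without its XML namespace."""
    return elem.tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every element called `name` at or below `elem`."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e) == name]


def any_authenticated_patterns(web_xml_text):
    """URL patterns guarded by an auth-constraint that uses the ** role name."""
    patterns = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc) != "security-constraint":
            continue
        auth = [e for e in sc.iter() if _local(e) == "auth-constraint"]
        if any("**" in _texts(a, "role-name") for a in auth):
            patterns.extend(_texts(sc, "url-pattern"))
    return patterns


def expected_status(required_roles, authenticated, user_roles=()):
    """Status the Servlet 3.1 reading should give (the * shorthand is not modelled)."""
    if not required_roles:
        return 403  # auth-constraint with no role names: nobody is permitted
    if not authenticated:
        return 401  # assumption: the container challenges for credentials
    if "**" in required_roles:
        return 200  # any authenticated user, independent of role
    return 200 if set(required_roles) & set(user_roles) else 403
```

For each pattern returned, a request from an authenticated user with no roles should match `expected_status(["**"], True)`; a `Forbidden` response instead is the behaviour this issue reports against 10.0.0.Final.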


