  2. AS7-3282

HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 7.1.0.CR1b
    • Fix Version/s: 7.1.0.Final
    • Component/s: Web


      The change of the JBossWebRealm allRolesMode property from authOnly to strict leads to HTTP Basic authentication failures. Accessing HTTP Basic protected resources always returns a 403 Forbidden response when using the security-constraint configuration below, which worked well under JBoss AS4 and AS6.

      The security-constraint inside the web.xml is defined as follows (the surrounding security-constraint elements are restored here from the servlet web.xml structure; the url-pattern entries were not preserved in this copy of the report):

            <security-constraint>
                <web-resource-collection>
                    <web-resource-name>protected resources</web-resource-name>
                    <!-- url-pattern elements not preserved in this copy of the report -->
                </web-resource-collection>
                <auth-constraint>
                    <description>any role allowed</description>
                    <role-name>*</role-name>
                </auth-constraint>
            </security-constraint>

      Activating trace logging revealed the following message:

      13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost- hasRole:RealmBase says:false::Authz framework says:true:final=false

      In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm, which was configured in jbossweb.sar/server.xml and set to authOnly (= allow any authenticated user) by default.

      In AS7 the default of allRolesMode seems to be strict (= use the strict servlet spec interpretation, which requires that the user have one of the web-app/security-role/role-name values).

      The workaround of adding all security-roles to the web.xml, described in one of the forum references (https://community.jboss.org/message/617196#617196), is not a viable option for applications with a large number of dynamically changing roles.

      So please provide a configuration option for the allRolesMode property to allow for changes of the default behavior and ease the migration from earlier JBoss AS versions.
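      The following is an added illustration of the decision described in this report; it is not JBoss Web or Tomcat source code. It models how a container answers "does this authenticated user satisfy <role-name>*</role-name>?" under the two allRolesMode values the report names, and why the AS7 default yields a 403 for a web.xml that declares no <security-role> elements while the forum workaround only helps for roles that are declared up front. The names (WebApp, has_role, authorize) and the sample users and roles are constructed for the example; the third mode that the container also supports is deliberately left out because the report does not discuss it. Note that authOnly, as the report states, admits any authenticated principal regardless of its roles, so restoring it widens access compared with strict.

```python
"""Model of the allRolesMode decision for <role-name>*</role-name>.

Added illustration for this issue page, not JBoss Web / Tomcat code.
All names, users and roles below are constructed assumptions.
"""

from dataclasses import dataclass, field

# The two modes named in the report.
STRICT = "strict"        # AS7 default: '*' requires a declared <security-role>
AUTH_ONLY = "authOnly"   # AS6 default: '*' means any authenticated user


@dataclass
class WebApp:
    """The parts of web.xml that drive the decision (constructed model)."""
    # <auth-constraint><role-name>...</role-name></auth-constraint>
    constraint_roles: list
    # <security-role><role-name>...</role-name></security-role> declarations
    declared_roles: set = field(default_factory=set)


def has_role(user_roles, webapp, all_roles_mode):
    """Return True if an authenticated user holding `user_roles` passes the
    auth-constraint of `webapp` under the given allRolesMode.

    A constraint naming '*' is the interesting case:
      authOnly -> being authenticated is enough, roles are not consulted
      strict   -> the user must hold at least one role the web app declares
                  via <security-role> (the strict servlet spec reading)
    A constraint naming concrete roles requires one of them in either mode.
    """
    user_roles = set(user_roles)
    if "*" in webapp.constraint_roles:
        if all_roles_mode == AUTH_ONLY:
            return True
        if all_roles_mode == STRICT:
            return bool(user_roles & webapp.declared_roles)
        raise ValueError(f"unknown allRolesMode: {all_roles_mode}")
    return bool(user_roles & set(webapp.constraint_roles))


def authorize(user_roles, webapp, all_roles_mode):
    """Map the role check onto the status the report observed: 200 or 403."""
    return 200 if has_role(user_roles, webapp, all_roles_mode) else 403


# The report's web.xml: auth-constraint is '*' and no <security-role> is
# declared, the AS4/AS6 style that relied on the authOnly default.
LEGACY_APP = WebApp(constraint_roles=["*"])

# The forum workaround: declare every role the application uses.
WORKAROUND_APP = WebApp(constraint_roles=["*"],
                        declared_roles={"admin", "user", "auditor"})

# Constructed principals: a logged-in user with one ordinary role, and one
# holding a role created after deployment (not in any <security-role>).
AUTHENTICATED_USER = {"user"}
NEW_ROLE_USER = {"newly-created-role"}


def demo():
    """Run the four scenarios the report implies and return their statuses."""
    return {
        "AS6 default (authOnly), legacy web.xml":
            authorize(AUTHENTICATED_USER, LEGACY_APP, AUTH_ONLY),
        "AS7 default (strict), legacy web.xml":
            authorize(AUTHENTICATED_USER, LEGACY_APP, STRICT),
        "AS7 default (strict), roles declared":
            authorize(AUTHENTICATED_USER, WORKAROUND_APP, STRICT),
        "AS7 default (strict), undeclared role":
            authorize(NEW_ROLE_USER, WORKAROUND_APP, STRICT),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

      The second scenario reproduces the report's 403: the realm's strict check fails for '*' because the web.xml declares no security-role, and the final decision follows the realm. The fourth scenario shows the limit of the workaround for the dynamically changing roles the reporter mentions: a role that is not declared in web.xml is still rejected under strict.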

              • Assignee: Remy Maucherat (rmaucher)
              • Reporter: Robert Reimann (r.reimann)
              • Votes: 0
              • Watchers: 3

