In some cases I wish to do authentication without authorisation. For example everybody has access to my web-resource, but I want to know who she/he is.
Therefore the accessing user must login.

So my web.xml contains the following snippet:
...
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Helloworld example</web-resource-name>
<description/>
<url-pattern>/servlet/HelloWorldExample</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>public</realm-name>
</login-config>
...

The web app runs with this configuration in Tomcat 5.5.8 standalone but not in Jboss.
To run it in Jboss I have to add the following element:

<security-role>
<role-name>aRole</role-name>
</security-role>

The JACC spec (section 3.1.3.1, paragraph 3)states :
" ?. When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application."

JBoss implemented this by combining all of the patterns with all roles defined in the web.xml and assumes that each role has to be defined in the web.xml.

But the web applications roles are probably defined in other files than the web.xml. In our case we use JACC with an external authentication provider. And each time, the roles changes, I also would have to modify the web.xml.

It is desirable if the auth-contraint with the role-name "*" acceppts "all" roles and not only those that are defined in the web.xml.

Or is this a JACC spec issue?

Regards,
Andrea