  1. Application Server 3 4 5 and 6
  2. JBAS-2926

Restore the authentication only semantics of the "*" role-name


      Tomcat 5.5.16 has implemented a strict semantic of the role-name=* behavior that requires one or more valid roles in order for access to be permitted. There is no notion of authentication-only security constraints. We should add a jboss-web.xml flag:

      <jboss-web>
      <security-domain authenticationOnlyAllRolesMode="true">...</security-domain>
      ...

      authenticationOnlyAllRolesMode = true if the all roles role-name of "*" is specified, and any authenticated user should be allowed access. A false setting defaults to restricting the allowed roles to those specified via security-role/role-name values. The Tomcat service should also have an equivalent flag to set the default behavior for all web apps.

              starksm64 Scott Stark (Inactive)
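
The two readings of the "*" role-name described in the issue, modelled side by side as an added Java example; it is not part of the original issue and is not Tomcat or JBoss source. The class, the `permitted` method and the sample roles are hypothetical; the point to notice is that the flag lets through an authenticated principal holding no declared role.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;

public class AllRolesModeDemo {

    // Hypothetical model of the check described in the issue; not Tomcat or JBoss source.
    static boolean permitted(Set<String> userRoles,        // null = not authenticated
                             Set<String> constraintRoles,  // role-name values of the auth-constraint
                             Set<String> declaredRoles,    // security-role/role-name values
                             boolean authenticationOnlyAllRolesMode) {
        if (userRoles == null) {
            return false;                                  // both modes require authentication
        }
        Set<String> allowed = constraintRoles;
        if (constraintRoles.contains("*")) {
            if (authenticationOnlyAllRolesMode) {
                return true;                               // flag set: any authenticated user passes
            }
            allowed = declaredRoles;                       // strict: "*" means the declared roles
        }
        return userRoles.stream().anyMatch(allowed::contains);
    }

    public static void main(String[] args) {
        Set<String> constraint = Set.of("*");
        Set<String> declared = Set.of("admin", "user");    // constructed sample values
        // Constructed principals, one label per role set.
        String[] labels = {
            "anonymous", "authenticated, no roles",
            "role 'guest' (undeclared)", "role 'user' (declared)"
        };
        List<Set<String>> roles = Arrays.<Set<String>>asList(
            null, Set.of(), Set.of("guest"), Set.of("user"));

        for (int i = 0; i < labels.length; i++) {
            System.out.printf("%-28s strict=%-5b authOnly=%b%n", labels[i],
                permitted(roles.get(i), constraint, declared, false),
                permitted(roles.get(i), constraint, declared, true));
        }
    }
}
```

The two middle principals are the ones whose access changes between modes, so those are the accounts to review before enabling the flag on an existing application.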