  1. Undertow
  2. UNDERTOW-655

auth-constraint with role name ** does not work as specified


      The following security constraint does not work as expected:

          <security-constraint>
              <display-name>secure resource</display-name>
              <web-resource-collection>
                  <web-resource-name>welcome page</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>**</role-name>
              </auth-constraint>
          </security-constraint>
      

      According to Servlet Specification 3.1, section 13.8, any authenticated user should be able to access the secured resources, but all I get is a Forbidden error page.

      Stepping through the code, I can see that ServletSecurityRoleHandler is processing a SingleConstraintMatch with emptyRoleSemantic == PERMIT and requiredRoles == [**].

      More likely, this should be emptyRoleSemantic == AUTHENTICATE and requiredRoles == [].

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              hwellmann.de Harald Wellmann (Inactive)
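The difference between the specified handling of `**` and the Forbidden result described in the report, as an added example (not Undertow's code and not part of the original issue). The class, method and user names are hypothetical, and `literal` is only a simplified model of comparing `**` as an ordinary role name.

```java
import java.util.Set;

public class AnyAuthenticatedUserDemo {
    enum Decision { PERMIT, FORBIDDEN, AUTHENTICATION_REQUIRED }

    /** Specified evaluation of an auth-constraint that is present on the matched constraint. */
    static Decision specified(Set<String> roleNames, Set<String> declaredRoles,
                              boolean authenticated, Set<String> userRoles) {
        if (roleNames.isEmpty()) {
            return Decision.FORBIDDEN;               // auth-constraint naming no roles: no access
        }
        if (!authenticated) {
            return Decision.AUTHENTICATION_REQUIRED; // caller must log in first
        }
        if (roleNames.contains("**")) {
            return Decision.PERMIT;                  // "**": any authenticated user, role-independent
        }
        for (String name : roleNames) {
            if (name.equals("*")) {                  // "*": any role declared by the application
                for (String declared : declaredRoles) {
                    if (userRoles.contains(declared)) return Decision.PERMIT;
                }
            } else if (userRoles.contains(name)) {
                return Decision.PERMIT;
            }
        }
        return Decision.FORBIDDEN;
    }

    /** Simplified model of the reported outcome: "**" compared as an ordinary role name. */
    static Decision literal(Set<String> roleNames, boolean authenticated, Set<String> userRoles) {
        if (!authenticated) return Decision.AUTHENTICATION_REQUIRED;
        for (String name : roleNames) {
            if (userRoles.contains(name)) return Decision.PERMIT;
        }
        return Decision.FORBIDDEN;
    }

    public static void main(String[] args) {
        Set<String> constraint = Set.of("**");          // role name from the descriptor in the report
        Set<String> declared = Set.of("admin", "user"); // constructed sample security roles
        Set<String> alice = Set.of("user");             // constructed user holding one role
        Set<String> bob = Set.of();                     // constructed user holding no roles
        System.out.println("literal,   alice: " + literal(constraint, true, alice));
        System.out.println("specified, alice: " + specified(constraint, declared, true, alice));
        System.out.println("specified, bob:   " + specified(constraint, declared, true, bob));
        System.out.println("specified, anon:  " + specified(constraint, declared, false, bob));
    }
}
```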