Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: 8.0.0.Final
Affects Version/s: 8.0.0.CR1
Component/s: Security, Web (Undertow)
Labels:
- role
- roles
- security
- servlet

Description

When authentication has taken place in a web application such that HttpServletRequest#getUserPrincipal does not return null, testing for role '**' using HttpServletRequest#isUserInRole returns false.

This is not correct. According to Servlet 13.3:

If the role-name of the security-role to be tested is “**”, 
and the application has NOT declared an application security-role with 
role-name “**”, isUserInRole must only return true if the user has been
authenticated;

This is demonstrated by the following test:

https://github.com/arjantijms/javaee7-samples/blob/master/jacc/contexts/src/test/java/org/javaee7/jacc/contexts/SubjectFromPolicyContextTest.java#L76

Attachments

Activity

People

Assignee:: Stuart Douglas

Reporter:: Arjan Tijms (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2014/01/31 4:52 PM

Updated:: 2017/12/06 11:40 AM

Resolved:: 2014/02/13 9:45 PM