Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-2854

'**' role incorrectly returns false from isUserInRole when user is authenticated

    XMLWordPrintable

Details

    Description

      When authentication has taken place in a web application such that HttpServletRequest#getUserPrincipal does not return null, testing for role '**' using HttpServletRequest#isUserInRole returns false.

      This is not correct. According to Servlet 13.3:

      If the role-name of the security-role to be tested is “**”, 
      and the application has NOT declared an application security-role with 
      role-name “**”, isUserInRole must only return true if the user has been
      authenticated;
      

      This is demonstrated by the following test:

      https://github.com/arjantijms/javaee7-samples/blob/master/jacc/contexts/src/test/java/org/javaee7/jacc/contexts/SubjectFromPolicyContextTest.java#L76

      Attachments

        Activity

          People

            sdouglas1@redhat.com Stuart Douglas
            arjan.tijms@gmail.com Arjan Tijms
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: