Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 10.1.0.CR1, 10.1.0.Final
Affects Version/s: 10.0.0.Final
Component/s: Web (Undertow)
Labels:
None

The following security constraint does not work as expected:

    <security-constraint>
        <display-name>secure resource</display-name>
        <web-resource-collection>
            <web-resource-name>welcome page</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>

According to Servlet Specification 3.1, section 13.8, any authenticated user should be able to access the secured resources, but all I get is a Forbidden error page.

Stepping through the code, I can see that ServletSecurityRoleHandler is processing a SingleConstraintMatch with emptyRoleSemantic == PERMIT and requiredRoles == [**].

More likely, this should be emptyRoleSemantic == AUTHENTICATE and requiredRoles == [].

is cloned by

UNDERTOW-655 auth-constraint with role name ** does not work as specified

Resolved

Assignee:: Stuart Douglas (Inactive)

Reporter:: Harald Wellmann (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2016/03/04 3:45 AM

Updated:: 2017/12/06 11:34 AM

Resolved:: 2016/03/16 8:02 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide