WildFly / WFLY-6318

auth-constraint with role name ** does not work as specified


      The following security constraint does not work as expected:

          <security-constraint>
              <display-name>secure resource</display-name>
              <web-resource-collection>
                  <web-resource-name>welcome page</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>**</role-name>
              </auth-constraint>
          </security-constraint>
      

      According to Servlet Specification 3.1, section 13.8, any authenticated user should be able to access the secured resources, but all I get is a Forbidden error page.

      Stepping through the code, I can see that ServletSecurityRoleHandler is processing a SingleConstraintMatch with emptyRoleSemantic == PERMIT and requiredRoles == [**].

      More likely, this should be emptyRoleSemantic == AUTHENTICATE and requiredRoles == [].

            sdouglas1@redhat.com Stuart Douglas
            hwellmann.de Harald Wellmann (Inactive)
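
The role-name handling that Servlet 3.1 section 13.8 describes, shown next to a literal comparison of `**` that yields the Forbidden result reported above. This is an added example, not code from Undertow, WildFly or the reporter; the class, enum and method names are hypothetical, the literal comparison is an assumed model of the symptom, and the sample roles are constructed.

```java
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Added illustration with hypothetical names; this is not Undertow or WildFly code.
public class AuthConstraintDemo {
    enum Decision { PERMIT, DENY, AUTHENTICATE }

    // Section 13.8 semantics for the role names of one auth-constraint.
    static Decision decide(List<String> constraintRoles, Set<String> declaredRoles,
                           boolean authenticated, Set<String> callerRoles) {
        // An auth-constraint that names no roles permits nobody.
        if (constraintRoles.isEmpty()) return Decision.DENY;
        // Any other auth-constraint needs an authenticated caller first.
        if (!authenticated) return Decision.AUTHENTICATE;
        for (String role : constraintRoles) {
            // "**": any authenticated user, independent of role.
            if (role.equals("**")) return Decision.PERMIT;
            if (role.equals("*")) {
                // "*": shorthand for every role declared in the deployment descriptor.
                if (!Collections.disjoint(declaredRoles, callerRoles)) return Decision.PERMIT;
            } else if (callerRoles.contains(role)) {
                return Decision.PERMIT;
            }
        }
        return Decision.DENY;
    }

    // Assumed model of the reported symptom: "**" compared like an ordinary role name.
    static Decision decideLiteral(List<String> constraintRoles, boolean authenticated,
                                  Set<String> callerRoles) {
        if (constraintRoles.isEmpty()) return Decision.DENY;
        if (!authenticated) return Decision.AUTHENTICATE;
        return Collections.disjoint(constraintRoles, callerRoles) ? Decision.DENY : Decision.PERMIT;
    }

    public static void main(String[] args) {
        // Constructed sample data: roles declared by the application and one caller.
        Set<String> declared = Set.of("admin", "user");
        Set<String> caller = Set.of("user");
        List<String> anyAuthenticated = List.of("**");

        System.out.println("spec, ** with role:     " + decide(anyAuthenticated, declared, true, caller));
        System.out.println("spec, ** without roles: " + decide(anyAuthenticated, declared, true, Set.of()));
        System.out.println("spec, ** anonymous:     " + decide(anyAuthenticated, declared, false, Set.of()));
        System.out.println("spec, * without roles:  " + decide(List.of("*"), declared, true, Set.of()));
        System.out.println("literal, ** with role:  " + decideLiteral(anyAuthenticated, true, caller));
    }
}
```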