-
Bug
-
Resolution: Done
-
Major
-
10.0.0.Final
-
None
The following security constraint does not work as expected:
<security-constraint> <display-name>secure resource</display-name> <web-resource-collection> <web-resource-name>welcome page</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>**</role-name> </auth-constraint> </security-constraint>
According to Servlet Specification 3.1, section 13.8, any authenticated user should be able to access the secured resources, but all I get is a Forbidden error page.
Stepping through the code, I can see that ServletSecurityRoleHandler is processing a SingleConstraintMatch with emptyRoleSemantic == PERMIT and requiredRoles == [**].
More likely, this should be emptyRoleSemantic == AUTHENTICATE and requiredRoles == [].
- is cloned by
-
UNDERTOW-655 auth-constraint with role name ** does not work as specified
- Resolved