Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-6809

Web authentication not treating "**" role constraint as expected

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 10.1.0.Final
    • 10.0.0.Final
    • Web (Undertow)
    • None
    • Compatibility/Configuration

      Servlet spec 3.1 states at point 13.3:

      If the role-name of the security-role to be tested is “*”, and the application has NOT declared an application security-role with role-name “*”, isUserInRole must only return true if the user has been authenticated; that is, only when getRemoteUser and getUserPrincipal would both return a non-null value. Otherwise, the container must check the user for membership in the application role.

      But Undertow treats the special role "**" as any other. With the following web.xml authorization succeeds, but authorization fails (403):

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
               version="3.1">
          <security-constraint>
              <web-resource-collection>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>**</role-name>
              </auth-constraint>
          </security-constraint>
      
          <login-config>
              <auth-method>BASIC</auth-method>
          </login-config>
      </web-app>
      

      With the following, and authenticating a user that has a role "**", the requested page is shown:

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
               version="3.1">
          <security-constraint>
              <web-resource-collection>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>**</role-name>
              </auth-constraint>
          </security-constraint>
      
          <login-config>
              <auth-method>BASIC</auth-method>
          </login-config>
      
          <security-role>
              <role-name>**</role-name>
          </security-role>
      </web-app>
      

      Reproducer war is attached.

        1. rolestest.war
          3 kB
          Guillermo González de Agüero

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              ggam_jira Guillermo González de Agüero (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: