Bug 1022240

Summary: setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: Web
Assignee: Rémy Maucherat <rmaucher>
Status: CLOSED CURRENTRELEASE
QA Contact: Michael Cada <mcada>
Severity: unspecified
Priority: unspecified
Version: 6.1.1
CC: lixuhua, pslavice
Target Milestone: DR1
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Derek Horton 2013-10-22 19:45:52 UTC
Description of problem:

I am trying to get only authentication (no authorization) to work for a web application.

In EAP 5, all that was required was to set the <role-name> to a '*' in
the <security-constraint> of the web.xml.  I tried this in EAP 6,
however, it did not work.

I then found the <jacc-star-role-allow> setting that goes in the
jboss-web.xml.  Unfortunately, adding this option did not cause the
wildcard ('*') role-name to work for allowing any authenticated user 
to access the web application.

Using the following system property does appear to work:
org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly

How reproducible:
Every time.


Steps to Reproduce:
1.  Set <role-name>*</role-name> in the security-constraint
2.  Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
3.  Set the security-domain so that no roles are assigned to a user
4.  Attempt to access the web app

Actual results:
403 - access denied

Expected results:
200 - access allowed

Additional info:

Workaround - set the following system property:
org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
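
The reporter's steps 1 to 3 and the workaround, written out as the descriptor fragments a practitioner would actually put in place. This is an added illustration, not text from the bug report or from EAP's own test cases; the web-resource name, the URL pattern, the BASIC auth method and the security-domain name "other" are assumptions. The fragments belong to three different files and are shown together only for reading.

```xml
<!-- WEB-INF/web.xml (step 1): the wildcard role in the security constraint -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>  <!-- assumed name -->
    <url-pattern>/*</url-pattern>                               <!-- assumed pattern -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Intent: any authenticated user. Per comment 1 below, in EAP 6 "*" means
         "any role declared in web.xml"; with no <security-role> declared and no
         roles assigned by the security domain (step 3), the request gets a 403. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>   <!-- assumed; the bug is independent of the auth method used here -->
</login-config>

<!-- WEB-INF/jboss-web.xml (step 2): the flag this bug is about -->
<jboss-web>
  <security-domain>other</security-domain>          <!-- assumed domain name -->
  <jacc-star-role-allow>true</jacc-star-role-allow>  <!-- no effect in the affected versions -->
</jboss-web>

<!-- standalone.xml, directly under <server> (the reporter's workaround).
     Equivalent to passing -Dorg.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
     on the JVM command line. -->
<system-properties>
  <property name="org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE" value="authOnly"/>
</system-properties>
```

Caveat before adopting the workaround: the system property is read by the RealmBase class, so it is JVM-wide and changes what "*" means for every web application deployed on that server, not only the one that wants authentication-only access. An application that relied on "*" being limited to its declared roles becomes reachable by any authenticated principal. Verify after the change with an authenticated request that previously returned 403 (expecting 200) and with an unauthenticated request (still expecting 401), and re-check the other deployments on the same instance.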

Comment 1 Rémy Maucherat 2013-10-23 08:00:39 UTC
I don't know precisely what to do with the jacc-star-role-allow flag; its use was never very clear. Can you pass this to the security folks?

For the new * behavior, the specification was clarified: it no longer means "anything", but any role in web.xml.

Comment 2 JBoss JIRA Server 2014-04-14 20:59:43 UTC
Stuart Douglas <stuart.w.douglas> updated the status of jira WFLY-2358 to Resolved

Comment 3 James 2014-05-07 06:11:24 UTC
Hi,
I have the same problem on EAP 6.1.1 and had to follow the workaround to make it work. Is this really a bug on EAP 6.1.1?

Comment 4 Martin Velas 2014-07-31 09:43:28 UTC
The issue is still valid for EAP 6.3.0.ER10.

Comment 5 Kabir Khan 2014-08-28 21:28:59 UTC
PR https://github.com/jbossas/jboss-eap/pull/1630

Comment 6 Martin Velas 2014-09-30 15:18:19 UTC
Verified for EAP 6.4.0.DR3.