Description of problem:
I am trying to get only authentication (no authorization) to work for a web application. In EAP 5, all that was required was to set the <role-name> to a '*' in the <security-constraint> of the web.xml. I tried this in EAP 6; however, it did not work. I then found the <jacc-star-role-allow> setting that goes in the jboss-web.xml. Unfortunately, adding this option did not cause the wildcard ('*') role-name to work for allowing any authenticated user to access the web application. Using the following system property does appear to work:

org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly

How reproducible:
Every time.

Steps to Reproduce:
1. Set <role-name>*</role-name> in the security-constraint
2. Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
3. Set the security-domain so that no roles are assigned to a user
4. Attempt to access the web app

Actual results:
403 - access denied

Expected results:
200 - access allowed

Additional info:
Workaround - set the following system property:
org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE=authOnly
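The reproduction setup from the description, written out as an added example (it is not an attachment from this bug report); the URL pattern, realm name and security-domain name are assumptions, and the system-properties fragment shows where the workaround from the report goes in standalone.xml:

```xml
<!-- web.xml (added example, not from the report): every authenticated
     user should reach /secure/* without holding any specific role -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>   <!-- assumed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <!-- '*': in EAP 5 this meant "any authenticated user"; under the
           clarified Servlet spec it means "any role declared in web.xml",
           so a user who authenticates but holds no role gets 403 -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example</realm-name>        <!-- assumed realm name -->
  </login-config>
</web-app>

<!-- jboss-web.xml: a security domain that authenticates users but assigns
     them no roles (domain name assumed), plus the flag from step 2 of the
     report, which on its own does not restore the EAP 5 behaviour -->
<jboss-web>
  <security-domain>auth-only-domain</security-domain>
  <jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>

<!-- standalone.xml: the workaround from the report, set server-wide;
     it applies to every deployment on the instance, not just this one -->
<system-properties>
  <property name="org.apache.catalina.realm.RealmBase.ALL_ROLES_MODE" value="authOnly"/>
</system-properties>
```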
I don't know precisely what to do with the jacc-star-role-allow flag; its use was never very clear. Can you pass this to the security folks? For the new * behavior, the specification was clarified: it no longer means "anything", but any role in web.xml.
Stuart Douglas <stuart.w.douglas> updated the status of jira WFLY-2358 to Resolved
Hi, I have the same problem on EAP611; I had to follow the workaround to make it work. Is this really a bug on EAP611?
Issue is still valid for EAP 6.3.0.ER10.
PR https://github.com/jbossas/jboss-eap/pull/1630
Verified for EAP 6.4.0.DR3.