Bug 1022240 - setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to ...
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: DR1
: EAP 6.4.0
Assigned To: Rémy Maucherat
Radim Hatlapatka
Depends On:
  Show dependency treegraph
Reported: 2013-10-22 15:45 EDT by Derek Horton
Modified: 2017-10-09 20:07 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker WFLY-2358 Major Resolved setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly" 2017-07-24 13:11 EDT

  None (edit)
Description Derek Horton 2013-10-22 15:45:52 EDT
Description of problem:

I am trying to get only authentication (no authorization) to work for web application.

In EAP 5, all that was required was to set the <role-name> to a '*' in
the <security-constraint> of the web.xml.  I tried this in EAP 6,
however, it did not work.

I then found the <jacc-star-role-allow> setting that goes in the
jboss-web.xml.  Unfortunately, adding this option did not cause the
wildcard ('*') role-name to work for allowing any authenticated user 
to access the web application.

Using the following system property does appear to work:

How reproducible:

Steps to Reproduce:
1.  Set <role-name>*</role-name> in the security-contraint
2.  Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
3.  Set the security-domain so that no roles are assigned to a user
4.  Attempt to access the web app

Actual results:
403 - access denied

Expected results:
200 - access allowed

Additional info:

Workaround - set the following system property:
Comment 1 Rémy Maucherat 2013-10-23 04:00:39 EDT
I don't know precisely what to do with the jacc-star-role-allow flag, its use was never very clear. Can you pass this to the security folks ?

For the new * behavior, the specification was clarified, it no longer means "anything", but any role in web.xml.
Comment 2 JBoss JIRA Server 2014-04-14 16:59:43 EDT
Stuart Douglas <stuart.w.douglas@gmail.com> updated the status of jira WFLY-2358 to Resolved
Comment 3 James 2014-05-07 02:11:24 EDT
I have the same problem on EAP611, has to follow the workaround to make it work. Is this a realy bug on EAP611?
Comment 4 Martin Velas 2014-07-31 05:43:28 EDT
Issue is still valid for EAP 6.3.0.ER10.
Comment 5 Kabir Khan 2014-08-28 17:28:59 EDT
PR https://github.com/jbossas/jboss-eap/pull/1630
Comment 6 Martin Velas 2014-09-30 11:18:19 EDT
Verified for EAP 6.4.0.DR3.

Note You need to log in before you can comment on or make changes to this bug.