Red Hat Bugzilla – Bug 1022240
setting <jacc-star-role-allow> in jboss-web.xml does not set allRolesMode to "authOnly"
Last modified: 2017-10-09 20:07:25 EDT
Description of problem:
I am trying to get only authentication (no authorization) to work for web application.
In EAP 5, all that was required was to set the <role-name> to a '*' in
the <security-constraint> of the web.xml. I tried this in EAP 6,
however, it did not work.
I then found the <jacc-star-role-allow> setting that goes in the
jboss-web.xml. Unfortunately, adding this option did not cause the
wildcard ('*') role-name to work for allowing any authenticated user
to access the web application.
Using the following system property does appear to work:
Steps to Reproduce:
1. Set <role-name>*</role-name> in the security-constraint
2. Set <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml
3. Set the security-domain so that no roles are assigned to a user
4. Attempt to access the web app
403 - access denied
200 - access allowed
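The configuration behind steps 1 to 3, as an added illustration that is not part of the bug report; the /secure/* URL pattern, BASIC auth, the realm name and the security-domain name are assumptions:

```xml
<!-- web.xml (Servlet 3.0, as deployed on EAP 6) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated users only</web-resource-name>
      <url-pattern>/secure/*</url-pattern> <!-- assumed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Step 1: '*' meant "any authenticated user" in EAP 5; in EAP 6 it is
           resolved against the roles declared in web.xml, and none are declared
           here, so a user with no roles receives 403 -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>       <!-- assumed auth method -->
    <realm-name>example-realm</realm-name> <!-- assumed realm name -->
  </login-config>
</web-app>

<!-- jboss-web.xml -->
<jboss-web>
  <!-- Step 3: a domain that authenticates users but assigns them no roles
       (name is an assumption) -->
  <security-domain>no-roles-domain</security-domain>
  <!-- Step 2: the flag the report says does not switch '*' to authOnly -->
  <jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>
```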
Workaround - set the following system property:
I don't know precisely what to do with the jacc-star-role-allow flag; its use was never very clear. Can you pass this to the security folks?
For the new * behavior, the specification was clarified, it no longer means "anything", but any role in web.xml.
Stuart Douglas <firstname.lastname@example.org> updated the status of jira WFLY-2358 to Resolved
I have the same problem on EAP611, had to follow the workaround to make it work. Is this really a bug on EAP611?
Issue is still valid for EAP 6.3.0.ER10.
Verified for EAP 6.4.0.DR3.