When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are never checked, so users can be granted access without their roles being verified. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization decision is made exclusively by JBossAuthorizationEngine, without any input from JBoss Web. As a result, any valid (authenticated) user can access an application without being assigned the role required by the <security-constraint> element in the application's web.xml.
This flaw is resolved in EAP 6.0.0 GA.
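The condition described above is a single realm property, so it can be audited directly in the JBoss Web configuration. The following script is an added example, not part of this advisory or of JBoss itself: it parses a Tomcat-style server.xml or context.xml, walks every <Realm> element and reports those that set ignoreBaseDecision to true, together with the realm class and where in the file the realm is declared. The sample document embedded in the script is constructed for illustration; the className values use the page's two realm names with an assumed package prefix (org.jboss.web.tomcat.security), and the file locations it mentions are only typical, not taken from this page.

```python
"""Audit JBoss Web realm configuration for ignoreBaseDecision="true".

The advisory above states that a JBossWebRealm with ignoreBaseDecision set to
true lets any authenticated user bypass the web.xml role checks.  This added
example (not the project's code) flags every <Realm> carrying that setting so a
deployment can be reviewed before or after applying the vendor errata.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not copied from any real deployment.  The package prefix
# org.jboss.web.tomcat.security is assumed; the class names come from the text.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <Service name="jboss.web">
    <Engine name="jboss.web" defaultHost="localhost">
      <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
             allRolesMode="authOnly"
             ignoreBaseDecision="true"/>
      <Host name="localhost">
        <Context path="/legacy">
          <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
                 ignoreBaseDecision="True"/>
        </Context>
        <Context path="/safe">
          <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
                 ignoreBaseDecision="false"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def is_ignore_base_decision_enabled(value):
    """True when the attribute value reads as boolean true (whitespace and case tolerant)."""
    return value is not None and value.strip().lower() == "true"


def _label(elem):
    """Tag name plus the identifying attribute (path or name) when present, e.g. Context[/legacy]."""
    for attr in ("path", "name"):
        if elem.get(attr) is not None:
            return "%s[%s]" % (elem.tag, elem.get(attr))
    return elem.tag


def find_risky_realms(xml_text):
    """Return [(location, className), ...] for every <Realm> with ignoreBaseDecision="true".

    location is the chain of enclosing elements, so a realm declared at Engine
    level (affecting every web application) is distinguishable from one scoped
    to a single <Context>.
    """
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        if elem.tag == "Realm" and is_ignore_base_decision_enabled(elem.get("ignoreBaseDecision")):
            findings.append(("/".join(path), elem.get("className", "<className unset>")))
        here = path + [_label(elem)]
        for child in elem:
            walk(child, here)

    walk(root, [])
    return findings


def audit_file(filename):
    """Parse a configuration file from disk and return its findings."""
    with open(filename, "r", encoding="utf-8") as fh:
        return find_risky_realms(fh.read())


def main(argv):
    # With no arguments the constructed sample is audited; otherwise each path
    # given (typically a server.xml or a per-application context.xml) is read.
    sources = [(f, audit_file(f)) for f in argv[1:]] or [("<sample>", find_risky_realms(SAMPLE_SERVER_XML))]
    exit_code = 0
    for name, findings in sources:
        for location, realm_class in findings:
            exit_code = 1
            print("%s: Realm %s under %s sets ignoreBaseDecision=true; "
                  "JBoss Web role checks from web.xml are bypassed" % (name, realm_class, location))
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit at Engine level means every deployed application on that engine relies solely on JBossAuthorizationEngine for its web authorization decision; a hit inside a <Context> affects only that application. The script reports and does not rewrite configuration; the vendor remediation for this issue is the updated packages listed in the errata below.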
This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.1.2, via RHSA-2012:1013 https://rhn.redhat.com/errata/RHSA-2012-1013.html
This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.1.2, via RHSA-2012:1014 https://rhn.redhat.com/errata/RHSA-2012-1014.html
This issue has been addressed in the following products: JBEWP 5 for RHEL 4, JBEWP 5 for RHEL 5, JBEWP 5 for RHEL 6, via RHSA-2012:1027 https://rhn.redhat.com/errata/RHSA-2012-1027.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 5, JBEAP 5 for RHEL 6, via RHSA-2012:1026 https://rhn.redhat.com/errata/RHSA-2012-1026.html
This issue has been addressed in the following products: JBoss Enterprise BRMS Platform 5.3.0, via RHSA-2012:1028 https://rhn.redhat.com/errata/RHSA-2012-1028.html
This issue has been addressed in the following products: JBoss Enterprise SOA Platform 5.3.0, via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html
This issue has been addressed in the following products: JBoss Enterprise Portal Platform 5.2.2, via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html