1. Re: Interpretation of rolename with
starksm64 Mar 10, 2006 1:05 PM (in response to anil.saldhana)

This does not differ from the j2ee behavior; it's the strict interpretation of it. The problem with this behavior in the past is that you could not say, "only allow access to authenticated users".
I still don't see how 2.4/2.5mr servlet spec allow for this:
SRV.12.7.1 Combining Constraints
When a url-pattern and http-method pair occurs in multiple security constraints, the constraints (on the pattern and method) are defined by combining the individual constraints. The rules for combining constraints in which the same pattern and method occur are as follows:
The combination of authorization constraints that name roles or that imply roles via the name "*" shall yield the union of the role names in the individual constraints as permitted roles. A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.
The combination of user-data-constraints that apply to a common url-pattern and http-method shall yield the union of connection types accepted by the individual constraints as acceptable connection types. A security constraint that does not contain a user-data-constraint shall combine with other user-data-constraints to cause the unprotected connection type to be an accepted connection type.
I view this as a problem with the spec. I brought this up in the jacc eg. I guess it needs to be brought up in the servlet spec to get it clarified. In the meantime the question is how we allow for authentication only access in jboss.

2. Re: Interpretation of rolename with
anil.saldhana Mar 10, 2006 2:02 PM (in response to anil.saldhana)

"scott.stark@jboss.org" wrote:
This does not differ from the j2ee behavior; it's the strict interpretation of it. The problem with this behavior in the past is that you could not say, "only allow access to authenticated users".
The strictness is certainly a diff in behavior with other j2ee specs.
For the 4.0.4GA, what should we do is the question?
Was there any clarification from the JACC Exec on this?

3. Re: Interpretation of rolename with
starksm64 Mar 13, 2006 12:00 AM (in response to anil.saldhana)

No clarification. The only way to restore the authentication only behavior is to override the RealmBase.hasResourcePermission to recheck for an all roles specification with no roles specified in addition to some jboss-web.xml setting.
http://jira.jboss.com/jira/browse/JBAS-2926
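As an added illustration, not code from this thread or from JBoss, the following Python model applies the SRV.12.7.1 combining rules quoted above, reads "*" strictly as the roles declared in web.xml (the behavior the replies describe), and uses an `auth_only_override` flag as a stand-in for the RealmBase.hasResourcePermission override Scott mentions; all role names and constraints are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

ALL = "*"  # the special role-name that "implies roles" in SRV.12.7.1
RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}  # transport-guarantee strength

@dataclass(frozen=True)
class Constraint:
    """One <security-constraint> for a url-pattern/http-method pair. roles=None models
    a missing <auth-constraint>; frozenset() models an empty one that names no roles."""
    roles: Optional[FrozenSet[str]]
    transport: str = "NONE"  # a missing <user-data-constraint> accepts NONE

@dataclass(frozen=True)
class Combined:
    precluded: bool            # some constraint named no roles
    unauthenticated_ok: bool   # some constraint had no <auth-constraint>
    roles: FrozenSet[str]      # union of permitted roles
    star_used: bool            # some constraint relied on "*"
    min_transport: str         # weakest accepted connection type

def combine(constraints: Iterable[Constraint], declared_roles: FrozenSet[str]) -> Combined:
    """Combine constraints per SRV.12.7.1. Strict reading (assumed here): '*' expands
    to exactly the <security-role> names declared in web.xml."""
    cs = list(constraints)
    precluded = any(c.roles is not None and not c.roles for c in cs)
    unauth_ok = any(c.roles is None for c in cs)
    star_used = any(bool(c.roles) and ALL in c.roles for c in cs)
    roles: set = set()
    for c in cs:
        if c.roles:
            roles |= (declared_roles if ALL in c.roles else set()) | (c.roles - {ALL})
    weakest = min((c.transport for c in cs), key=RANK.get)
    return Combined(precluded, unauth_ok, frozenset(roles), star_used, weakest)

def permitted(c: Combined, authenticated: bool, user_roles: FrozenSet[str],
              connection: str = "NONE", auth_only_override: bool = False) -> bool:
    """Access decision. auth_only_override is a hypothetical stand-in for the
    hasResourcePermission override: a '*'-only constraint admits any authenticated user."""
    if c.precluded or RANK[connection] < RANK[c.min_transport]:
        return False
    if c.unauthenticated_ok:
        return True
    if not authenticated:
        return False
    if auth_only_override and c.star_used:
        return True
    return bool(c.roles & user_roles)
```

Under the strict reading an authenticated principal that holds none of the declared roles is denied by a "*" constraint; the override flag is the only path in this model that admits it.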