2 Replies Latest reply on Jan 6, 2012 10:10 AM by r.reimann

    HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)


      I'm experiencing migration issues while porting our application from AS6 to AS7 (7.1.0.CR1). While accessing HTTP Basic protected resources i always receive a 403 forbidden response.


      The security-constraint inside the web.xml is defined as follws:


                               <web-resource-name>protected resources</web-resource-name>
                               <description>any rolle allowed</description>


      Activating trace logging revealed the following message:

      13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost- hasRole:RealmBase says:false::Authz framework says:true:final=false


      In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.


      In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).


      I found no trace of JBossWebRealm in standalone.xml so i wonder if (and how) it is possible to configure the allRolesMode property in AS7 to restore the previous behavior.