2 Replies Latest reply on Jan 6, 2012 10:10 AM by r.reimann

HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

r.reimann Jan 6, 2012 8:43 AM

I'm experiencing migration issues while porting our application from AS6 to AS7 (7.1.0.CR1). While accessing HTTP Basic protected resources i always receive a 403 forbidden response.

The security-constraint inside the web.xml is defined as follws:

<security-constraint>
          <web-resource-collection>
                         <web-resource-name>protected resources</web-resource-name>
                         <url-pattern>/protected/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
                         <description>any rolle allowed</description>
                         <role-name>*</role-name>
          </auth-constraint>
</security-constraint>

Activating trace logging revealed the following message:

13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false

In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.

In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).

I found no trace of JBossWebRealm in standalone.xml so i wonder if (and how) it is possible to configure the allRolesMode property in AS7 to restore the previous behavior.

Regards

Robert

1. Re: HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

jaikiran Jan 6, 2012 8:50 AM (in response to r.reimann)

Last time I checked with the JBoss Web team http://community.jboss.org/message/617196#617196 they said it should be possible to add that configuration if there's enough interest/requirement to do so.
1 of 1 people found this helpful
Actions
2. Re: HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

r.reimann Jan 6, 2012 10:10 AM (in response to jaikiran)

Thank you for the quick reply...

I'm heavily interested in the possibillity to configure the allRolesMode since we've got multiple applications that are affected and our role names are'nt static. Our role names contain a version suffix since multiple versions of an application may be in production at the same time and the roles assigned to a user may differ for each version. Assigning a "strict" role would require us to change the role with each release which seems a repetitive and error-prone task for multiple applications.

Should i create a feature request in Jira or could you contact the JBoss Web team directly?
Actions

Go to original post