2 Replies Latest reply: Jan 6, 2012 10:10 AM by r.reimann RSS

    HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

    r.reimann Newbie

      I'm experiencing migration issues while porting our application from AS6 to AS7 (7.1.0.CR1). While accessing HTTP Basic protected resources i always receive a 403 forbidden response.

       

      The security-constraint inside the web.xml is defined as follws:

       

      <security-constraint>
                <web-resource-collection>
                               <web-resource-name>protected resources</web-resource-name>
                               <url-pattern>/protected/*</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                               <description>any rolle allowed</description>
                               <role-name>*</role-name>
                </auth-constraint>
      </security-constraint>
      

       

      Activating trace logging revealed the following message:

      13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
      

       

      In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.

       

      In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).

       

      I found no trace of JBossWebRealm in standalone.xml so i wonder if (and how) it is possible to configure the allRolesMode property in AS7 to restore the previous behavior.

       

      Regards

      Robert