-
1. Re: How to enforce webapp authentication but not authorization
jaysensharma Nov 6, 2015 2:23 PM (in response to eric.wittmann)
One easy way to achieve that is to use * (the wildcard character) to allow any authenticated user who belongs to any group.
Example:
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
-
2. Re: How to enforce webapp authentication but not authorization
eric.wittmann Nov 6, 2015 2:46 PM (in response to jaysensharma)
I actually tried that (I think it worked in older JBoss versions), but it doesn't seem to work with WildFly 9. Here is a test project:
https://github.com/EricWittmann/authenticated-webapp
authenticated-webapp/web.xml at master · EricWittmann/authenticated-webapp · GitHub
Steps to Reproduce:
- Clone and build the above project
- Install WildFly 9 (I tested with 9.0.2.Final)
- Add a user via add-user.sh; the user should have no roles.
- Deploy to WildFly 9
- Go to: http://localhost:8080/authtest
- Log in with user created in step #3
- FORBIDDEN!
-
3. Re: How to enforce webapp authentication but not authorization
jaysensharma Nov 6, 2015 3:12 PM (in response to eric.wittmann)
Thank you for sharing the code.
I will test it at my end. I just wanted to quickly check: in the web.xml, why do you still have the <role-name>user</role-name>?
authenticated-webapp/web.xml at master · EricWittmann/authenticated-webapp · GitHub
    <security-role>
        <role-name>user</role-name> <!-- Should this not also be * ? -->
    </security-role>
According to the Servlet 3.0 spec [17. security-constraint Element]:
The role-name used here must either correspond to the role-name of one of the security-role elements defined for this Web application, or be the specially reserved role-name "*" that is a compact syntax for indicating all roles in the web application. If both "*" and role names appear, the container interprets this as all roles. If no roles are defined, no user is allowed access to the portion of the Web application described by the containing security-constraint. The container matches role names case sensitively when determining access.
NOTE: I also see that your "jboss-web.xml" has no security-domain reference in it, so how will WildFly know which security realm the users have to be authenticated against?
-
4. Re: How to enforce webapp authentication but not authorization
eric.wittmann Nov 6, 2015 3:29 PM (in response to jaysensharma)
Looks like I forgot to remove the security-role when I was iterating on this. I removed it (and pushed the change to GitHub), but that didn't have an impact. I'm still getting the Forbidden response.
As for the jboss-web.xml: if no security domain is referenced, my understanding was that WF would default to the application domain. It does seem to be doing that, because I added another user with the role I was requiring and everything worked as expected.
Note that with "*" set as the auth-constraint, I'm not even challenged for credentials now. It's just a straight-up "Forbidden" response. Before, when I had an auth-constraint, I had to authenticate, but then (because my user didn't have the appropriate role) I was told Forbidden.
-
5. Re: How to enforce webapp authentication but not authorization
jaysensharma Nov 6, 2015 3:31 PM (in response to eric.wittmann)
Try the following:
Add a user as follows:
    $ ./add-user.sh -a testuser testuser@123
    Added user 'testuser' to file '/PATH/TO/wildfly-9.0.1.Final/standalone/configuration/application-users.properties'
    Added user 'testuser' to file '/PATH/TO/wildfly-9.0.1.Final/domain/configuration/application-users.properties'
See "jboss-web.xml":
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <context-root>authtest</context-root>
        <security-domain>java:/jaas/other</security-domain>
    </jboss-web>
web.xml
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
        <display-name>Demo Authenticated Web Application</display-name>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>authtest</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>*</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
        </login-config>
        <!-- "*" declared here as well as in the auth-constraint -->
        <security-role>
            <role-name>*</role-name>
        </security-role>
    </web-app>
Try the above config.
-
6. Re: How to enforce webapp authentication but not authorization
eric.wittmann Nov 6, 2015 3:35 PM (in response to jaysensharma)
Why didn't I think to add "*" as the security-role???
I am now filled with self-loathing.
That worked, thanks very much!
-
7. Re: How to enforce webapp authentication but not authorization
atijms Nov 7, 2015 11:05 AM (in response to eric.wittmann)
Note the difference between * (any role that's defined in web.xml) and ** (any authenticated user).
See https://weblogs.java.net/blog/swchan2/archive/2013/04/19/role-servlet-31-security-constraint
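As an added example that is not part of this thread or of the linked project, the following Python models the access decision described by the spec text quoted in reply 3 together with the * / ** distinction made in reply 7. The web.xml strings it evaluates are constructed, and the ** rule assumes the Servlet 3.1 meaning (the posted web.xml declares the 2.3 DTD, where ** is not defined).

```python
# Added example, not the thread's or the project's code: a model of the access
# decision a servlet container makes for one security-constraint, following the
# Servlet spec text quoted above. "**" uses the Servlet 3.1 meaning from the last
# reply; WildFly's behaviour for "*" declared as a security-role is not modelled.
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]      # ignore a javaee namespace, if present

def _role_names(el):
    return {r.text.strip() for r in el if _local(r.tag) == "role-name" and r.text}

def parse_web_xml(xml_text):
    """Return (declared security-roles, auth-constraint roles, has_auth_constraint)."""
    declared, wanted, has_auth = set(), set(), False
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "security-role":
            declared |= _role_names(el)
        elif _local(el.tag) == "auth-constraint":
            has_auth, wanted = True, wanted | _role_names(el)
    return declared, wanted, has_auth

def decide(xml_text, user_roles, authenticated=True):
    """'allow', 'forbidden' (logged in, wrong roles), 'unauthenticated' (container
    must challenge) or 'deny-all' (no role can ever match: refused, no challenge)."""
    declared, wanted, has_auth = parse_web_xml(xml_text)
    if not has_auth:
        return "allow"                 # no auth-constraint: resource is unprotected
    if "**" in wanted:                 # Servlet 3.1: any authenticated user
        return "allow" if authenticated else "unauthenticated"
    effective = set(wanted)
    if "*" in effective:               # compact syntax for all declared roles
        effective.discard("*")
        effective |= declared
    if not effective:
        return "deny-all"              # spec: no roles defined -> nobody allowed
    if not authenticated:
        return "unauthenticated"
    return "allow" if effective & set(user_roles) else "forbidden"

def build_web_xml(constraint_roles, declared_roles):
    """Constructed web.xml shaped like the thread's example (not the real file)."""
    auth = "".join(f"<role-name>{r}</role-name>" for r in constraint_roles)
    decl = "".join(f"<security-role><role-name>{r}</role-name></security-role>"
                   for r in declared_roles)
    return ("<web-app><security-constraint><web-resource-collection>"
            "<url-pattern>/*</url-pattern></web-resource-collection>"
            f"<auth-constraint>{auth}</auth-constraint></security-constraint>"
            f"<login-config><auth-method>BASIC</auth-method></login-config>{decl}</web-app>")
```

With "*" in the auth-constraint and only "user" declared, a role-less account gets "forbidden" after logging in; remove the security-role and the result becomes "deny-all", which is the no-challenge Forbidden described in reply 4, while "**" yields "allow" for any authenticated account.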
-
8. Re: How to enforce webapp authentication but not authorization
eric.wittmann Nov 9, 2015 8:39 AM (in response to atijms)
Aha, that is very interesting, thanks. I guess ** seems like more of what I want. I'll give that a try when I get a chance.
Thanks!