0 Replies Latest reply on Jun 20, 2014 1:43 AM by Chris Bitmead

    Is Wildfly 8.1 security broken?

    Chris Bitmead Newbie

      I'm trying to allow everything in my web app EXCEPT /admin/* to the "flatmate" role, and of course, everything in /admin/* to the admin role. So I've got the following in my web.xml.

       

      As I understand it, this should work, as it says here: http://www2.sys-con.com/itsg/virtualcd/java/archives/0704/mccay/index.html

       

      Because "Prefix matches take precedence over shorter prefix matches".

       

      So the /admin/* match should take precedence over the /* match.

       

      However if I login as someone with the "flatmate" role, but no admin role, they can get access to the /admin/ functions.

       

       

        <security-constraint>

          <web-resource-collection>

             <web-resource-name>admin-resources</web-resource-name>

             <description>Administrators</description>

             <url-pattern>/admin/*</url-pattern>

          </web-resource-collection>

          <auth-constraint>

             <description>These roles are allowed access</description>

             <role-name>admin</role-name>

          </auth-constraint>

        </security-constraint>

       

        <security-constraint>

          <web-resource-collection>

             <web-resource-name>common-resources</web-resource-name>

             <description>Common Resources</description>

             <url-pattern>/*</url-pattern>

          </web-resource-collection>

          <auth-constraint>

             <description>These roles are allowed access</description>

             <role-name>flatmate</role-name>

             <role-name>admin</role-name>

          </auth-constraint>

        </security-constraint>