One easy way to achieve that can be use * (wildcard character) to allow any authenticated user who belong to any group.
I actually tried that (I think it worked in older jboss versions). But it doesn't seem to work with Wildfly 9. Here is a test project:
Steps to Reproduce:
- Clone and build the above project
- Install Wildfly 9 (I tested with 9.0.2.Final)
- Add a user via add-user.sh - the user should have no roles.
- Deploy to Wildfly 9
- Go to: http://localhost:8080/authtest
- Log in with user created in step #3
thank you for sharing the code.
I will test it at my end. I just wanted to quickly check that in the web.xml why do you still have the <role-name>user</role-name> authenticated-webapp/web.xml at master · EricWittmann/authenticated-webapp · GitHub
<security-role> <role-name>user</role-name> <!-- Should not this also be * --> </security-role>
According to Servlet Spec 3.0 [17. security-constraint Element]
The role-name used here must either correspond to the role-name of one of the security-role elements defined for this Web application, or be the specially reserved role-name "*" that is a compact syntax for indicating all roles in the web application. If both "*" and role names appear, the container interprets this as all roles. If no roles are defined, no user is allowed access to the portion of the Web application described by the containing security-constraint. The container matches role names case sensitively when determining access.
NOTE: I also see that your "jboss-web.xml" has no security-domain referencing in it so how will WildFly know the users has to be authenticated against which security realm?
Looks like I forgot to remove the security-role when I was iterating on this. I removed it (and pushed the change to github) but that didn't have an impact. I'm still getting the Forbidden response.
As for the jboss-web.xml - if no security domain is referenced my understanding was that WF would default to the application domain. It does seem to be doing that, because I have added another user with the role I was requiring and everything worked as expected.
Note that with "*" set as the auth-constraint, I'm not even challenged for credentials now. It's just a straight-up "Forbidden" response now. Before, when I had an auth-constraint, I had to authenticate but (because my user didn't have the appropriate role) then I was told Forbidden.
Try the following:
Add a user as following:
$ ./add-user.sh -a testuser testuser@123 Added user 'testuser' to file '/PATH/TO/wildfly-9.0.1.Final/standalone/configuration/application-users.properties' Added user 'testuser' to file '/PATH/TO/wildfly-9.0.1.Final/domain/configuration/application-users.properties'
<?xml version="1.0" encoding="UTF-8"?> <jboss-web> <context-root>authtest</context-root> <security-domain>java:/jaas/other</security-domain> </jboss-web>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" > <web-app> <display-name>Demo Authenticated Web Application</display-name> <security-constraint> <web-resource-collection> <web-resource-name>authtest</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config> <security-role> <role-name>*</role-name> </security-role> </web-app>
Try the above config.
Why didn't I think to add "*" as the security-role???
I am now filled with self-loathing.
That worked, thanks very much!
Ah ha - that is very interesting, thanks. I guess ** seems like more of what I want. I'll give that a try when I get a chance.