I'm experiencing migration issues while porting our application from AS6 to AS7 (7.1.0.CR1). While accessing HTTP Basic protected resources I always receive a 403 Forbidden response.
The security-constraint inside the web.xml is defined as follows:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected resources</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>any role allowed</description>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
Activating trace logging revealed the following message:
13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.
In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).
I found no trace of JBossWebRealm in standalone.xml, so I wonder if (and how) it is possible to configure the allRolesMode property in AS7 to restore the previous behavior.
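To make the difference between the two allRolesMode settings concrete, here is an added example (not part of the original post or of JBoss Web) modelling how a realm resolves the `<role-name>*</role-name>` wildcard; the function names, the constants and the sample role sets are assumptions for illustration.

```python
# Minimal model of the allRolesMode wildcard semantics described above.
# Names and sample data are assumptions, not JBoss Web's own code.

AUTH_ONLY = "authOnly"  # AS6 default: '*' = any authenticated user
STRICT = "strict"       # AS7 default: '*' = any role declared in <security-role>


def has_role(user_roles, constraint_roles, declared_roles, mode=STRICT):
    """Return True if a user holding ``user_roles`` satisfies an
    <auth-constraint> whose <role-name> entries are ``constraint_roles``.

    ``declared_roles`` are the <security-role>/<role-name> entries of web.xml.
    An unauthenticated user is modelled as ``user_roles=None``.
    """
    if user_roles is None:
        return False  # not authenticated: denied under both modes
    user_roles = set(user_roles)
    for role in constraint_roles:
        if role != "*":
            if role in user_roles:
                return True  # explicit role name matched
            continue
        # The wildcard is where the two modes diverge.
        if mode == AUTH_ONLY:
            return True  # any authenticated user passes
        if mode == STRICT and user_roles & set(declared_roles):
            return True  # servlet-spec reading: one of the declared roles
    return False


def demo():
    """Constructed scenario: a version-suffixed role that web.xml never declares."""
    user = {"app-1.2"}
    return {
        "as6_authOnly": has_role(user, ["*"], [], AUTH_ONLY),
        "as7_strict_undeclared": has_role(user, ["*"], [], STRICT),
        "as7_strict_declared": has_role(user, ["*"], ["app-1.2"], STRICT),
    }


if __name__ == "__main__":
    print(demo())  # {'as6_authOnly': True, 'as7_strict_undeclared': False, 'as7_strict_declared': True}
```

The third case shows the strict-mode workaround: the wildcard only matches roles listed in `<security-role>`, so an undeclared role is rejected even though authentication succeeded, which is what the "Authz framework says:true:final=false" trace reflects.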
Thank you for the quick reply...
I'm heavily interested in the possibility to configure the allRolesMode since we've got multiple applications that are affected and our role names aren't static. Our role names contain a version suffix since multiple versions of an application may be in production at the same time and the roles assigned to a user may differ for each version. Assigning a "strict" role would require us to change the role with each release, which seems a repetitive and error-prone task for multiple applications.
Should I create a feature request in Jira or could you contact the JBoss Web team directly?