2 Replies Latest reply: Jan 6, 2012 10:10 AM by r.reimann RSS

HTTP Basic authentication fails due to changed JBossWebRealm defaults (AS6->AS7)

r.reimann Newbie

I'm experiencing migration issues while porting our application from AS6 to AS7 (7.1.0.CR1). While accessing HTTP Basic protected resources i always receive a 403 forbidden response.

 

The security-constraint inside the web.xml is defined as follws:

 

<security-constraint>
          <web-resource-collection>
                         <web-resource-name>protected resources</web-resource-name>
                         <url-pattern>/protected/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
                         <description>any rolle allowed</description>
                         <role-name>*</role-name>
          </auth-constraint>
</security-constraint>

 

Activating trace logging revealed the following message:

13:35:59,019 TRACE [org.jboss.as.web.security.JBossWebRealm] (http-localhost-127.0.0.1-8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false

 

In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.

 

In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).

 

I found no trace of JBossWebRealm in standalone.xml so i wonder if (and how) it is possible to configure the allRolesMode property in AS7 to restore the previous behavior.

 

Regards

Robert