Login/Register
Authentication without Role in web.xml in JBoss AS 7
Asked Answered
Solved authenticationrestful-authenticationweb.xmljboss7.x
G

2

10

For a RESTful enterprise application I need all calls to be authenticated, but I cannot provide a common group/rolt that all users of the system have. I authenticate and authorize over LDAP (which should not make a difference for this issue).

If I leave the elements commented out as in the web.xml below, I do not get any authentication at all. How can I have authentication without the need of a common role? Also, an empty auth-consraint does not work.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee       http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <!-- fpe: This one is necessary. -->
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Resteasy</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
<!--        <auth-constraint> -->
<!--            <role-name>*</role-name> -->
<!--        </auth-constraint> -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Login</realm-name>
    </login-config>
<!--    <security-role> -->
<!--        <role-name>the_common_role</role-name> -->
<!--    </security-role> -->
</web-app>
Gastrectomy answered 15/12, 2011 at 11:5 Comment(0)
G
9

Using the * properly does the trick:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee       http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <!-- fpe: This one is necessary. -->
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Resteasy</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Login</realm-name>
    </login-config>
    <security-role>
        <role-name>*</role-name>
    </security-role>
</web-app>
Gastrectomy answered 21/11, 2012 at 10:56 Comment(0)
W
0

You should use double asterisks (if you're using Servlet 4.0+):

<auth-constraint>
  <role-name>**</role-name>
</auth-constraint>

See: https://mcmap.net/q/698808/-security-constraint-in-web-xml-for-authenticated-users-without-role-memberships

Whittier answered 29/9, 2022 at 16:57 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.