Authentication without Role in web.xml in JBoss AS 7

Frank picture Frank · Dec 15, 2011 · Viewed 10k times · Source

For a RESTful enterprise application I need all calls to be authenticated, but I cannot provide a common group/rolt that all users of the system have. I authenticate and authorize over LDAP (which should not make a difference for this issue).

If I leave the elements commented out as in the web.xml below, I do not get any authentication at all. How can I have authentication without the need of a common role? Also, an empty auth-consraint does not work.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee       http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <!-- fpe: This one is necessary. -->
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Resteasy</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
<!--        <auth-constraint> -->
<!--            <role-name>*</role-name> -->
<!--        </auth-constraint> -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Login</realm-name>
    </login-config>
<!--    <security-role> -->
<!--        <role-name>the_common_role</role-name> -->
<!--    </security-role> -->
</web-app>

Answer

Frank picture Frank · Nov 21, 2012

Using the * properly does the trick:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee       http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <!-- fpe: This one is necessary. -->
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Resteasy</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Login</realm-name>
    </login-config>
    <security-role>
        <role-name>*</role-name>
    </security-role>
</web-app>