Security constraint in web.xml for authenticated users without role memberships

msaladin · Jan 11, 2012

I am quite desperate, because I think there must be an easy solution to my problem but I am searching - to no avail.

I am using a custom Realm in Glassfish 3.1.1. This custom realm (implements AppservPasswordLoginModuleInterface) takes a security token from the HTTPS request, validates the security token and then returns the user to Glassfish.

The problem is that the security token does not contain any groups, meaning that the method public String[] getGroupsList() of the custom realm returns an empty list (correctly, because there are no roles in the security token).

That said, I would like to have a security constraint that only validated users can login. I know that I can use the following constraint in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>mywebapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
  </auth-constraint>
</security-constraint>

But because I don't have any groups, I cannot map any groups to roles, and therefore I cannot use the auth-constraint with role-name.

Is there a way in web.xml to define that only authenticated users are allowed, ignoring in which role they are and ignoring whether they are in any role at all?

There are a couple of solutions which I cannot implement:

  • I cannot change the underlying LDAP to include roles, because the LDAP schema and the way LDAP users are mapped to security tokens are out of scope.
  • I have to use the current custom realm handler, I cannot replace it with one of my own which just returns a default group. I did try this once, and it worked. But I cannot replace the existing custom realm with my own because the custom realm should be generic.

But I really think there should be a way in web.xml just to say: Ignore all groups and roles, I just want an authenticated user?

Any help would be appreciated.

Answer

Will · Mar 6, 2013

Pretty old, but for those looking for an answer, you can use an * role name:

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

This guy managed to solve it.
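A portable spelling of the same requirement, added here as an example and not part of either post above: the Servlet 3.1 specification (JSR 340) defines two special role names in auth-constraint. `*` stands for "any of the roles declared in this application", so the caller must still belong to at least one declared role; `**` stands for "any authenticated user, independent of role", which is exactly what the question asks for and needs no group-to-role mapping at all. `**` therefore requires a Servlet 3.1 container (GlassFish 4 or later); GlassFish 3.1.1 implements Servlet 3.0 and only has the `*` behaviour the answer relies on. The web-app namespace and schema below are the standard Servlet 3.1 ones; the realm name and auth-method are placeholders that must match however the custom realm is actually configured, and the CONFIDENTIAL transport guarantee is added because the question says the security token is carried in the request.

```xml
<!-- Added example, not code from the question or answer above.
     Assumes a Servlet 3.1+ container; "**" is defined by Servlet 3.1
     and is not available in GlassFish 3.1.1 (Servlet 3.0). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mywebapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "**": any authenticated user, whether or not the realm
           returned any groups for them. No <security-role> needed. -->
      <role-name>**</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- the token is carried in the request, so refuse plain HTTP -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- placeholders: use the auth-method and realm name your
         custom realm is registered under in the container -->
    <auth-method>BASIC</auth-method>
    <realm-name>myCustomRealm</realm-name>
  </login-config>

</web-app>
```

The practical difference to check when deploying: with `*` on a Servlet 3.1 container, a user whose getGroupsList() returns an empty array is denied (403), because they are in none of the declared roles; with `**` the same user is admitted as soon as the realm has authenticated them. If the container is still GlassFish 3.1.1, keep the answer's `*` form, since `**` is not recognised there.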