Security constraint in web.xml for authenticated users without role memberships

java glassfish web.xml jaas
13,495

Pretty old, but for those looking for an answer, you can use an * role name:

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

This guy managed to solve it.

Share:
13,495
msaladin
Author by

msaladin

Updated on June 03, 2022

Comments

  • msaladin
    msaladin about 2 years

    I am quite desperate, because I think there must be an easy solution to my problem but I am searching - to no avail.

    I am using a custom Realm in Glassfish 3.1.1. This custom realm (implements AppservPasswordLoginModuleInterface) takes a security token from the HTTPS request, validates the security token and then returns the user to Glassfish.

    The problem is that the security token does not contain any groups, meaning that the method public String[] getGroupsList() or the custom realm returns an empty list (correctly, because there are no roles in the security token).

    That said, I would like to have a security contraint that only validated users can login. I know that I can use the following constraint in web.xml:

    <security-constraint>
  <web-resource-collection>
    <web-resource-name>mywebapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
  </auth-constraint>
</security-constraint>

    But because I don't have any groups, I cannot map any groups to roles, and therefore I cannot use the auth-constraint with role-name.

    Is there a way in web.xml to define that only authenticated users are allowed, ignoring in which role they are and ignoring whether they are in any role at all.

    There are a couple of solutions which I cannot implement:

    • I cannot change the underlying LDAP to include roles, because the LDAP schema and the way how LDAP users are mapped to security tokens our out of scope.
    • I have to use the current custom realm handler, I cannot replace it with one of my own which just returns a default group. I did try this once, and it worked. But I cannot replace the existing custom realm with my own because the custom realm should be generic.

    But I really think there should be a way in web.xml just to say: Ignore all groups and roles, I just want an authenticated user?

    Any help would be appreciated.

  • Xavier Portebois
    Xavier Portebois about 7 years
    Works on WF10.1.0. Don't forget to set also in <security-role/> a <role-name>*</role-name> (otherwise, if the * is only in <auth-constraint/>, this doesn't work).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

web.xml error-pages are not working, why?
Could not open ServletContext resource
Glassfish 3.1 default principal to role mapping
JSF 2.0 redirect to index.jsf after login
Which JAR contains the weblogic.servlet.security.ServletAuthentication class?
PrimeFaces and JasperReports
Where do @Context objects come from
asadmin command doesn't work in ubuntu
@Singleton, @Startup, @PostConstruct doesn't work on EJB3.1 and Glassfishv3.0.1
org.apache.catalina.LifecycleException when trying to start Glassfish server with Eclipse