
I am quite desperate, because I think there must be an easy solution to my problem but I am searching - to no avail.

I am using a custom Realm in Glassfish 3.1.1. This custom realm (implements AppservPasswordLoginModuleInterface) takes a security token from the HTTPS request, validates the security token and then returns the user to Glassfish.

The problem is that the security token does not contain any groups, meaning that the method public String[] getGroupsList() of the custom realm returns an empty list (correctly, because there are no roles in the security token).

That said, I would like to have a security constraint that only validated users can login. I know that I can use the following constraint in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>mywebapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
  </auth-constraint>
</security-constraint>

But because I don't have any groups, I cannot map any groups to roles, and therefore I cannot use the auth-constraint with role-name.

Is there a way in web.xml to define that only authenticated users are allowed, ignoring which role they are in and ignoring whether they are in any role at all?

There are a couple of solutions which I cannot implement:

  • I cannot change the underlying LDAP to include roles, because the LDAP schema and the way LDAP users are mapped to security tokens are out of scope.
  • I have to use the current custom realm handler, I cannot replace it with one of my own which just returns a default group. I did try this once, and it worked. But I cannot replace the existing custom realm with my own because the custom realm should be generic.

But I really think there should be a way in web.xml just to say: Ignore all groups and roles, I just want an authenticated user?

Any help would be appreciated.

Jasper
msaladin

2 Answers

Pretty old, but for those looking for an answer, you can use an * role name:

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

This guy managed to solve it.

Will

Use two asterisks:

<auth-constraint>
  <role-name>**</role-name>
</auth-constraint>

See section 13.8 of the Servlet 4.0 spec: https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf

The single asterisk means a user must have at least one of any declared role vs double asterisks means a user simply must be authenticated. So with single asterisk a user must have one of the roles declared in the security-role section of the web.xml, and it appears some application servers (like JBoss/Wildfly) allow you to also put a single asterisk in this section to make this work similarly to the double asterisks. This single asterisk in the security-role section appears to be non-standard and likely non-portable:

<security-role>
  <role-name>*</role-name>
</security-role>
Ryan
  • Thank you so much for sharing this answer. I lost so much time looking for a solution on this topic. – fayabobo Feb 21 '23 at 17:10
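The two answers above differ in what "*" and "**" admit. As an added example (not part of the question or either answer, and not GlassFish or JBoss code), here is a small Python checker that parses a constructed web.xml and applies the role-name rules from section 13.8 of the Servlet spec: a named role must be held by the caller, "*" means any role declared in a <security-role>, and "**" means any authenticated user unless the application itself declares a role named "**". The sample descriptor, the function names (parse_descriptor, permits, evaluate, lint) and the warning texts are all assumptions made for this example. The lint() function flags the trap the asker would have hit with a single asterisk and no declared roles: a constraint that admits nobody.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the question or the answers): one
# constraint per role-name form discussed above. No XML declaration, so that
# ET.fromstring() accepts it as a plain str.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admins</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>anyrole</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mywebapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Admins</role-name></security-role>
</web-app>
"""


def _text(el):
    return (el.text or "").strip()


def parse_descriptor(web_xml_text):
    """Return (declared security-role names, [(web-resource-name, auth roles)]).

    roles is None when <auth-constraint> is absent (unrestricted) and an empty
    list when it is present but names no role (access denied to everyone).
    The {*} wildcard ignores the web-app namespace (Python 3.8+).
    """
    root = ET.fromstring(web_xml_text)
    declared = {_text(r) for r in root.findall("{*}security-role/{*}role-name")}
    constraints = []
    for sc in root.findall("{*}security-constraint"):
        name_el = sc.find("{*}web-resource-collection/{*}web-resource-name")
        name = _text(name_el) if name_el is not None else "<unnamed>"
        ac = sc.find("{*}auth-constraint")
        roles = None if ac is None else [_text(r) for r in ac.findall("{*}role-name")]
        constraints.append((name, roles))
    return declared, constraints


def permits(roles, declared, authenticated, user_roles=()):
    """Decide whether one <auth-constraint> admits a caller (Servlet spec 13.8 rules)."""
    if roles is None:
        return True                      # no auth-constraint: not restricted
    if not roles or not authenticated:
        return False                     # empty constraint, or anonymous caller
    if "**" in roles and "**" not in declared:
        return True                      # any authenticated user, roles irrelevant
    allowed = set(roles)
    if "*" in allowed:
        allowed.discard("*")
        allowed |= declared              # '*' = any role declared in <security-role>
    return bool(allowed & set(user_roles))


def evaluate(web_xml_text, authenticated, user_roles=()):
    """Map each constraint's web-resource-name to whether the caller is admitted."""
    declared, constraints = parse_descriptor(web_xml_text)
    return {name: permits(roles, declared, authenticated, user_roles)
            for name, roles in constraints}


def lint(web_xml_text):
    """Flag descriptors that lock everyone out or reference undeclared roles."""
    declared, constraints = parse_descriptor(web_xml_text)
    warnings = []
    for name, roles in constraints:
        if roles is None:
            continue
        if not roles:
            warnings.append(f"{name}: empty <auth-constraint> denies every caller")
        if "*" in roles and not declared:
            warnings.append(f"{name}: role-name '*' with no <security-role> admits nobody")
        for r in roles:
            if r not in ("*", "**") and r not in declared:
                warnings.append(f"{name}: role '{r}' is not declared in a <security-role>")
    return warnings


if __name__ == "__main__":
    # A token-authenticated user with no groups, as in the question:
    # only the "**" constraint admits them.
    print(evaluate(SAMPLE_WEB_XML, authenticated=True, user_roles=()))
```

Run against the sample, an authenticated user with no groups is admitted only by the "**" constraint; the "*" constraint needs at least one declared role on the caller, and with no <security-role> declared at all it admits nobody, which is what lint() reports.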