Bug 39021 - Support authentication only access
Support authentication only access
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Other other
: P2 enhancement (vote)
: ---
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2006-03-17 17:04 UTC by Scott M Stark
Modified: 2006-03-26 12:55 UTC (History)
0 users

Example enum type class for the all roles mode behavior (2.68 KB, application/octet-stream)
2006-03-18 18:21 UTC, Scott M Stark
Realm.hasResourcePermission override fragment example (4.64 KB, application/octet-stream)
2006-03-18 18:23 UTC, Scott M Stark
Translated patch (4.70 KB, patch)
2006-03-20 23:57 UTC, Remy Maucherat
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Scott M Stark 2006-03-17 17:04:13 UTC
The recent changes in the handling of the <role-name>*</role-name> have broken a 
long standing ability to specify authentication only access. Although not 
explicitly supported by the servlet spec(and I think it should be), this is a 
useful feature that users ask for. It can be achieved in various vendor specific 
ways via tomcat customizations, but I would like to see inherent support for it. 
The simplest approach would be a Realm attribute like 
authenticationOnlyAllRolesMode=true allowing for an authenticated user access 
regardless of the role(s) they have been granted.
Comment 1 Scott M Stark 2006-03-18 18:21:30 UTC
Created attachment 17916 [details]
Example enum type class for the all roles mode behavior
Comment 2 Scott M Stark 2006-03-18 18:23:20 UTC
Created attachment 17917 [details]
Realm.hasResourcePermission override fragment example
Comment 3 Scott M Stark 2006-03-18 18:27:48 UTC
The jboss embedded tomcat Realm implementation has added support for the 
following modes of handling the all roles auth-constraint:

+ strict = Use the strict servlet spec interpretation which requires that the 
user have one of the web-app/security-role/role-name
+ authOnly = Allow any authenticated user
+ strictAuthOnly = Allow any authenticated user only if there are no web-app/
security-roles specified

The attachements illustrate the logic used in the Realm.hasResourcePermission 
Comment 4 Remy Maucherat 2006-03-20 23:57:18 UTC
Created attachment 17927 [details]
Translated patch

AFAIK, this would translate to this patch (note: I am not doing any work in
this part of the code at the moment). You need to grant permission for
inclusion (one of the sources are LGPL covered).
Comment 5 Scott M Stark 2006-03-23 16:32:25 UTC
I grant the right to license portions or all of the code under the ASL 2.0. The 
translated patch looks correct.
Comment 6 Remy Maucherat 2006-03-23 17:40:56 UTC
Cool. So unless someone disagrees, I will commit my patch, as the old behavior
was most likely useful in some cases.
Comment 7 Remy Maucherat 2006-03-26 20:55:48 UTC
Ok, I applied the patch, since nobody complained.