Issue Details

Key: SERVLET_SPEC-34
Type: Improvement
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Shing Wai Chan
Reporter: elygre
Votes: 1
Watchers: 1
servlet-spec

Auth constraint that requires a valid user, but does not require any particular role

Created: 16/Mar/12 11:52 AM   Updated: 01/Mar/13 12:30 AM   Resolved: 01/Mar/13 12:29 AM
Component/s: None
Affects Version/s: None
Fix Version/s: None

Time Tracking:
Not Specified

Tags: security
Participants: elygre and Shing Wai Chan


Description

For many applications, it is desirable to have authentication handled by the container, while authorization must be handled by the application login. In such scenarios, it would be useful to require that a user is logged on, without having to specify roles.

There is precedent for this kind of security from other environments:

Since the last one conflicts with the current spec, maybe something like this would work:

<auth-constraint anyAuthenticatedUserAllowed="true" />
@ServletSecurity(@HttpConstraint(anyAuthenticatedUserAllowed=true))
public class Example4 extends HttpServlet {
}


Rajiv Mordani made changes - 18/Jul/12 09:32 PM
Field Original Value New Value
Assignee Shing Wai Chan [ swchan2 ]
Shing Wai Chan added a comment - 09/Jan/13 02:01 AM

According to JSR 115 MR2, "*" means all the roles defined for the web app.
It does not mean any user.


elygre added a comment - 09/Jan/13 08:30 AM

Shing Wai Chan Yes, that is correct. This issue is an enhancement request for a new auth-constraint that does not require roles, but instead just requires any valid user.

The use case is very common. As shown above, Google App Engine deviates from the servlet spec and redefines this aspect of web.xml to support the use case. That should be a strong argument that there is a market requirement.


Shing Wai Chan added a comment - 10/Jan/13 09:53 PM

"*" is for any roles rather than users as defined in JSR 115.
We need to investigate a backward compatible solution.

One way to achieve this is to have the realm add a universal role to all authenticated users. This is how GlassFish resolves this issue.
You can find more details in
https://blogs.oracle.com/swchan/entry/assign_groups


elygre added a comment - 10/Jan/13 10:24 PM

I totally agree that we need a backward compatible solution. The jira issue does not suggest using the role name "*" at all, but clearly states that this "conflicts with the current spec", and suggests that something else is needed, "maybe the something like this would work":

<auth-constraint anyAuthenticatedUserAllowed="true" />

The GlassFish solution is interesting. I would hope for a servlet-level solution (which would then be supported by all appservers), but at least it serves to further validate the requirement.


Shing Wai Chan added a comment - 01/Mar/13 12:29 AM

A special role "**" is added to achieve this in the spec.
Please see section 13.3 of the Servlet 3.1 PFD for details.


Shing Wai Chan made changes - 01/Mar/13 12:29 AM
Status Open [ 1 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Shing Wai Chan added a comment - 01/Mar/13 12:30 AM

See also section 13.4.1.3 in Servlet 3.1 PFD.
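As an added illustration (not code from the issue or the spec), this shows how the resolution above is used in practice: the special role name "**" from Servlet 3.1 section 13.3 expresses the "any authenticated user, no particular role" constraint that the reporter proposed as anyAuthenticatedUserAllowed. The servlet name, URL pattern and the accountOwnedBy helper are assumptions for the example; it requires a Servlet 3.1 container.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// "**" = any authenticated user, independent of role (Servlet 3.1, 13.3).
// Contrast "*", which means "any role declared for this application": a user
// who authenticates but holds none of the declared roles is still rejected.
// Do not declare "**" in a <security-role>; if you do, it is treated as an
// ordinary role name and the special meaning is lost.
//
// Equivalent web.xml declaration (Servlet 3.1 containers only):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>account</web-resource-name>
//       <url-pattern>/account</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>**</role-name></auth-constraint>
//   </security-constraint>
@WebServlet("/account")                                   // assumed path
@ServletSecurity(@HttpConstraint(rolesAllowed = "**"))
public class AuthenticatedOnlyServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller, so the
        // principal is present here. Authorization now stays with the
        // application, which is the split the issue asks for.
        String user = req.getRemoteUser();
        String accountId = req.getParameter("id");
        if (!accountOwnedBy(user, accountId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Account " + accountId + " for " + user);
    }

    // Hypothetical application-level authorization check; a real application
    // would consult its own data store here.
    private boolean accountOwnedBy(String user, String accountId) {
        return accountId != null && accountId.equals(user);
    }
}
```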