Affects Version/s: None
Fix Version/s: None
For many applications, it is desirable to have authentication handled by the container, while authorization must be handled by the application login. In such scenarios, it would be useful to require that a user is logged on, without having to specify roles.
There is precedent for this kind of security in other environments:
- In Apache httpd, you can specify "require valid-user" to request authentication
- In Google App Engine, you can specify a role name of "*": "If the authorization constraint specifies a user role of *, then any users signed in with a Google Account can access the URL." (http://code.google.com/appengine/docs/java/config/webxml.html#Security_and_Authentication)
Since the last one conflicts with the current spec, maybe something like this would work: