servlet-spec / SERVLET_SPEC-34

Auth constraint that requires a valid user, but does not require any particular role

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      For many applications, it is desirable to have authentication handled by the container, while authorization must be handled by the application login. In such scenarios, it would be useful to require that a user is logged on, without having to specify roles.

      There is precedence for this kind of security from other environments:

      Since the last one conflicts with the current spec, maybe something like this would work:

      <auth-constraint anyAuthenticatedUserAllowed="true" />
      @ServletSecurity(@HttpConstraint(anyAuthenticatedUserAllowed=true))
      public class Example4 extends HttpServlet {
      }
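For comparison, an added example (not part of the original issue and not the reporter's proposed syntax): Servlet 3.1 and later define the special role name `**`, which requires an authenticated user independent of role, so the container authenticates and the application authorizes. The `DocumentServlet` class, its URL pattern and the `READERS` access list are hypothetical, and the `javax.servlet` namespace and Java 9+ are assumed.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// "**" (Servlet 3.1+) means any authenticated user, independent of role.
// It is not the same as "*" in web.xml, which means any role declared by
// the application and so still depends on role mapping.
@WebServlet("/documents/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "**",
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public class DocumentServlet extends HttpServlet {

    // Constructed sample access list (hypothetical); a real application
    // would query its own authorization store here.
    private static final Map<String, Set<String>> READERS = Map.of(
            "/budget", Set.of("alice"),
            "/handbook", Set.of("alice", "bob"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container has already authenticated the caller; this check
        // fails closed if the constraint is ever dropped or misconfigured.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Application-level authorization: deny unless explicitly listed.
        String path = req.getPathInfo();
        Set<String> allowed = (path == null) ? null : READERS.get(path);
        if (allowed == null || !allowed.contains(user.getName())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("document " + path + " for " + user.getName());
    }
}
```

The deployment-descriptor equivalent is an `<auth-constraint>` containing `<role-name>**</role-name>`.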

        Activity

        elygre created issue
        Rajiv Mordani made changes:
          Field: Assignee; Original Value: (none); New Value: Shing Wai Chan [ swchan2 ]
        Shing Wai Chan made changes:
          Field: Status; Original Value: Open [ 1 ]; New Value: Resolved [ 5 ]
          Field: Resolution; Original Value: (none); New Value: Fixed [ 1 ]

          People

          • Assignee: Shing Wai Chan
          • Reporter: elygre
          • Votes: 1
          • Watchers: 1
