@RolesAllowed rejects unauthenticated users when they mapped to an allowed (EVERYONE) role #12050
Comments
Hi, have you tried using the @PermitAll annotation? JAX-RS is using the standard security annotations to perform the security checks. The EVERYONE special subject is specific to WebSphere.
Thanks @arkarkala, in our case we normally have a user group mapped to this security-role.
Hi @arkarkala @andymc12, do you have any other approaches or ideas on how to approach the case that @lmsurpre highlights in this issue?
I chatted with @arkarkala and we think that the reason this is failing is because the Our plan is to create a test case using the EVERYONE subject and validating that we get the same failure you are seeing - and then swap the order so that Hope this helps!
Awesome - thank you so much!
Just an update (sorry for the long delay) - in our tests, even when we switched the order so that we check that the user is authorized after checking that the user is in the role, the
@andymc12 we're still quite interested in this one. Having this supported would give us a way to ship a Liberty application which has endpoints that are tied to specific security roles (protected via a JAX-RS Is it still on your radar?
We are also interested in support for EVERYONE, any update? I'm facing the issue with 21.0.0.9.
@lmsurpre, prb112, sdehors-ibm, Thank you for your patience, this has been merged into our integration branch and should be released with 22.0.0.3. |
Describe the bug

The special-subject EVERYONE doesn't play well with the @RolesAllowed annotation on JAX-RS resources.

Steps to Reproduce

@RolesAllowed("User") annotation to this class and bind the special-subject EVERYONE to this security-role:

Expected behavior

When the special-subject EVERYONE is bound to a security-role, unauthenticated users should be considered to be in that role and should have access to the endpoints allowed for that role.

Diagnostic information:

Additional context

If I remove the @RolesAllowed("User") annotation, I am now able to access this endpoint, even when my web.xml includes a security-constraint like the following:

If I remove the special-subject mapping and keep this in the web.xml, it returns a 401 as expected. So it seems that special-subject works as expected with the auth-constraint in web.xml.

Similarly, if I add a basicRegistry to the server.xml, then this user is able to access the resource, despite not being explicitly mapped to the security-role.

So it seems like special-subject EVERYONE is actually behaving the way I would expect special-subject ALL_AUTHENTICATED_USERS to behave.
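The following JAX-RS resource is an added example, not code from the issue report or from Open Liberty. It reproduces the setup described above (a @RolesAllowed("User") endpoint with EVERYONE bound to the User role) and adds a @PermitAll diagnostic endpoint so that the difference between "EVERYONE" and "ALL_AUTHENTICATED_USERS" behaviour can be observed directly from the caller's SecurityContext. The resource paths, the application name "demo", the /api application path (assumed to come from a JAX-RS Application subclass elsewhere in the war), the Liberty feature versions and the registry user in the usage note are all assumptions; the server.xml binding and web.xml constraint in the header comment follow the documented shapes for special-subject and auth-constraint, filled in with those assumed names.

```java
// Added example (not from the issue or from Open Liberty). Assumed deployment:
//   - Liberty features: jaxrs-2.1 and appSecurity-2.0 (javax.* packages; on
//     Jakarta EE 9+ features the imports become jakarta.* instead)
//   - a JAX-RS Application subclass annotated @ApplicationPath("/api") in the war
//   - server.xml binding of the special subject (application name "demo" is assumed):
//       <application location="demo.war">
//         <application-bnd>
//           <security-role name="User">
//             <special-subject type="EVERYONE"/>
//           </security-role>
//         </application-bnd>
//       </application>
//   - optional web.xml constraint of the kind the report mentions, covering /api/*:
//       <security-constraint>
//         <web-resource-collection>
//           <url-pattern>/api/*</url-pattern>
//         </web-resource-collection>
//         <auth-constraint><role-name>User</role-name></auth-constraint>
//       </security-constraint>
package example;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

@Path("/hello")
public class HelloResource {

    // The endpoint from the report. Access is decided by the @RolesAllowed check
    // that the JAX-RS runtime performs. With EVERYONE bound to "User", an anonymous
    // GET should succeed; the report says the anonymous caller is rejected instead.
    @GET
    @RolesAllowed("User")
    @Produces(MediaType.TEXT_PLAIN)
    public String hello() {
        return "hello";
    }

    // Diagnostic endpoint, open regardless of role bindings, that reports what the
    // container believes about the caller. Calling it once anonymously and once with
    // HTTP basic credentials for a basicRegistry user shows whether the EVERYONE
    // binding grants "User" to everyone or only to authenticated callers, which is
    // the distinction the reporter draws under "Additional context".
    @GET
    @Path("/whoami")
    @PermitAll
    @Produces(MediaType.TEXT_PLAIN)
    public String whoami(@Context SecurityContext sc) {
        String principal = sc.getUserPrincipal() == null
                ? "<anonymous>"
                : sc.getUserPrincipal().getName();
        return "principal=" + principal
                + " scheme=" + sc.getAuthenticationScheme()
                + " isUserInRole(User)=" + sc.isUserInRole("User");
    }
}
```

With the war deployed as demo.war on the default HTTP port, an anonymous `curl -i http://localhost:9080/demo/api/hello` is the reproduction from the report, and `curl -i http://localhost:9080/demo/api/hello/whoami` with and without `-u bob:secret` (a basicRegistry user assumed here) shows whether isUserInRole("User") is true for the anonymous caller, which is what an EVERYONE binding should give, or only for the authenticated one, which is what the reporter observes. Keep the whoami endpoint out of production builds, since it discloses principal names and the active authentication scheme to any caller.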