The recent changes in the handling of the <role-name>*</role-name> have broken a long-standing ability to specify authentication-only access. Although not explicitly supported by the servlet spec (and I think it should be), this is a useful feature that users ask for. It can be achieved in various vendor-specific ways via Tomcat customizations, but I would like to see inherent support for it. The simplest approach would be a Realm attribute like authenticationOnlyAllRolesMode=true allowing an authenticated user access regardless of the role(s) they have been granted.
Created attachment 17916: Example enum type class for the all roles mode behavior
Created attachment 17917: Realm.hasResourcePermission override fragment example
The JBoss embedded Tomcat Realm implementation has added support for the following modes of handling the all roles auth-constraint:
+ strict = Use the strict servlet spec interpretation, which requires that the user have one of the web-app/security-role/role-name
+ authOnly = Allow any authenticated user
+ strictAuthOnly = Allow any authenticated user only if there are no web-app/security-roles specified
The attachments illustrate the logic used in the Realm.hasResourcePermission override.
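The three modes listed in the comment above, written out as a constructed example of the access decision (this is not the attached JBoss or Tomcat Realm code); the class, enum and parameter names are assumptions:

```java
import java.util.Set;

// Constructed illustration of the three all-roles modes; not Tomcat's or JBoss's own Realm code.
public class AllRolesModeDemo {

    enum AllRolesMode { STRICT, AUTH_ONLY, STRICT_AUTH_ONLY }

    static final String ALL_ROLES = "*";

    // userRoles: roles granted to the authenticated principal
    // constraintRoles: role-names in the matching auth-constraint (may contain "*")
    // declaredRoles: the web-app's <security-role> names
    static boolean hasResourcePermission(AllRolesMode mode, Set<String> userRoles,
                                         Set<String> constraintRoles, Set<String> declaredRoles) {
        for (String role : constraintRoles) {
            if (!ALL_ROLES.equals(role)) {
                if (userRoles.contains(role)) {
                    return true;          // ordinary named role matched
                }
                continue;
            }
            // Handle "*" according to the configured mode.
            if (mode == AllRolesMode.AUTH_ONLY) {
                return true;              // any authenticated user passes
            }
            if (mode == AllRolesMode.STRICT_AUTH_ONLY && declaredRoles.isEmpty()) {
                return true;              // authentication suffices only when no roles are declared
            }
            // STRICT (and STRICT_AUTH_ONLY with declared roles): "*" expands to the declared roles.
            for (String declared : declaredRoles) {
                if (userRoles.contains(declared)) {
                    return true;
                }
            }
        }
        return false;                     // no constraint role satisfied
    }

    public static void main(String[] args) {
        Set<String> user = Set.of("guest");                 // constructed principal roles
        Set<String> star = Set.of(ALL_ROLES);               // auth-constraint of "*"
        Set<String> declared = Set.of("admin", "manager");  // constructed <security-role> names
        for (AllRolesMode mode : AllRolesMode.values()) {
            System.out.println(mode + " with declared roles: "
                + hasResourcePermission(mode, user, star, declared));
            System.out.println(mode + " without declared roles: "
                + hasResourcePermission(mode, user, star, Set.of()));
        }
    }
}
```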
Created attachment 17927: Translated patch
AFAIK, this would translate to this patch (note: I am not doing any work in this part of the code at the moment). You need to grant permission for inclusion (one of the sources is LGPL covered).
I grant the right to license portions or all of the code under the ASL 2.0. The translated patch looks correct.
Cool. So unless someone disagrees, I will commit my patch, as the old behavior was most likely useful in some cases.
Ok, I applied the patch, since nobody complained.