1.17 The allRolesMode must be configured to 'strict' - 'allRolesMode = strict'

Information

The allRolesMode within JBOSS_HOME/server/@PROFILE@/deploy/jbossweb.sar/server.xml must be set to strict for production environments. This requires the authenticated user to be assigned to one of the web-app/security-role/role-name roles in order to be authorized.

Solution

Update the allRolesMode attribute of the <Realm> element with className="org.jboss.web.tomcat.security.JBossWebRealm" in JBOSS_HOME/server/@PROFILE@/deploy/jbossweb.sar/server.xml, setting its value to "strict". By default, allRolesMode is set to "authOnly", which lets any authenticated user satisfy the constraint regardless of role membership. For example:
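As an added check, not part of this audit item, the POSIX shell script below reads the JBossWebRealm <Realm> element from a server.xml, reports the effective allRolesMode (an absent attribute is treated as the authOnly default) and fails unless it is "strict". The server.xml fragments and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the Tenable audit item): report the effective
# allRolesMode of the JBossWebRealm <Realm> in a server.xml and fail unless
# it is "strict". The server.xml fragments below are constructed samples.

# check_all_roles_mode FILE: prints the effective mode, returns 0 only for "strict".
check_all_roles_mode() {
  file="$1"
  # Join lines so a <Realm> whose attributes span several lines is one match,
  # keep only the JBossWebRealm element, then pull allRolesMode out of it.
  mode=$(tr '\n' ' ' < "$file" \
    | grep -o '<Realm[^>]*className="org\.jboss\.web\.tomcat\.security\.JBossWebRealm"[^>]*>' \
    | grep -o 'allRolesMode="[^"]*"' | head -n 1 | cut -d'"' -f2)
  # An absent attribute means the authOnly default applies, so it is the same
  # finding as an explicit allRolesMode="authOnly".
  [ -z "$mode" ] && mode="authOnly"
  printf '%s\n' "$mode"
  [ "$mode" = "strict" ]
}

# Constructed fragments of JBOSS_HOME/server/@PROFILE@/deploy/jbossweb.sar/server.xml:
# the shipped default (a finding) and the corrected setting.
write_weak_server_xml() {
  cat > "$1" <<'EOF'
<Engine name="jboss.web" defaultHost="localhost">
  <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
         allRolesMode="authOnly" />
</Engine>
EOF
}

write_strict_server_xml() {
  cat > "$1" <<'EOF'
<Engine name="jboss.web" defaultHost="localhost">
  <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
         allRolesMode="strict" />
</Engine>
EOF
}

# Demo on the constructed files; call check_all_roles_mode on a real server.xml to audit it.
tmpdir=$(mktemp -d)
write_weak_server_xml "$tmpdir/weak.xml"
write_strict_server_xml "$tmpdir/strict.xml"
for f in "$tmpdir/weak.xml" "$tmpdir/strict.xml"; do
  if check_all_roles_mode "$f" >/dev/null; then echo "PASS $f"; else echo "FAIL $f"; fi
done
rm -rf "$tmpdir"
```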

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, 800-53|AC-6, CAT|II

Plugin: Unix

Control ID: 96488a7c156a2eecb3975f2eb387a8b51302f5daa43cf6f54d39e770e97ba0d7