I am trying to implement role based authorization in an application running on WebSphere / Open Liberty server. Authentication is implemented using OIDC token & socual-login feature & it is workig fine. I am struggling to create roles from JWT token & depending on that authorizing access to different servlets.
My server.xml -
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>appSecurity-3.0</feature>
<feature>socialLogin-1.0</feature>
<feature>microProfile-4.1</feature>
<feature>jsp-2.3</feature>
<feature>localConnector-1.0</feature>
</featureManager>
<logging traceSpecification="*=info" consoleLogLevel="INFO"/>
<oidcLogin clientId="${clientId}"
clientSecret="${clientSecret}"
discoveryEndpoint="${oAuthServerUrl}/.well-known/openid-configuration"
id="liberty-aad-oidc-javaeecafe" signatureAlgorithm="RS256"
userNameAttribute="email" groupNameAttribute="role"/>
<authFilter id="myAuthFilter">
<requestUrl id="myRequestUrl" matchType="contains"
urlPattern="/*" />
</authFilter>
<keyStore id="defaultKeyStore"
password="${env.keystore_password}" />
<keyStore id="mytruststore"
location="${server.config.dir}/mytruststore.jks" password="****" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
trustDefaultCerts="true" trustStoreRef="mytruststore" />
<applicationManager autoExpand="true" />
<httpEndpoint host="*" httpPort="9080" httpsPort="9443"
id="defaultHttpEndpoint" />
<mpJwt id="myMpJwt"
jwksUri="${oAuthServerUrl}/publickeys"
issuer="${oAuthServerUrl}"
authFilterRef="myAuthFilter" groupNameAttribute="role"/>
<applicationMonitor updateTrigger="mbean" />
<applicationMonitor dropinsEnabled="false"/>
<webApplication contextRoot="/" id="oidcsampleapp"
location="oidcsampleapp-1.0.0.war" name="oidcsampleapp" >
<application-bnd>
<security-role name="admin-role">
<group name="admin" />
</security-role>
<!-- <security-role name="admin">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role> -->
</application-bnd>
</webApplication>
</server>
When using request is forwarded to application, otherwise access is denied. I am trying to create the security principal role "admin-role" which is coming along with the JWT token.
Web.xml security configuration -
<security-role>
<role-name>admin-role</role-name>
</security-role>
<security-role>
<role-name>user-role</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>AdminServlet</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin-role</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Roles defined above are part of the JWT token from OIDC server & mentioned in server.xml.
<security-role>
<role-name>admin-role</role-name>
</security-role>
<security-role>
<role-name>appuser-role</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>AdminServlet</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin-role</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
JWT token received:
{
"iss": https://xxxxx.xxxxx,
"exp": 1665245032,
"aud": [
"931280e3-xxxx-xxxx-xxxxx-xxxxxxx"
],
"sub": "xxxxx-xxxx-xxxxxxx-xxxx-xxxxxxxxx",
"amr": [
"saml"
],
"iat": 1665241432,
"tenant": "xxxxxxxxx",
"scope": "openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated",
"role": "admin-role",
"surname": "Basu",
"groups": [
"014a0054-942f-4c20-a6e0-235dd906ca1c"
],
"entityID": https://sts.windows.net/81fa766e-a349-4867-8bf4-ab35e250a08f/
}
Related
When trying to login as a registered user in LDAP Server, wrong username or password redirect successfully to error page, However when they are correct it didn't grant the user the access with the following error:
HTTP Status 403 - Forbidden.
I'm coding my pages in JSF.
My Glassfish console looks like this.
My web.xml like this :
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
<security-role>
<description>all the users with the role Admin</description>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<description>all the users that are authenticated</description>
<role-name>LOGGEDIN_USER</role-name>
</security-role>
<security-role>
<description>all the users that are moderators/extended rights</description>
<role-name>MODERATOR</role-name>
</security-role>
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>Secured resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>LOGGEDIN_USER</role-name>
<role-name>ADMIN</role-name>
<role-name>MODERATOR</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ldapRealm</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
</web-app>
My sun-web.xml has this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app error-url="">
<context-root>/</context-root>
<security-role-mapping>
<role-name>LOGGEDIN_USER</role-name>
<group-name>default</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>MODERATOR</role-name>
<group-name>moderatoren</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>root</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated
servlet class' java code.</description>
</property>
</jsp-config>
</sun-web-app>
I solved it.
the problem was with the uppercase letters for roles in the web.xml
I tried to make jdbc realm authentication with single table, but it always redirect me to loginerror page.
Here is my settings:
Table (korisnici):
idkorisnika
korIme (it is username)
sifra (it is password)
tipKor (it is role)
Role type's are: admin, radnik and klijent
Password in database is hashed as SHA-256
glassfish-resources.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE resources PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Resource Definitions//EN" "http://glassfish.org/dtds/glassfish-resources_1_5.dtd">
<resources>
<jdbc-resource enabled="true" jndi-name="jdbc/rentacarDatasource" object-type="user" pool-name="jdbcRealmPool">
<description/>
</jdbc-resource>
<jdbc-connection-pool allow-non-component-callers="false" associate-with-thread="false" connection-creation-retry-attempts="0" connection-creation-retry-interval-in-seconds="10" connection-leak-reclaim="false" connection-leak-timeout-in-seconds="0" connection-validation-method="auto-commit" datasource-classname="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource" fail-all-connections="false" idle-timeout-in-seconds="300" is-connection-validation-required="false" is-isolation-level-guaranteed="true" lazy-connection-association="false" lazy-connection-enlistment="false" match-connections="false" max-connection-usage-count="0" max-pool-size="32" max-wait-time-in-millis="60000" name="jdbcRealmPool" non-transactional-connections="false" pool-resize-quantity="2" res-type="javax.sql.ConnectionPoolDataSource" statement-timeout-in-seconds="-1" steady-pool-size="8" validate-atmost-once-period-in-seconds="0" wrap-jdbc-objects="false">
<property name="URL" value="jdbc:mysql://localhost:3306/rentacar?zeroDateTimeBehavior=convertToNull"/>
<property name="User" value="root"/>
<property name="Password" value=""/>
</jdbc-connection-pool>
</resources>
glassfish-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>admin</role-name>
<group-name>admin</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>klijent</role-name>
<group-name>klijent</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>radnik</role-name>
<group-name>radnik</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>AdminConstraint</display-name>
<web-resource-collection>
<web-resource-name>admin</web-resource-name>
<description/>
<url-pattern>/faces/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>RadnikConstraint</display-name>
<web-resource-collection>
<web-resource-name>radnik</web-resource-name>
<description/>
<url-pattern>/faces/radnik/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>radnik</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>KlijentConstraint</display-name>
<web-resource-collection>
<web-resource-name>klijent</web-resource-name>
<description/>
<url-pattern>/faces/klijent/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>klijent</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc-realm</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/loginerror.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>radnik</role-name>
</security-role>
<security-role>
<description/>
<role-name>klijent</role-name>
</security-role>
</web-app>
persistance.xml
<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
<persistence-unit name="RentacarPU" transaction-type="JTA">
<jta-data-source>jdbc/rentacarDatasource</jta-data-source>
<exclude-unlisted-classes>false</exclude-unlisted-classes>
<properties/>
</persistence-unit>
</persistence>
login form
<p:panel header="Login From">
<form method="POST" action="j_security_check">
Username: <input type="text" name="j_username" />
Password: <input type="password" name="j_password" />
<input type="submit" value="Login" />
<input type="reset" value="Reset" />
</form>
</p:panel>
Here is properties for jdbc-realm in glassfish console:
JAAS Context: jdbcRealm
JNDI: jdbc/rentacarDatasource
User Table: korisnici
User Name Column: korIme
Password Column: sifra
Group Table: korisnici
Group Table User Name Column: korIme
Group Name Column: tipKor
Password Encryption Algorithm: AES
Charset: UTF-8
Everytime when i try to log as any type of user it redirect me to loginerror.xhtml
Can someone help me how to solve this problem?
I am using the following filter in the web.xml of my application, with it I am able to get authentication over java melody page.
How can I integrate this authentication with LDAP? When I login at localhost:8080/application/monitoring, it will ask credentials and they should be validated against LDAP.
Is it possible to achieve this?
<filter>
<filter-name>monitoring</filter-name>
<filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
<init-param>
<param-name>allowed-addr-pattern</param-name>
<param-value>10\.10\.10\..*|10\.10\.10\.10|10\.10\.10\..*</param-value>
</init-param>
<init-param>
<param-name>authorized-users</param-name>
<param-value>user1:pwd1, user2:pwd2</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>monitoring</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>net.bull.javamelody.SessionListener</listener-class>
</listener>
The following is the configuration that needs to be done in web.xml and
1.server.xml in case of tomcat
2.jetty.xml in case of jetty
web.xml code:
==============
<filter>
<filter-name>monitoring</filter-name>
<filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
<init-param>
<param-name>allowed-addr-pattern</param-name>
<param-value>127.0.0.1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>monitoring</filter-name>
<url-pattern>/monitoring</url-pattern>
</filter-mapping>
<listener>
<listener-class>net.bull.javamelody.SessionListener</listener-class>
</listener>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Monitoring</realm-name>
</login-config>
<security-role>
<role-name>tomcat</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Monitoring</web-resource-name>
<url-pattern>/monitoring</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
<!-- if SSL enabled (SSL and certificate must then be configured in the
server) <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> -->
</security-constraint>
In Tomcat:
===========
Add the following realm in tomcat_home/conf/server.xml
=======================================================
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://ldapip:ldapport/" userSubtree="true"
userBase="ou=xyz,dc=abc,dc=com" userSearch="(uid={0})"
roleBase="ou=Group,dc=abc,dc=com" roleName="cn"
roleSearch="(memberUid={0})" roleSubtree="true"/>
In Jetty:
===========
Add this code in jetty.xml
<Configure id='wac' class="org.eclipse.jetty.webapp.WebAppContext">
<Set name="contextPath">/abc</Set>
<Set name="war"><Property name="jetty.webapps" default="."/>/abc.war</Set>
<Set name="extractWAR">true</Set>
<Set name="securityHandler">
<New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<Set name="loginService">
<New class="org.eclipse.jetty.jaas.JAASLoginService">
<Set name="name">Monitoring</Set>
<Set name="loginModuleName">ldaploginmodule</Set>
</New>
</Set>
</New>
</Set>
</Configure>
create a file login.conf file in etc folder of jetty_base directory:
ldaploginmodule {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname="ldapip"
port="ldapport"
authenticationmenthod="simple"
forceBindingLogin="true"
userBaseDn="ou=People,dc=abc,dc=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userObjectClass="posixAccount"
roleBaseDn="ou=Group,dc=abc,dc=com"
roleNameAttribute="cn"
roleMemberAttribute="memberUid"
roleObjectClass="posixGroup";
};
I'm trying to protect my administration which is after domain.com/edit/ with Realm and JDBC. I have done this on my development machine on a glassfish 4. But I don't get this thing working on openshift/jboss.
What I've done:
myproject.openshift\config\standalone.xml
[...]
<management>
<security-realms>
<security-realm name="managementSecurityRealm">
<authentication>
<jaas name="loginRealm" />
</authentication>
</security-realm>
</security-realms>
<management-interfaces>
<native-interface security-realm="managementSecurityRealm">
<socket-binding native="management-native" />
</native-interface>
<http-interface security-realm="managementSecurityRealm">
<socket-binding http="management-http" />
</http-interface>
</management-interfaces>
</management>
[...]
<security-domains>
<security-domain name="loginRealm">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName"
value="java:jboss/datasources/MysqlDS" />
<module-option name="principalsQuery"
value="select PASSWORD from c_user where EMAIL=?" />
<module-option name="rolesQuery"
value="select groups_ROLENAME, 'Roles' from c_user_c_user_role where User_EMAIL=?" />
<module-option name="hashAlgorithm" value="SHA-256" />
</login-module>
</authentication>
</security-domain>
[...]
myproject\src\main\webapp\WEB-INF\jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/loginRealm</security-domain>
</jboss-web>
And at last my myproject\src\main\webapp\WEB-INF\web.xml
[...]<security-constraint>
<display-name>administration-constraint</display-name>
<web-resource-collection>
<web-resource-name>administration</web-resource-name>
<description>authorisation area</description>
<url-pattern>/edit/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>headchef</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>loginRealm</realm-name>
<form-login-config>
<form-login-page>/viewLogin.jsf</form-login-page>
<form-error-page>/viewError.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Administrator</description>
<role-name>headchef</role-name>
</security-role>
<security-role>
<description>normal user which can create recipes</description>
<role-name>cook</role-name>
</security-role>
[...]
For example when I call the url http://myproject-namespace.rhcloud.com/edit/somepages
I can access it directly. The login page will not be displayed! If I access the login page viewLogin.jsf directly and I try to login, jboss tells me "javax.servlet.ServletException: No authenticator available for programmatic login."
I dont know what I did wrong. Why I'm able to access the administration without login in and why do I get this exception. And last of it all, I'm generating my password hashes with
Hashing.sha256().hashString(password, com.google.common.base.Charsets.UTF_8).toString();
Is it possible to set the encoding for the password algorithm function?
I appreciate any help.
For a RESTful enterprise application I need all calls to be authenticated, but I cannot provide a common group/rolt that all users of the system have. I authenticate and authorize over LDAP (which should not make a difference for this issue).
If I leave the elements commented out as in the web.xml below, I do not get any authentication at all. How can I have authentication without the need of a common role? Also, an empty auth-consraint does not work.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<!-- fpe: This one is necessary. -->
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>Resteasy</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<!-- <auth-constraint> -->
<!-- <role-name>*</role-name> -->
<!-- </auth-constraint> -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Login</realm-name>
</login-config>
<!-- <security-role> -->
<!-- <role-name>the_common_role</role-name> -->
<!-- </security-role> -->
</web-app>
Using the * properly does the trick:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<!-- fpe: This one is necessary. -->
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>Resteasy</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Login</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
</web-app>
You should use double asterisks (if you're using Servlet 4.0+):
<auth-constraint>
<role-name>**</role-name>
</auth-constraint>
See: https://stackoverflow.com/a/73899071/562644