Tags: security, jax-rs, wildfly, undertow, elytron

Deny any access by `anonymous` in WildFly


I'd like to prevent the unidentified user anonymous from accessing anything in my WildFly application server.

All of my users are managed in an LDAP server. Some have special roles with extra privileges so they can access methods annotated with @RolesAllowed. Some methods don't need such a special role and should be accessible by all users, except for anonymous.

Of course I could introduce a role like User and grant that to all users, but I'd rather have a general rule to globally exclude anonymous.

Looking at the Elytron docs didn't help me.


Solution

  • You can specify the special role-name * in a security-constraint of your web.xml, which matches any role name, but fails on users without any roles, i.e. anonymous:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    
        <!-- Challenge unauthenticated callers with HTTP Basic authentication -->
        <login-config>
            <auth-method>BASIC</auth-method>
        </login-config>
    
        <!-- Cover every URL; '*' admits any caller holding at least one role,
             so a caller with no roles (anonymous) is rejected -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>*</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>*</role-name>
            </auth-constraint>
        </security-constraint>
        <security-role>
            <role-name>*</role-name>
        </security-role>
    </web-app>
    

    Note: My IDE complains about * not being a valid NMTOKEN, but it works.
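The * rule only shuts anonymous out if every security-constraint actually carries an auth-constraint; a constraint with no auth-constraint element at all still admits unauthenticated callers, and an empty one denies everybody. The check below is an added example, not part of the answer: it parses a web.xml (a constructed sample modelled on the answer is embedded) and reports which url-patterns an unauthenticated caller could reach, treating Servlet 3.1's ** (any authenticated user) like *.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml modelled on the answer above, plus one
# constraint with no <auth-constraint> and one with an empty one.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

def classify_constraints(web_xml: str) -> dict:
    """Map each url-pattern to who may reach it (Servlet spec semantics):
    'anonymous'     - no <auth-constraint>: unauthenticated access allowed
    'nobody'        - empty <auth-constraint/>: nobody may access
    'authenticated' - one or more <role-name>: caller must log in
                      ('*' = any declared role, '**' = any authenticated user)
    Overlapping patterns combine under the spec's rules; this reports
    each pattern's own constraint, which is enough to spot anonymous holes."""
    root = ET.fromstring(web_xml)
    # Strip namespaces so Java EE and Jakarta EE descriptors parse alike.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    result = {}
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            access = "anonymous"
        elif not auth.findall("role-name"):
            access = "nobody"
        else:
            access = "authenticated"
        for pat in sc.findall("web-resource-collection/url-pattern"):
            result[(pat.text or "").strip()] = access
    return result

def anonymous_reachable(web_xml: str) -> list:
    """url-patterns an unauthenticated caller can reach (empty = no hole)."""
    return sorted(p for p, a in classify_constraints(web_xml).items() if a == "anonymous")
```

Run it against the deployment's real WEB-INF/web.xml; any pattern it lists is one the * constraint does not protect.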