I've run into a problem where we are running against a client's existing LDAP server for authenticating against our app. We're using form-based authentication and have roles defined for 'privileged' and 'admin' users, but the client would like anyone who can authenticate to have read-only access.
I need to define a security constraint that allows any authenticated user, regardless of role. I've tried things like this:
but while I can still log in with users and admins, it returns a 403 if the user does not have any groups defined. Thoughts?