dev@glassfish.java.net

Application context security

From: Turner, George <george.turner_at_lmco.com>
Date: Thu, 16 Jul 2009 18:03:17 -0600

I am having problems determining an authentication standard and whether or not it is being handled correctly.

Given two enterprise applications (or wars), TestA and TestB, deployed in the same Glassfish instance. Each web.xml has a security constraint on url-pattern "/*" and each has its own role on its respective constraint. I configure a separate user in the file realm for each role.

Using a browser, I access http://localhost:8080/TestA and I am prompted for a username and password as expected, and the browser only shows that the request is for http://localhost:8080, WITHOUT the /TestA application context path.
In a new tab, I access http://localhost:8080/TestB and I immediately receive

HTTP Status 403 - Access to the requested resource has been denied
________________________________
type Status report
messageAccess to the requested resource has been denied
descriptionAccess to the specified resource (Access to the requested resource has been denied) has been forbidden.
________________________________
Sun GlassFish Enterprise Server v2.1

This seems to indicate that SSO is running and the current credentials have been automatically provided to TestB, which requires a different user and password and thus fails. I have tried to disable SSO with no change.

Question 1. What is the correct method to disable SSO in Glassfish? The documentation states that SSO is enabled by default, but the domain.xml has
<property name="sso-enabled" value="false"/> on the virtual server. One set of documentation states to use "sso-enable" as an additional property, but the admin UI also has an SSO checkbox that changes the value of sso-enabled to true, and still the behavior does not change.

Question 2. What is the correct demarcation of URL authentication? I have "assumed" that application context is the delineation, but it seems to be server[port].

Please confirm my findings and whether or not any bugs should be reported or if I am just missing something somewhere.

Thanks
Gene

George (Gene) Turner
Senior Staff Software Engineer
Information Systems & Global Services
Work:(719) 277-5244 Cell:(719) 237-0490
george.turner_at_lmco.com<mailto:george.turner_at_lmco.com>
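The per-application setup the mail describes, written out as an added example (constructed here, not taken from the mail or from GlassFish's own samples): a web.xml for TestA that protects "/*" behind its own role with BASIC authentication, and the sun-web.xml mapping of that role to a file-realm group. The role, realm-name and group-name strings are assumed; TestB would carry the same descriptors with its own role, realm-name and group.

```xml
<!-- TestA/WEB-INF/web.xml (constructed example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestA</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- only this role may reach TestA; TestB declares a different role -->
      <role-name>testa-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- the realm string the browser shows in its prompt; using a distinct
         value per application makes it visible which application is asking -->
    <realm-name>TestA</realm-name>
  </login-config>
  <security-role>
    <role-name>testa-role</role-name>
  </security-role>
</web-app>

<!-- TestA/WEB-INF/sun-web.xml (constructed example): map the role to the
     file-realm group the TestA user was created in (group name assumed) -->
<sun-web-app>
  <security-role-mapping>
    <role-name>testa-role</role-name>
    <group-name>testa-group</group-name>
  </security-role-mapping>
</sun-web-app>
```

With the two applications declaring disjoint roles and groups, a user created for TestA's group carries no role that TestB accepts, which is the 403 the mail observes once credentials are shared across the virtual server.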
